It’s tough enough for large global enterprises to build a strong security program. Small and mid-sized businesses (SMBs) have their own unique set of challenges, the biggest of which might be a lack of financial and professional resources to deploy and maintain the latest technologies.
Recent industry research shows not only that SMBs are targets for intrusions, but that they have some work to do to bolster their cyber security. One survey of SMBs by Barclaycard, which provides payment cards for Barclays Bank, found that many smaller companies are neglecting to prioritize cyber security, despite widespread fears of online crime.
Barclaycard queried more than 250 SMBs to gauge their readiness for an attack and found that just 20% ranked cybercrime as a top priority. The results contradict separate findings that 48% of the respondents had been the victim of at least one cyber security attack within the past year, with 10% having been hit with four attacks or more and 54% saying they were concerned about an attack.
Rather than take steps to mitigate risks, 16% of the organizations surveyed said they only review security in the aftermath of an attack. The survey also showed that only 13% of the companies were confident that their own knowledge of cyber security was sufficient to combat the threat posed.
Another report, conducted in March-May 2016 by Ponemon Institute and sponsored by Keeper Security, finds that more than 50% of the North American SMBs surveyed were breached in the past year. Only 14% of the companies surveyed rated their ability to mitigate cyber attacks as highly effective.
Confidence in SMB cyber security posture “is so low primarily because personnel, budget and technologies aren't sufficient,” the report says. In addition, IT security priority determination “is not centralized to one specific function in a company, therefore reducing accountability and resulting in less informed decision making.”
The most common attacks against smaller businesses are Web-based and involve phishing and social engineering breaches, the Ponemon report says. Widely adopted technologies such as antivirus are still useful, it notes, but they cannot be depended on to protect against exploits and cyber attacks.
The research found that SMBs have a major lack of control and visibility when it comes to employee password security. Strong passwords and biometrics are thought to be a key part of security, yet 59% of respondents said they have no visibility into employees' password practices and 65% don’t strictly enforce their documented password policies.
Other research indicates that SMBs are reducing expenditures on security technology at a time when threats are increasing. For example, consulting firm PwC’s Global State of Information Security Survey 2015 shows that companies with annual revenues of less than $100 million cut security spending by roughly 20% in 2014, while those above that level increased security investments by 5%.
Even though they might not have the budget or the in-house cyber security expertise of a large enterprise, there are steps smaller companies can take to defend themselves against the latest threats.
For one thing, SMBs can hire a managed security services provider to help plan and implement a security program, including technology solutions and policies and procedures. Fortunately, there are plenty of qualified service providers available to help.
The key in choosing the right one is knowing what type of expertise you need and whether the provider can meet these specific needs. It’s by no means a one-size-fits-all scenario when it comes to hiring security consultants and integrators. For some types of businesses, such as banks and healthcare providers, it’s best if the provider understands the unique requirements of the industry such as regulatory compliance.
Another good practice is to do a thorough evaluation of security tools to determine which make the most sense, rather than just buy up the latest offerings because they’re hot. The budget is likely to be tight, so be sure to invest in products that will address particular needs or weaknesses, such as blocking sophisticated malware or ensuring that employees have secure and authorized access to networks and data.
When looking at technology solutions, keep in mind that protecting the perimeter is only part of the strategy. Organizations must be sure to provide end-point security as well. This is especially important as more users have access to applications and data via their mobile devices and through the cloud.
SMBs can also build a strong security posture by continuously updating their security policies and procedures guidelines. If the company is still using guidelines that were created five years ago, there might not even be any references to the secure use of mobile devices, acceptable use of social media at work, and the correct way to access cloud-based applications.
As part of the policy/procedure initiative, SMBs would be wise to keep employees constantly educated about the need for strong security, and to remind everyone that cyber security is a team effort.