For any new business, it’s easy to defer spending on security; the do-nothing option is a no-cost solution that has no drawbacks until the moment when something goes wrong.
Why do small businesses need to bother?
Historically, small businesses could get away with the do-nothing option. However, the likelihood of being hacked increases year on year: more bad actors, more attack vectors, better tools, and more opportunities to make money. An attacker can now deliver ransomware to thousands of targets in a matter of minutes, and because the targeting is automated rather than chosen by hand, they only need a small percentage to fall victim and pay a modest ransom to make a profitable return. Being a small, low-value, low-profile business is no deterrent to would-be attackers.
Small businesses operate on tight budgets. To work out what a business should spend on security, it’s often better to start by working out how much it will cost the company if it suffers a significant incident.
How much would it cost the business for each day that it cannot operate? Add to that the potential cost of having intellectual property stolen, the loss of brand reputation, and consequential damages for any impact on client data. A quick back-of-the-envelope calculation shows that this cost can spiral out of control and eat into future earnings.
Building a foundation of secure infrastructure, applications, and processes is far simpler for small businesses than for large ones. The aim is to embed a culture of security awareness at the company's core, encouraging the business to support security rather than adopt the traditional stance of "we'll get a tool to do that". Knowing how the company plans to evolve also means the security foundations can be structured to support increasing business and process complexity.
Policies and Processes
The first step for any business is to document its policies and processes. This lays out what needs to be done, and just as importantly, what doesn’t need to be done. Writing down the problem makes it simpler to develop a solution. For a micro-business, this is a quick and easy task. Then as the business grows, the documentation expands with it. Waiting until a company has grown to the point where such documentation is essential will create a much more challenging task that’s more likely to be filed under the ‘too complicated, do later’ section of the to-do list.
IT Infrastructure and Applications
All businesses need an IT infrastructure that securely supports the business processes and income. Agile solutions that bring flexibility and scalability are the gold standard. As we say at the end of our reports, "We don't ask our clients to make a trade-off between usability and security. We need to offer them the best of both". Ensuring new applications and infrastructure hit the following marks can significantly improve your security posture.
- Ensure the resource can be updated quickly and easily, and updates are provided regularly during its lifetime.
- Make sure secure configuration is either the standard out of the box or the product ships with a security configuration tool.
- Apply a trust-but-verify approach to software vendors: confirm they have a demonstrable track record on security, including a history of issuing fixes promptly when flaws are found.
It’s almost inevitable that a business will experience a security incident. Having equipment stolen or absentmindedly clicking on a link that installs ransomware does happen (trust us, we’ve seen it) and deleting an important file or spilling coffee over a laptop can be just as impactful as any cyber-attack (we’ve seen that too).
Companies need to have the means in place to recover quickly, whatever happens. For small businesses this comes down to having backups of important information and timely access to replacement equipment. The latter is simple these days: replacements for most IT equipment can be sourced within hours. The former requires a little more thought. Solutions for backing up data are straightforward; services such as SharePoint have versioning and retention available as standard, although these are not a substitute for a separate copy that ransomware on a synced laptop cannot reach. However, small businesses often forget to check that the backup solution is working effectively. Are all the correct files being backed up, can the backups be accessed, and how easy is it to recover files? The only reliable way to answer these questions is to perform a test restore periodically. The last thing any business wants is to find out that the backup isn't working when they need to recover a critical file.
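The three checks above (the right files are present, the copies are intact, and a file can actually be restored) can be automated. The script below is an added example and not from the original article or any particular backup product: it builds a small constructed "live" folder and a deliberately flawed backup of it, compares the two by SHA-256, and performs a trial restore into a scratch directory. Paths, file names and the `build_demo` data are assumptions for illustration; point `verify_backup` and `trial_restore` at real directories to use it.

```python
"""Backup verification check (added example; sample data constructed inline).

Compares a source tree against its backup file by file (presence and SHA-256),
reports stale files that exist only in the backup, then restores one file into
a scratch directory to prove the backup is actually readable.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files never need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict:
    """Map every regular file under root (as a relative POSIX path) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(source: Path, backup: Path) -> dict:
    """Report files missing from the backup, files whose content differs, and
    files present only in the backup (stale copies a blind restore would bring back)."""
    src, bak = manifest(source), manifest(backup)
    return {
        "missing": sorted(f for f in src if f not in bak),
        "changed": sorted(f for f in src if f in bak and src[f] != bak[f]),
        "extra": sorted(f for f in bak if f not in src),
    }


def trial_restore(backup: Path, relpath: str, expected_digest: str) -> bool:
    """Copy one file out of the backup into a scratch directory and confirm it
    hashes to the expected value. This is the step most often skipped."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / relpath
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup / relpath, dest)
        return sha256_of(dest) == expected_digest


def build_demo() -> tuple:
    """Constructed sample data: a live tree and a backup that is subtly wrong."""
    base = Path(tempfile.mkdtemp(prefix="backupcheck_"))
    source, backup = base / "live", base / "backup"
    (source / "accounts").mkdir(parents=True)
    (backup / "accounts").mkdir(parents=True)
    (source / "accounts" / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")
    (source / "contracts.txt").write_text("client A, signed\n")
    (source / "notes.txt").write_text("todo\n")
    # The backup copied the ledger correctly, holds an older contracts.txt,
    # never picked up notes.txt, and still contains a file deleted from live.
    shutil.copy2(source / "accounts" / "ledger.csv", backup / "accounts" / "ledger.csv")
    (backup / "contracts.txt").write_text("client A, unsigned\n")
    (backup / "old_invoice.txt").write_text("stale\n")
    return source, backup


def run_check() -> dict:
    """Run the full check against the constructed data and return the report."""
    source, backup = build_demo()
    report = verify_backup(source, backup)
    report["restore_ok"] = trial_restore(
        backup, "accounts/ledger.csv", sha256_of(source / "accounts" / "ledger.csv")
    )
    # Healthy only if nothing is missing or altered AND a restore actually works.
    report["healthy"] = not (report["missing"] or report["changed"]) and report["restore_ok"]
    shutil.rmtree(source.parent)
    return report


if __name__ == "__main__":
    for key, value in run_check().items():
        print(f"{key}: {value}")
```

On the constructed data the report flags `notes.txt` as missing, `contracts.txt` as changed and `old_invoice.txt` as a stale extra, while the trial restore of the ledger succeeds; `healthy` is therefore false, which is exactly the outcome a business wants to learn about on a quiet afternoon rather than during an incident. Scheduling a run like this weekly and alerting on `healthy == False` turns "we have backups" into "we have tested backups".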
On top of this, "break-glass" procedures are also an essential part of recovery. Something as simple as knowing which plug to pull for the server, or what someone's emergency phone number is, could be the difference between a working day and a lost day. These details need to be written down and kept somewhere that is still reachable when the normal systems are down.
Security as a marketing tool
For B2B customers looking to integrate a new supplier into their supply chain, security requirements and due-diligence questionnaires are becoming more common. Supply chain security is increasingly a point of focus, and a small business that has security built into its foundations will have the advantage when those questions are asked.
Schemes such as Cyber Essentials and the ability to say “we adhere to cyber best-practice” come with badges of honour that can proudly be displayed on marketing materials. This offers customers the confidence that this is a business to be trusted.
Businesses of all sizes need to consider their security and implement adequate controls. For small businesses, security shouldn’t be thought of as an expense but rather as insurance against the significant losses that falling victim to an attack or suffering accidental damage can cause.
The challenge for small businesses is finding a pragmatic solution that is compatible with their budgeting constraints. Affordability, practicality and effectiveness are the key aspects to consider.