If you think about enterprise organizations, there are typically teams of cybersecurity professionals on staff or hired to help them bolster their security portfolio. For SMBs, there typically isn’t this type of support to help them with cybersecurity practices.
As you peel back the layers, many SMBs think that they’re protected, when in reality all they have is an antivirus and a firewall. However, many of these same companies have invested in physical protection for their buildings – access control systems, surveillance, alarms, etc. In addition, they inform and train employees on what to do in emergency situations.
Treat Cybersecurity Like Physical Security
The average loss in a burglary is around $5,000, while the average loss in a cyber attack starts around $80,000. So there is clearly a disconnect among SMBs between what they invest in and what they should invest in to protect themselves.
“You really need to have comprehensive, multiple layers of protection on the cybersecurity front, and we really don’t see that with small business today,” says Rob Simopoulos, Co-Founder of Defendify.
If you think of it in terms of a building, many of these same sorts of physical security initiatives can be applied to the network. Alarm systems can be activated if there is any strange activity in the network. Training can teach employees cybersecurity best practices. Policies can be put in place to make sure they’re protected.
“Human error is really the leading reason for most incidents, and we think it’s really important that people think about their cybersecurity posture,” says Andrew Rinaldi, Co-Founder of Defendify. “What am I doing every day to help protect and defend?” You need to think about the human error first, and then determine what technology to put into place to aid.
Educate Employees on Cybersecurity
“I think that it’s important that the employees totally understand how they’re expected to use computers, mobile phones, and applications,” says Simopoulos. “Make sure that they understand why those things are put in place.”
One of the key places to start is to develop strong policies and guidelines for the employees who work there: write the rulebook, then train employees on it. In the end, you’ll also want to test employees to ensure that human error is under control.
If one of the policies is that employees can’t use devices for personal things, explain why and how that puts the organization at risk. When an employee understands the true risk of logging into personal accounts on company devices, they’ll shy away from doing so. Otherwise, an employee who doesn’t understand the risk will consider some of the policies simple paranoia.
It’s a serious topic, but it doesn’t have to be so serious when you present the information to the team. Explain the why, and weave some fun into it. Presentations, videos, training, and so on – keep it short and digestible, explained in ways non-technical employees can wrap their heads around. It’s not the most exciting material, so you want employees to actually engage with it.
“The other big thing is leading by example,” says Rinaldi. “The IT Director is often in a position where people are looking to them and thinking of them from a tech perspective, but they’re also a leader of the organization. Having someone in that role talking about cybersecurity as a posture, and building everyone to be a cyber defender, leading by example, doing things they’re asking others to do, really goes a long way.”
One way to weave in some fun is to offer prizes when employees complete training or pass things like phishing tests.
Hire Consultants and Managed Service Providers
One way for SMBs to get the support that an enterprise organization gets at a fraction of the cost is to outsource their cybersecurity needs. Managed service providers and consultants are a great way to get professional help without the need to hire new staff members. They can work with your existing IT department to put many of these practices and technologies in place.
“It really depends on the situation,” says Rinaldi. “It’s about setting the table in terms of how you’re going to work together from a relationship perspective.”
Everyone’s cybersecurity program is different and unique to the organization’s needs. Make sure the conversation happens in plain English. Things tend to get overcomplicated in the tech world – your cybersecurity partner should make complicated and confusing concepts understandable.
Another big thing is to make sure your partner is accessible. There’s a trend in the industry of companies hiding behind their computers – you want to be able to have a conversation with your partner when you need to. Decisions should be made with the end user in mind, and someone should be there to answer your questions along the way.
A good user experience is what you’re searching for. How do they engage with what you’re doing? How does it work for your organization? Is it something that you understand? Is there someone there to help you along the way?
If you can be sure that your partner is just that – a partner – then you’re on your way to improving your cybersecurity portfolio.