Cyber security practices for small and medium-sized businesses
Defending against cybercrime is a fundamental requirement for every business, regardless of its size.
In the past, many small and medium-sized enterprises (SMEs) assumed they were unlikely targets for cybercrime. As a result, some treated cyber security as a non-essential expense. This was always a misnomer; many attacks were opportunistic rather than targeted, meaning organisations small and large could be caught in the crossfire (or more accurately the dragnet).
Today things are drastically different. The threat to all businesses has been further amplified through increased monetisation of any breach, in particular through ransomware and extortion. Constantly evolving customer requirements and Government legislation mean neglecting cyber security is no longer an option. Focus has shifted towards accountability and obligatory protection.
What are the best cyber security practices for small to medium size businesses?
Cyber security is essential for small to medium businesses. Here are the areas you should focus on, and some ways to harden security quickly and effectively.
Prioritise the basics
Visibility of your environment
Effective patch management
Restricting administrative privileges
Continuous monitoring
Enabling strong authentication
Robust disaster recovery and backup process
Automate repetitive tasks
Leverage existing resources
Focus on protecting critical assets
Build strong defences in line with industry standards
As a starting point, document your maturity against each of the above. What does ‘good’ look like? What would you need to do to get there? Consider security, compliance, productivity, and user experience in your ideal solutions. Then, get started on achieving them. The following tips will help you get there faster and most effectively.
Automate repetitive tasks
Automate where you can, particularly routine tasks. If you need to do it more than once, it's worth automating. Automation is a force multiplier for your cyber security efforts, streamlines processes and improves efficiency and consistency.
When developing in-house, it's beneficial to incorporate a practice wherein security flaws are treated like bugs and seamlessly integrated into automated testing. This proactive approach enhances vulnerability management and aligns with your existing practices.
Technology is continuously evolving and becoming more affordable. If you’re in a Microsoft environment, Devicie offers automated device management, which includes OS patching, packaging testing and deploying apps, LAPS, zero-touch provisioning and more. When you add up the hours your IT team gets back, and the increased confidence you’ll have in terms of security and compliance knowing these tasks are always up to date, the ROI is significant. There are similar wins with other tasks and vendors.
Make your vendors work
This applies to both any security product vendors you have, and your supply chain vendors regardless of their role. I’d argue that all vendors are effectively security vendors, as their products should be reducing risks not adding to them.
For security vendors:
What is the scope of their product?
Are you using all the product features?
What actions are required from your team to use the outputs of that product? Document who’s responsible and timeframes if relevant.
For non-security vendors:
What is their security posture?
What are they bringing to the picture to improve yours?
Make security a requirement. Specify that there is an obligation on providers to make your security position better, not worse, and include security testing and remediation in contracts. Make security a contractual requirement and make your vendors accountable for their security posture. Collaborate with legal professionals to set security mandates, outline the course of action if they fail to deliver, and detail testing and remediation expectations and clauses.
Leverage existing resources
Don't just outsource offensive security (security assessment, penetration testing, red team, call it what you will), lean on the knowledge of your internal team to enhance your defences. They are the ones with insights into your environment and potential vulnerabilities. They already know where many of the pain points are and where the bodies might be buried.
Have a regular practice to surface security risks – this could be a dedicated inbox, a question in a survey, or any other practice that suits of your team and is repeatable.
Focus on protecting critical assets
If resources are limited, take a pragmatic approach to protect your assets effectively.
Rather than trying to protect every element of your environment, prioritise understanding and safeguarding the crown jewels, and then build out from there.
This approach helps allocate resources efficiently and effectively, enhancing your cyber security posture.
Understand the real value, cost, and threat—the adage that it may not be worth spending one million to protect $100,000 is still valid. Also consider other options to mitigate the risk, including insurance.
Build strong defences in line with industry standards
Aligning with a relevant standard allows businesses to assess their security maturity and sets a roadmap for continuous improvement.
So, pick a standard and stick to it.
Consider standards like AICPA SOC2, ISO 27001 and NIST 800-53. These provide actionable guidance for implementing and maintaining cyber security practices.
I recommend all businesses follow the guidance and resources available through the Australian Cyber Security Centre (ACSC). As the Australian Government's lead agency for cyber security, they have many resources for small businesses.
As a small or medium business, you have a role in protecting the broader business ecosystem. The ACSC guidelines can help you navigate the evolving landscape. The Essential Eight framework is a good starting point.
The cost of not being secure
The question is not: ‘can you afford to invest in cyber security?’. The question is: ‘can you afford not to?’
ACSC's 2021-22 Annual Cyber Threat Report reveals the high price Australian businesses pay for neglecting cyber security—averaging between $39,000 and $88,000 per incident. These numbers only scratch the surface. You also need to factor in the legal fees, insurance premium hikes, regulatory fines and reputational damage.
In the 2021-22 fiscal year, there were 67,500 cybercrime incidents, resulting in a financial loss exceeding $33 billion.
The cost of not investing in cyber security far outweighs the expenses of implementing a robust defence in depth strategy. The proactive approach of fortifying your digital defences can save not only your finances but your business's reputation.
Getting started with cyber security for small business
The journey to better cyber security starts with informed decisions and strategic actions. Cyber security is not a standalone concern—it's an integral part of risk management. Just as businesses wouldn't neglect physical security, they can no longer afford to disregard digital security.