When it comes to digital fraud attempts, size doesn’t matter: 28% of today’s breaches occur at companies with fewer than 1,000 employees.1 Despite this reality, many small and midsize businesses have yet to improve in this area. According to a 2020 survey, 43% of small-business owners admit to having no cybersecurity provisions in place.2
But there’s good news. You can take simple steps now to start improving your organization’s cybersecurity—without blowing your budget. In fact, spending on cybersecurity without a strategy may give you a false sense of safety while doing little to improve your situation
“Spending thousands and thousands of dollars on cybersecurity protects you—on the first day,” says Darren Learmonth, SVP and chief technology officer at Nortek Security & Control. “On the second day, there will be a new persistent threat.”
Instead of focusing just on technology, put these simple ideas to work as soon as you can.
1. Be direct with employees about their responsibilities.
In companies of all sizes, social engineering remains a huge attack vector. Most midmarket executives acknowledge that a social engineering attack could compromise systems in the future.
“Employee education and awareness are two of the best investments in protection,” says Tyler Leet, director of risk and compliance services at Computer Services, Inc. “And you don’t have to invest tens of thousands of dollars in equipment to minimize employee mistakes.”
Share examples of how easy it is to fall victim to common phishing strategies, whether that’s clicking on email links to malicious sites or plugging in a wayward thumb drive. Once employees understand the power of these cyberattacks, they’ll be better versed in how to recognize them—and how to report them before they hit your organization.
“Spend $50 on a really good privacy filter for every employee,” Learmonth suggests, especially ones who travel frequently. “I can’t begin to tell you the number of people who pull out their laptops next to me on an airplane and have their full P&L spreadsheet or source code visible.”
2. Assess risk in a realistic, priority-driven way.
As cybersecurity is an ever-evolving field, there will never be a solution that guarantees total invulnerability.
“If you’re aiming to be bulletproof, you’re setting yourself up to fail,” Leet notes.
Safeguard your company by focusing your protection efforts on the assets that matter most to you—and those with the greatest appeal for attackers.
As Learmonth suggests, “Ask yourself: What’s the value of what you’re trying to protect, and how much would an adversary spend to get your secret sauce, whether that’s your patent portfolio or designs for next year’s products?”
3. Tighten access controls systematically.
Launch a coordinated effort against an overreliance on passwords. Don’t just introduce stricter controls on frequent password changes and increasingly complicated character combinations. Such approaches typically drive people to write their passwords down, undercutting security.
Instead, organize your authentication practices to be consistent with modern cybersecurity theory. The National Institute of Standards and Technology provides guidelines for three distinct tiers of authentication, ranging from “some assurance” to “very high confidence” in the asserted identity’s validity. These tiers are based on combinations of passwords, biometrics, and tokens and can help you sort out which combinations provide greater certainty—and which aren’t as helpful.
4. Stay on top of legal developments at the federal and state levels.
While there is not yet a federal law regulating breach notifications, all 50 states (plus the District of Columbia, Guam, Puerto Rico, and the Virgin Islands) have directives in place requiring businesses to notify certain government agencies and affected customers of data breaches.5,6 Outside of high-profile industries (like finance and health care), federal regulators have typically operated in a hands-off manner, but efforts to change this are increasing, especially in light of COVID-19-related scams and escalating misinformation on social media.
“There’s growing interest in regulating privacy and data online,” says Sarah Fulton Hutchins, a partner at Parker Poe, a law firm specializing in cybersecurity and data privacy issues. “Legislation is introduced each year that could very well affect smaller businesses.”
5. Appoint a business-minded cybersecurity czar.
A full-time chief information security officer is less common in the midmarket, but it’s important to have a leader who can translate cybersecurity strategy into the language of business risk and opportunity.
Whether you find this professional in-house or via an outside contractor, designate a business leader as your cybersecurity czar. Duties should include regularly reporting threat assessment to the C-suite and other key executives as well as evaluating the risks and returns of ongoing investments in products such as cybersecurity insurance.
Hutchins cautions, “A lot of companies assume that [the impacts of fraudulent attempts] are covered under umbrella policies and, increasingly, they’re not.” She suggests buying it now as the price tag is almost certainly far less expensive than the cost of a potential breach. “Cyber insurance is still relatively cheap now,” she says. “That won’t be the case in 10 years.”