In October 2012, the National Cyber Security Alliance and Symantec published the results of a survey of U.S. small- and midsized businesses. The report said that more than three-fourths (77%) of the respondents claimed their company is safe from cyber threats such as hackers, viruses, malware or a cybersecurity breach, yet 83% have no formal cybersecurity plan.
It’s clear that SMBs don’t believe they are vulnerable to cyber threats, but industry statistics prove otherwise. In fact, Symantec reports that cyber attacks on small businesses have jumped 72% in the past year. One-third of all attacks now target SMBs.
Some observers may view SMBs as just a target of opportunity, but the situation is more serious than that. Orla Cox, senior manager of security response at Symantec, says that hackers regard small companies as “stepping stones” to attack larger corporations. This notion is not going unnoticed by large companies that use smaller companies as suppliers.
The Greater Houston Partnership (GHP) recently hosted a panel discussion on the State of Cybersecurity. Panel members included leaders from some of Houston’s largest organizations, including Shell, CenterPoint Energy, NASA and the Federal Reserve Bank of Dallas.
The panelists acknowledged that their companies have started to cut off work with smaller businesses that are not keenly aware of online threats. As Rashi Bates, general manager for Shell WindEnergy, put it, “We can protect ourselves, we can protect our people, we can protect our assets, but when we have these collaborative workspaces and we interface with other people, now we’re trying to protect their assets also.”
As more and more large organizations adopt vendor risk management programs – and they are being compelled to do so by industry regulations such as the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA) – they will be scrutinizing the cybersecurity practices of their suppliers and service providers. Unfortunately, small companies with limited resources are not exempt from the requirement to have strong security measures in place.
The question is, where to start? How does a small company begin to evaluate its cybersecurity posture and then take measures to fill the gaps? I believe that many SMBs don’t have a formal cybersecurity plan because they simply don’t know what to do or even how to get started.
The Greater Houston Partnership made this same observation and put great effort into developing a 60-page e-booklet entitled “Cybersecurity and Business Vitality.” This is a guide to “what every Houston-area business leader needs to know” pertaining to security in the digital world. Despite the emphasis on Houston business, the security guide can be used by any SMB (or enterprise) in America.
The guide is quite thorough, covering topics such as:
- The top cyber security risks for SMBs
- Regulatory activity
- General guidelines for protecting a business
- Guidance for company leaders
- Employee awareness of cyber threats
- Containment in the event of a breach
- What to do to respond to an attack
- Risks and important security measures by various industries
This guide is no fluff piece. Dozens of the leading cybersecurity professionals in the greater Houston community worked for months to pull together a thorough document that can be the blueprint for SMBs to develop and implement their digital security plans. Many of the measures are low or no cost, so there is no reason to use the excuse “we don’t have the budget to put security in place.” Every company can learn about ways to enhance its security posture.
GHP also developed a companion tool: an online cybersecurity self-assessment. A company needs only a few minutes to go through the assessment and learn its current cybersecurity position.
As the GHP guide points out, cybersecurity is a complex issue, but there are many simple steps that businesses can take to protect themselves from cyber threats. Further, many steps don’t require a large financial commitment. What they do require, however, is a time commitment to understand the issues, take preliminary steps, and continue to treat cybersecurity as a priority for the business.
By Linda Musthaler, Network World