Are large organizations better when it comes to cyber security? There are areas in which small and midsize businesses achieve stronger outcomes. Cisco recently released the 2021 Security Outcomes Study - Small and Midsize Business (SMB) Edition, which revealed a number of somewhat surprising findings about SMBs and how they compare to their larger counterparts.
The entire report can be viewed at: 2021 Security Outcomes Study for Small to Midsize Businesses (SMBs) (cisco.com)
The report found that 44% of SMBs reported that their security efforts are successfully keeping up with the business, which is higher than what was reported by large enterprise organizations. SMBs were also better at managing risk and are increasingly making gains in operating efficiency. This all makes sense when you consider that SMBs are more constrained in terms of resources than large organizations. Therefore, SMBs aggressively make the most out of what they have. The strong results for SMBs could also be a reflection of their flatter organizational structure, in which there are fewer degrees of separation between business and IT leaders.
Good security deters the adversary without deterring the workforce. To get to that point, it's essential to understand what people in the organization are doing to get the work done. One winning strategy that security leaders and security teams in SMBs are applying is using resilience to build the business case for security. Resilience starts with asking: What does the technology mean to the business? What is this piece of equipment or that person doing to enable the organization to meet its goals? How much money would we lose if a service isn't available? By answering these questions, a security leader can drive a number of security outcomes with continuity, recovery and response initiatives.
The study found that continuity and recovery have emerged as primary factors in SMB security success, which is especially critical now as business resiliency is more important than ever before. Across 25 different security practices evaluated in the study, prompt disaster recovery capabilities surfaced as the biggest differentiator of success between SMBs and large organizations. Organizations with rapid disaster recovery capabilities reported having a better overall security culture and greater executive confidence.
A core element of resilience is incident response, which is another area where SMBs score well. While preventing bad things from happening is always a good idea, incident response is about minimizing the impact of security incidents when they do occur. According to the study, in small organizations, incident response capabilities yield the highest correlation with successfully managing security risks.
Often security is thought of as being about a single tool or technology that can solve a given problem. But resilience does not come from buying any one thing. It comes from having the ability to manage data risks, maintain efficient and appropriate security controls and implement incident response plans quickly.
While SMBs might be doing solid security work, their employees lack the time and resources to create large reports that track every minute detail of IT operations. Large organizations often have more metrics and security dashboards for tracking their security initiatives. But although SMBs might not have strong metrics, the data shows they compensate by focusing on the right priorities.
SMBs should be encouraged to develop good metrics so they can start instrumenting some processes and measuring the efficacy of controls. The prioritization and focus that SMB security teams have apply directly to metrics. Select, develop, implement and manage to specific key performance and key risk indicators. It is also valuable to track exceptions and determine where there is friction in the process. SMBs should evaluate the workforce concerns and make sure that security maintains a balance between preventing risks and enabling the business.
SMBs are making the best of the limited resources that are available to them. It is important that they avoid over-engineering their security programs and continue to focus on the data and the priorities that provide business resilience and enablement.
Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports available at https://redskyalliance.org at no charge.
What can SMBs do to better protect their organizations today?
- All data in transmission and at rest should be encrypted.
- Proper data back-up and off-site storage policies should be adopted and followed.
- Implement 2-factor authentication company-wide.
- For USA readers, join and become active in your local Infragard chapter; there is no charge for membership. infragard.org
- Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.
- Institute cyber threat and phishing training for all employees, with testing and updating.
- Recommend/require cyber security software, services and devices to be used by all employees and consultants working from home.
- Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
- Ensure that all software updates and patches are installed immediately.
- Enroll your company/organization in RedXray for daily notifications of cyber threats directed at your domains. RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories including Keyloggers, without having to connect to your network.
- Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or email@example.com.
Weekly Cyber Intelligence Briefings: