There is a children’s book, “Inside, Outside, Upside Down” featuring The Berenstain Bears, that teaches young children about spatial concepts. When it comes to securing your organization’s data, it may feel like you need to cover all of the spaces: inside, outside, and even upside down. It’s no wonder, since security risks exist everywhere: inside the network and outside the firewall, from employees accidentally leaking information via their mobile devices to outside phishing and malware threats trying to get in. With these increased cyber risks, companies of all sizes are constantly challenged with how to spatially navigate the security landscape.

Small to medium-sized businesses (SMBs) may not have dedicated security staff or security budgets compared to larger organizations. Yet their cybersecurity risks aren’t any smaller. In fact, ransomware is hitting SMBs hard. More than half of SMBs experienced a ransomware hack in 2017, according to a report by Ponemon Institute. Nearly 80 percent of SMBs said that ransomware was launched through a social engineering attack.

Your security needs are big, regardless of your organization’s size

Small businesses with little or no security staff can still have an effective cybersecurity program. The following can be done by your staff, even if they are not technically savvy:

1. Start with a healthy amount of paranoia! Having a good idea of the real risks facing your business and how threats to your business may accomplish their goals is an essential business trait that doesn’t always require a technical background.
2. Conduct a security review. Unless you know exactly what your business leaders want to protect and are required to keep confidential, cybersecurity efforts may be wasted even if you’re simply following best practices. Sitting down with key managers and leaders to understand the key assets and goals for the security program is an essential first step. 
3. Determine what data needs to be protected. What data do you work with every day? What data is confidential? What data is essential to making your product? What data is public? What data would scare you if it got out? What would you do if that data was unavailable? What information is regulated? Once you scope out the data categories, you can start developing policies and procedures.
4. Establish procedures and workflows. Start applying security controls at every step of the data handling transactions. Data security controls, according to the Infosec Institute, are used to safeguard sensitive and important information. They help to detect, minimize or avoid security risks to your computer systems. If you don’t know what data security controls are needed, then you may need to consult with a third-party technical professional. However, by performing a stakeholder workflow review, you have already done a great deal of work towards a proper risk assessment.
5. View technical data as a puzzle for the entire staff. For example, a SMB may be able to send the team to a technical conference to soak up knowledge, or spend one hour a week to listen to a webinar. Taking on technical challenges as a group, with a fun tone around the activity and rewards around solving puzzles, can help team comradery and teamwork. Technical content may be difficult, but having a staff that is eager to learn and crack hard puzzles will be an asset.
6. Leverage eager learners and career novices. There are many people in school or just out of school itching to get some real-world experience. Consider hiring an intern with technical experience. Many colleges and trade schools have well-trained students studying cybersecurity.

The more you know about your operations, network topologies, business workflows, and regulations, the better you will know what data could be at risk. Once you know what data is at risk, you can start researching and learning how a “bad guy” could get this secure data.

If you start doing both, regardless of your technical background, you can effectively manage and outsource the more technical items.

Leveling up your security

If your company has some technical experience, where should you prioritize? In addition to concentrating on your most confidential information, here’s a checklist of your core security must-haves – especially if you are under FFIEC, NCUA or HIPAA regulations:

1. Focus on the endpoints. This is where humans interact with machines, especially the mobile ones.
   1. Endpoint encryption
   2. Endpoint antivirus
   3. Email phishing/spam filtering
2. Firewalls and perimeter
   1. Encrypt your communications
   2. Ensure you pose a minimal attack surface
3. Employee security awareness training
   1. Especially around email usage, BYOD and best practices
4. Data loss prevention (DLP)
   1. On your network shares and outbound email
   2. Block USB ports and limit access to certain websites
5. Network and activity baselines set
   1. Monitor for availability
   2. Monitor for knowledge of what is normal in your network   
6. Perform risk assessments, obsessively at first
   1. Scan your entire enterprise for both vulnerabilities and new assets
   2. Remediate those vulnerabilities in a documented way
   3. Scan early and scan often
7. Keep improving!  If you made it this far, you have built a solid security foundation. Now a process of re-evaluation and external testing will determine your next steps and tools to automate all of the above.

When is a good time to bring in outside help? If your company has only one network technician who is busy installing new firewalls and routers, plus typical day-to-day troubleshooting and maintenance. You may find that the time and costs are too great or too inefficient for your organization to do it all. When it comes to maintaining and improving your security, you don’t want to be stuck inside a box like Brother Bear in The Berenstain Bears’ story. And you certainly don’t want to be stuck upside down inside a box.