Brian Berger is the executive vice president of commercial cybersecurity for Cytellix, a turnkey cyber managed service for small to medium sized businesses.

The Small and Medium Business’ False Sense of Cybersecurity

October 5, 2017

Brian Berger

I have been meeting with many small and medium business owners over the past few weeks and months discussing cybersecurity, and have noticed a few common themes or objections in their responses. The first objection to a proper cybersecurity program is typically the cost – most small and medium organizations have not budgeted for or considered cyber as part of their business continuity plan. Yes, it will cost some money to start and to remediate the cyber gaps in an organization, but these costs are lower than the average cost of one cyber incident.

A second common response to cyber incidents is, “It has not happened to me, and we are not even a target.” As a security professional, this one compels me to want to help even more. The small and medium business market is unprepared and woefully understaffed for proper cybersecurity measures.

The fact that a cyber incident can cost an organization more than $200,000 on average should be enough to compel immediate action, but this is not the case. There is either a misunderstanding about the magnitude of impact on the budget, the impact on ongoing operations or the plausibility that every business is a target. I can say with certainty that the business owners who I have met who have realized that it’s time to act are the ones who have had a cyber event in their business. They are the lucky ones whose businesses have survived the event, while the ones who have been attacked who I have not met may be among the 60% of businesses who do not survive a cyberattack.

As a call to action for our hundreds of thousands of small and medium businesses who have not proactively started to address cyber preparedness, please do! Your livelihood, your employees’ jobs and the services you provide to our economy depend on your diligence addressing cybersecurity. Cybersecurity is a well-prepared journey, and it’s not a single product purchase, but rather a combination of knowledge, facts, awareness, training, planning, implementation and preparedness.

There are a lot of discussions about assessments and assessors. Assessments are needed and are the first step in the process; however, they come in all shapes, sizes and costs. Additionally, they identify a point-in-time context using the provider’s assessment technique. Is the technique a question and answer process, a test and verify process or a combination using both tools and technology? This is an area to really ask questions of your assessment provider. At the end of the process, a high-quality set of deliverables that identify your cyber posture from a physical, logical and digital perspective with actionable insights is critical for the business. Since cyber posture is fluid, due to networking, social engineering, insider threats, outsider threats and platform integrity, a plan for real-time situational awareness would be a valuable part of the assessment as part of cyber risk management.

Here are a few suggested deliverables for a high quality cyber assessment:

Measured cyber posture: physical, logical and digital.
- Understand your cyber posture from the time someone enters the building until data transmits to and from digital assets.
Identified cyber gaps with clearly defined steps to remediate.
- During the assessment process, a clearly defined set of organizational “cyber” gaps should be documented. In addition to identification of gaps a clear set of steps necessary to “remediate” the gaps need to be put into a step by step plan.
Ranked vulnerabilities by criticality.
- Organizational vulnerabilities are typically digital assets and their posture. Within the asset analysis a set of criteria should be examined to rank the asset vulnerabilities in a minimum of four categories: Critical, High, Medium and Low.
Plan of action, improvement plan, policies and training materials.
- The plan of action should be a prescriptive document that identifies, Gaps and Vulnerabilities in a actionable plan. Issues need to be identified with both the risk level and solution to bring each item into a proper cyber posture. In addition to the plan of action, the availability of policies and internal training materials for the company are critical to maintaining cyber posture and actionable policies and training when a cyber event occurs.
Baseline and continuous improvement through real-time situational awareness.
- Once an organization has been assessed, a baseline is created. From this baseline tools and technology should be deployed to monitor behavioral changes to the network and assets. Real-time situational awareness is critical to understand when an organization is under attack from both internal and external bad actors.

A critical event is defined as an incident that disrupts normal operations, such as severe weather, crime, violence and critical equipment or technology failures. Business continuity and crisis response plans can only go so far if there isn't buy-in across functions, with executive-level support.

In this webinar, security expert Pieter Danhieux explores how CISOs and CIOs can inspire real change, fostering a positive security culture that enables their development teams to become more security-aware, more aligned with internal AppSec specialists and, ultimately, securing code as it is written.