Updating and strengthening cybersecurity can be a costly proposition for small and medium businesses with limited budgets. With that in mind, the Biden administration has offered some relief to the tune of $9 billion.
But what do cash-strapped businesses do in the meantime? Tugboat Logic CEO Ray Kruck, explains how small businesses can keep up with the current security demands, even without the coveted government dollars.
The Biden administration has proposed a $9 billion upgrade to the nation’s cybersecurity capabilities as part of his proposed stimulus plan. What might that mean for SMBs?
I heard that there might be funding for implementing basic security. Email security may be one area where [the government is] willing to reimburse investments. Actually, building an information security policy for your company is another area where they [may be] willing to reimburse companies for investment in either a technology or a consultant to do that for them.
But it’s pretty limited to some fairly basic elements, most of which are already addressed by security from cloud platform providers, whether it’s using Gmail for your company email or using Amazon or Microsoft for other services. It’s expected to be on the platform, so a lot of the investment from the federal government side is around “we’ll reimburse you for investing in a plan” on how you can put process or technology in place to address basic cybersecurity threats you’re going to face as a business.
The focus has been around how you collect customer data – how you configure IT systems to collect and store data, then the policies governing how your employees handle that data. Basically, doing an asset inventory of all of your assets, where all your data lives. Doing that kind of inventory is one of the key aspects of the plan. Then the other is about best practices being implemented, according to NIST guidelines.
I think at the federal level that’s about all you can really do – you can’t mandate specifics like use this specific access control, or this specific firewall, or this specific email security. They can’t really prescribe at that level. They can basically just force companies to think through a plan like restaurants have had to do with COVID.
That might be basic, but at least it gets the conversation started.
If you wait for government to help you out, you’re going to be waiting a long time or it just won’t come. So, you have to be self reliant, you have to figure out what to do for yourself, and then the question is how do you prioritize. The difference between big companies and small companies is big companies have the resources, they understand the risk that they’re facing, then they mitigate that risk or they invest in mitigating that risk by hiring either smart people, deploying technology, implementing best practices and process.
I think there’s a good level of awareness among even small entrepreneurs, small companies, that there are some risks that they’re going to face. Their email could get hacked, their payment point of sale system that they use to collect credit card data could have vulnerabilities or exposure. But in terms of priority and what to do, they worry about every day. Of course, in the last year what they worry about is staying in business, not worrying about a cyber threat to be perfectly blunt about it.
Have they sacrificed a little bit of security for that?
They have sacrificed a little bit in that they prioritized as number one staying in business. They prioritize making sure that when they invest, it’s making sure their application or service is running online or in a cloud-based service. They’re just making sure that the application is available and that their customers have a good experience using it. And many, many of them have not made the connection that a cyber threat could completely undermine that availability or that experience for a customer.
Unfortunately, it’s still the case in 2021, where you have to get burned or you have to know someone who got burned to take action. Or something bad has to happen before you really proactively spend money to take action to solve or mitigate a risk.
What are they spending their attention on when it comes to cybersecurity?
Where we see the most effort and focus being right now is on the classic stuff. When I say classic, I mean basic application security – passwords and making sure that if you’re using cloud-based service from either Amazon or Google or Microsoft that they’ve got some of those security features toggled on. The platforms are getting better at promoting their own security controls that come natively with those platforms. So, creating an awareness around taking advantage of those things is really important. And that’s one of the first areas where we point customers is, whatever service you’re on, to go look at the native security features. Many of them are free, many of them are available. Many have good documentation or plain English explanations around it.
Given that their apps are key to keeping small and medium businesses up and going, is there any concern on their part about the friction security measures might create?
It depends whether the company is in the B2C market or in B2B. That’s a bigger concern. However, where we see the most effort being spent right now is on privacy and being upfront about privacy – ‘here’s how we collect your data,’ and providing a disclosure. It’s not a bad thing in the B2B world. The security providing friction is actually welcome now, especially if you’re selling to large enterprises – they expect it to be there, they want to see friction. They want to see that you’re doing things to proactively protect them as a consumer of your product, but also that you’re conducting yourself, holding yourself to a higher standard. So, we don’t see friction as as much of a concern in the B2B world. We see many companies using security as a business enabler or as a competitive advantage actually.
What kind of measures are being taken in the face of SolarWinds and other supply chain attacks?
In prior years large companies would try to mitigate that risk by forcing smaller vendors to fill out these large security questionnaires or assessment forms and try to gather the data upfront before they engage. Now, the burden is on the large enterprise to not just do the due diligence once, but on an ongoing basis. That is a heavy burden. You may be secure one day but things could slip and slide and then get lax a year or two or six months later. They’re the vector for an attack. So, what we’re seeing is the growth of industry accepted standards that large companies want their small vendors to adhere . The NIST Cybersecurity Framework is fairly common and becoming like an open standard that some large vendors are requiring their smaller vendors suppliers to adhere to. Another very popular one is SOC 2 or SOC Type 1/Type 2 certifications. It’s an independent, auditable standard refreshed every year. And now it pushes the burden and the obligation on the company and its auditor to provide that level of assurance to the large company versus the large company carrying that burden. It’s become very, very, very popular as a B2B security standard in the industry.
Has the approach to risk and risk management changed for SMBs?
Most small companies don’t always think about risk and if they do think about risk, they actually think about it in very specific, technical ways (like phishing attacks or not putting passwords on Post-It notes). What they don’t think about is what kind of business or service do I offer, what data do I typically handle and gather and process and spit back out, and how does that map to my business – like taking your business and your business purpose in life, and mapping that on top of a framework.
What steps do SMBs need to take to harden privacy and data security even without federal relief money? Where do they need to put their resources?
Even if you’ve taken a step to figure out you have cybersecurity risks, technology isn’t the answer to all of it. So process, better security awareness training – just having a policy and talking about it, documenting it for your company and getting everyone to spend an hour once a quarter talking about privacy or security.
There are some basic things every company can do that don’t cost any money. They can make those small little baby step – investments in setting up policy, making everyone aware of it, and taking baby steps to address how they collect PII. Just asking these basic questions of yourself and writing down what you’re going to do about it, pays dividends later on in terms of when the company gets acquired or goes public. The building blocks of a good security program are just thinking through these issues and writing down your starting point answer. That’s what we’re seeing happening now with SMBs quite a bit.
What other forces in the market will push SMBs to further harden their cybersecurity postures?
I’m predicting that the expectations, and the demands and maybe the future regulations, are all driving towards a consolidation in the technology industry – amongst cloud providers, amongst devices and amongst applications. We’re going to have fewer applications and fewer vendors that are very powerful, that we can both identify and hold accountable for things like privacy.
The reaction now is let’s consolidate – let’s make Google even more powerful, but then we’ll tax them and we’ll fine them and we’ll call them in front of Congress and we’ll hold their feet to the fire, same as we did with Facebook. What I worry about is that innovation will suffer as a result, and then for the SMBs or the little innovators trying to grow and create that new technology, there’s going to be enormous pressure to align with these large players.