Defendify co-founder Rob Simopoulos had the chance recently to discuss the cybersecurity challenges smaller organizations face when engaging with big businesses with CO— Editor-in-Chief Jeanette Mulvey. CO— is the U.S. Chamber of Commerce’s digital platform for small business. CO— is dedicated to helping entrepreneurs and small business owners start, run, and grow successful companies.
Here are some key takeaways:
Supply chain security is a big deal to big businesses.
Leading cyber insurance provider The Hartford cites a study claiming, “63 percent of all data breaches can be linked either directly or indirectly to third-party access.” Large organizations know this and therefore demand their vendors and partners meet their cybersecurity requirements for protecting internal systems and sensitive information that may be shared with the vendor.
A successful cyberattack can expose the organization’s sensitive data, cause financial losses, damage their reputation, and adversely impact a vendor’s ability to deliver goods and services. Large organizations address this risk during the vendor selection process by requiring vendors to complete cybersecurity questionnaires and assessments. Supply chain risk is reduced when vendors and partners have adequate cybersecurity controls in place.
Large organizations require layered, comprehensive security.
Most midsize organizations deploy basic security controls like network firewalls and antivirus solutions on computers and servers. A large business’ cybersecurity questionnaire will require far more. Organizations that wish to do business with big businesses need layers of security. In his conversation with CO—, Simopoulos compares this to protecting a building. Locks on your doors and windows are a good first step, but these can be bypassed by a determined criminal. A second layer of defense could be a burglar alarm. In cybersecurity, an equivalent layer would be a monitoring service that provides a warning (and ideally, containment) when it detects activity indicative of the early stages of an attack. It would also include a plan for the actions personnel must take in the event of an attack. Finally, training employees on cybersecurity awareness can help prevent phishing and other social engineering attacks while improving an organization’s security posture.
Cyber insurance coverage isn’t guaranteed.
Cyber liability insurance has grown in popularity and can provide some protection after a security incident. However, this market has changed as cyberattacks have become more common and more expensive. According to Fitch Ratings, insurance payouts on claims compared to earned premiums (direct loss ratio) have increased from 34% of premiums in 2018 to 65% of premiums in 2021.
Because of this, coverage is not automatic. Insurers, like big businesses, require completion of questionnaires detailing what controls and policies are in place. Inadequate security controls can result in denied coverage or higher premiums.
Cybersecurity cannot be confined to IT.
We often see organizations where security is only a concern of the IT department. It’s easy for cybersecurity to fall by the wayside when IT resources are stretched to keep systems running and users productive. Keeping cybersecurity a priority and building a good security posture requires support from senior management. These are the people who can ensure that all departments take security seriously, promote a long-term plan, and provide the resources to make improvements.
Top three action items for small businesses:
There are deliberate steps teams can take to improve their organization’s security posture. Simopoulos recommends the following:
- Start with a cybersecurity assessment by independent professionals. This can be conducted using questionnaires like those used by large organizations. Using a standardized framework assessment questionnaire like NIST, the Center for Internet Security Critical Security Controls, or ISO 27001 is best. The result is an awareness of an organization’s security strengths and weaknesses. An assessment will serve as a benchmark for identifying improvements needed to meet the requirements of larger businesses.
- Make sure you have layers of defenses – the “burglar alarm” to provide early warning of an attack. Include cybersecurity training to help your employees avoid common social engineering attacks and minimize damage from others.
- Finally, be prepared for attacks. As noted, midsize businesses are attractive targets and criminal hackers are persistent. Have a plan detailing exact steps employees should take when an attack is detected, then practice it and update it as new employees join your organization.
Ready to talk?
If you’re ready to learn more about what you can do to improve your cybersecurity posture, let’s talk.