[BreachExchange] How SMBs Can Leverage Managed Solutions to Overcome Budget and Talent Constraints

Audrey McNeil audrey at riskbasedsecurity.com
Thu Dec 14 19:04:30 EST 2017


https://www.infosecurity-magazine.com/opinions/smb-managed-solutions-budget-talent/

The health of the US economy depends on the health of small business. Small
businesses (those with fewer than 500 employees) make up more than 99% of
all US businesses, and employ nearly half of U.S. workers. Including the
category referred to as SMBs (small-to-midsize businesses, defined as
100-999 employees), those numbers are even larger.

Under attack
Anything that threatens SMBs threatens the global economy. Cyber-attacks
against SMBs are on the rise and pose a grave danger to businesses
struggling to defend themselves with smaller IT budgets and limited access
to information security expertise.

Recent reports by the Ponemon Institute and the Better Business Bureau
(BBB) put a spotlight on these risks. Half of the SMBs surveyed by Ponemon
experienced a data breach in the past year. The BBB results show that half
of small businesses couldn’t stay profitable for more than a month if they
lost access to critical data; 19% believe profitability could be sustained
for only a week.

Many SMBs assume they are not lucrative targets for cybercriminals. This is
misguided for several reasons: first, poorly protected businesses are
“low-hanging fruit” and an easy money grab for hackers. Second, many
exploits are now automated and succeed by attacking at high volume, without
discriminating as to size or type of business. Third, targeted attacks on
unsecured SMBs are sometimes carried out in order to gain backdoor access
to a larger enterprise’s network.

No budget for tools and talent
Given all that is at stake, why aren’t SMBs better prepared to defend
against attacks and respond effectively to incidents? The primary answer is
lack of funding and resources. Layered, proven security solutions are often
costly and difficult to implement. Many SMBs simply do not have the
technical or information security expertise to understand the threats and
risks they face, let alone the ability to fully address them.

Cybersecurity and IT management processes often include volumes of data
from dozens of sources. Even large companies struggle to manage all of it,
and are increasingly seeking automated, intelligence-driven solutions to
ensure they can keep up with all the threats, alerts, and regulatory
obligations.

Cybersecurity talent is expensive, hard to find, and hard to retain.
Smaller businesses are competing with enterprises and government agencies,
which can offer higher salaries and more interesting work.

A better way
SMBs seeking better protection and a way around prohibitive investments in
infrastructure, security software, and information security hires are
turning to comprehensive, best-fit solutions from managed security services
providers (MSPs). MSPs with integrated security and risk management
offerings can cost-effectively and safely secure physical hardware,
networks, data and sensitive information.

It's a viable option for smaller businesses that have critical assets to
protect — data, technology infrastructure, operations, revenue, customers,
partnerships — all these require coordinated and systematic processes for
governance and risk management. Also, most businesses have compliance
obligations: protecting PII from credit card transactions, safekeeping PHI
under HIPAA regulations, proving workplace safety measures for OSHA.
Increasingly, even businesses without much regulatory burden must pass risk
and security assessments in order to pass muster with clients and partners.

Integrate, automate, collaborate
Governance, risk management, and compliance (GRC) activities are an
essential component of an overall cybersecurity program, and should be
tightly integrated with network and endpoint security measures. This
approach, known as integrated risk management, is the most effective way to
protect data and assets, enforce policy, increase risk visibility, and
strengthen incident response.

MSPs that offer GRC solutions can provide SMBs with the tools and expertise
required to assess cyber risks, centralize data and documentation, and map
policies to controls. These platforms are cloud-based, so they don’t
require upfront CapEx investment, and can scale and flex to the particular
needs and business model of an individual business.

Streamlining and automating security-related workflows, systems monitoring,
and remediation activities allows SMBs to make the best use of the
information security tools and staff they do have, while ensuring that
fewer important processes (patching, configuration, privileged access,
etc.) fall through the cracks.

Integrated risk management and GRC solutions are designed to centralize
data, tracking, and documentation. This breaks down siloed record-keeping,
reduces duplicated efforts, and ensures that all data and technology assets
are visible to all stakeholders. It also encourages interdepartmental
collaboration and reinforces accountability.

MSP advantage
When SMBs subscribe to these solutions through a managed service provider,
they gain access to more and better tools than they could purchase (let
alone install and manage) separately. They can leverage the MSP’s network
of resources and call on their dedicated experts for technical support,
help with risk assessments, employee training, and GRC advice.

SMB executives can work with the MSP to ensure that individual risk areas
have been thoroughly addressed — vendor, policy, incident, cybersecurity,
regulatory compliance, and more.

As businesses of all sizes and types become increasingly reliant on data
and digital processes to run their businesses, operations become more
complex, more interdependent — and more vulnerable. Cybersecurity and risk
management tools should no longer be considered an add-on: no one runs a
legitimate business without a bank account to store, process, and protect
their money. In the digital era, no one should try to run a business
without services that intelligently store, process, and protect their data.

Just as an astute financial advisor can be a competitive advantage, having
access to an MSP’s experts and resources can help smaller businesses stay
on the leading edge. Security and GRC solutions, when implemented
strategically, can help SMBs build resilience, prepare for growth
opportunities, and win deals. Most importantly, engaging with an MSP to
implement security and risk management solutions that fit your model,
budget, and capabilities is the best way to steer clear of downtime, data
loss, and other disasters that could break your business.