We Are Failing With SMB Information Security
Greg Schaffer
Servant - SMB Advisory CISO - vCISO - Author - Podcast Host - SME Contributor - Mentor - Entrepreneur - Owner vCISO Services, LLC and Second Chance Publishing, LLC - CISO Novelist - Veteran
According to the U.S. Small Business Administration (SBA), there are 33.3 million small businesses in the United States, comprising by number 99.9% of all U.S. businesses[1]. Many of these provide services for larger organizations. Small businesses, defined by the SBA as having roughly 500 employees or fewer, are essential components of the country’s economic system.
However, from my perspective, the information security needs for small and midsized businesses (SMBs) are underrepresented in our industry. As an example, the sessions and vendors at a typical information security conference seem mostly geared to large organizations with corresponding large budgets.
I work with small businesses daily. I also operate two. Small businesses have many of the same information security concerns as large corporations, much of which goes unaddressed, creating a significant risk.
Look at the Bank of America breach earlier this year. A vulnerability at a third party was exploited to compromise Bank of America information assets. Does this sound familiar? It should, because it’s not new. Those who have worked in the industry for some time will recall the Target breach in late 2013, which also began with the exploitation of a small business’s information security vulnerabilities[2].
Yet our usual conclusion is that third-party risk management failed. This is the common response, followed by TPRM vendors leveraging the most current supplier breach to showcase how their product would have likely prevented the loss of information.
Why do we ignore the root cause of the problem?
Small businesses not only lack the resources and expertise to identify and address information security concerns; they also often give it low priority. It’s understandable; they are trying to grow a business. Margins are tight, and personnel wear many hats. Most rely heavily on SaaS products, and often assume, incorrectly, that because of this they are secure and have effectively transferred the risk.
Larger organizations come knocking on the door with questionnaires to assure the security of their partners, who will inevitably answer the questionnaires in a favorable light. They need the business, and anything less than a great response risks revenue loss. The process stops, and down the line a breach occurs.
I’m not saying this was the case with Bank of America. What I’m illustrating is that the process failed with the introduction of the self-assessment questionnaire. The large business did nothing to help the small business’s information security posture. In fact, both parties likely didn’t care much. They both just wanted a completed, clean questionnaire.
This is backwards. Our industry needs to focus more on ensuring small businesses have a solid information security posture. There are resources available, such as CISA’s Cyber Guidance for Small Businesses[3], which is an excellent base for securing small businesses; but how many small business executives know, or care, about it? How many information security practitioners? How many industry associations?
I’ve been in IT and information security for over 30 years. It’s not hyperbole when I say I believe this to be a serious issue. On The Virtual CISO Moment podcast[4] I always ask my weekly guest: what is the most significant risk to small businesses’ information security? The best answer I’ve received, which I agree with, is “bad advice” (I would add no advice as a part of that as well).
I want to help change that, drawing from my seven years’ experience as a virtual/fractional CISO practitioner. In future articles, I'll look closer at some ways we in the information security industry are failing small and midsized businesses and offer possible directions to consider to help solve these problems.
Fractional CMO| Sales and Marketing Strategist| Board Advisor| FCIM
12 months
Greg, thanks for sharing. There is a similar challenge in the UK where we have 5.5 million SMBs (1-249 employees) which make up 99% of our market.
Chief Technologist
12 months
It takes discipline to cater to SMBs. But it is worth it. So many companies try to chase the big sales and big money. This article is correct: SMBs make the world go around, they just don't get the press of the mega corps. We need to help them with their security. So much of that is security practices. (They're the ones with passwords in Notepad, not changing passwords, not locking down systems, thinking it won't happen to them...)
Security Savvy Speaker | vCISO | TRaViS ASM Founder | Cybersecurity Whisperer | CISSP | MBA Thoughts, opinions, rants, etc. are my own and are in no way affiliated with any employer/partner/contractor/babysitter/relative
12 months
You can lead a horse to water... but can't make them implement basic security measures.
Founder & CEO at Hire a Cyber Pro | Cybersecurity Consultant & Recruiter | Helping Business Leaders Identify and Reduce their Cybersecurity Risks | M.S. Cybersecurity | CISSP | More Certs | vCISO | CMMC | USAF Vet
12 months
Providing more education is important to help SMBs. Most folks don’t know where to start. I’ve been able to partner with local chambers and Tennessee Small Business Development Centers (TSBDC) to help educate folks on cybersecurity. Companies focused on bigger clients don’t do this.