6 Cybersecurity Challenges Small Businesses Face

Take the target off your back. Address these cybersecurity challenges head-on to improve your security posture.

In the past there have been some perks to being a smaller player in a bigger market. Whether related to workforce issues, governance or competition – small businesses across all industry sectors were able to stick to business as usual. And while there was nothing wrong with that – times are changing, especially when it comes to cybersecurity concerns.

During a CompTIA Volley podcast, guest Chris Cochran, co-founder of Hacker Valley Media and Advisory CISO at Huntress, shared some of the biggest cybersecurity challenges small businesses are facing today with hosts Seth Robinson and Carolyn April of CompTIA.

1. Not All Small Businesses Understand What Cybersecurity Really Means

Cochran made a point to note that cybersecurity is a kitchen table topic – everybody is aware of it. But there is a gap in understanding what it is and how to implement it. Because small businesses often don’t have access to the resources and specialized staff their larger counterparts do, tackling a broad issue like cybersecurity can be overwhelming.

Of course, learning how to integrate cybersecurity best practices into your business processes will continue to evolve as we all learn more. However, small businesses don’t have the luxury of waiting until they’ve figured everything out to take action. With that in mind, the Cybersecurity and Infrastructure Security Agency (CISA) has created Cyber Guidance for Small Businesses. This resource breaks down cyber tasks by role, including the CEO, security program manager and the IT team.

2. Many Small Businesses Think They Are Immune to Bad Actors

Small businesses don’t compare themselves to larger enterprise corporations. In fact, they often create a competitive advantage by emphasizing how different they are. That mindset can be hard to shift. The truth is that criminals are looking at anyone they can get money from.

“If you’re leveraging cloud infrastructure, web apps or connected to the internet in any way, you can become a target,” Cochran said.

Even if you aren’t operating with deep pockets, bad actors want to get their hands on your valuable data. Customer credit card information, bank account credentials or your proprietary business information is easy to sell to other criminals – if they aren’t using it for themselves. Similarly, a cybercriminal may use you as a link to get to a larger organization. And sometimes bad actors aren’t interested in your data – but have their eye on your company’s computers to create a massive DDoS attack. And they all want your cash – no job is too small.

3. Most Small Businesses Don’t Have Cyber Pros on Their Team

Cochran says that most small businesses don’t have cybersecurity professionals on their team because it’s not their first language. Typically, small businesses have a niche. They have taken something they do really well and turned it into a moneymaker. But when you’re so specialized, it’s hard to think outside those parameters.

Investing in cybersecurity talent can be intimidating for a small company that doesn’t really understand what they need. It can also be expensive. For those who fall into this bucket, yet still understand the importance of cybersecurity, third-party partners are key.

4. Cybercrime Is Becoming a Bigger Business

The fact is that cybercrime is becoming more organized. Cybercriminals that were operating on their own may now be part of a group that shares information, casts a wider net and makes everything more dangerous. Cochran says that criminal organizations are collaborating – and we should be too.

Membership in an information sharing and analysis organization – or ISAO – can be especially helpful to small businesses that may be lacking in threat intelligence. The CompTIA ISAO includes a Cyber Forum dedicated to helping everyone in the business of technology share real-time threat information, analyze potential impacts, coordinate response efforts, promote security best practices and educate staff.

5. Cybersecurity Skills Are Constantly Evolving

We know how quickly the tech landscape changes, and cybersecurity is about as fast-paced as you can get. Cochran says the skills your practitioners have (and need) are constantly evolving.

“The attack surface is wider and there’s all these aspects of cybersecurity. You can’t have one person that covers everything,” he said. “You need people that are focused on compliance, threat hunting and incident response. You have to let your people grow and change because the technologies and the threats will grow and change.”

Skills gaps and user education are two of the main items outlined by companies as cybersecurity challenges in CompTIA’s State of Cybersecurity 2024 research. Closing that gap could mean building relationships with third-party vendors, upskilling your current staff, training your non-technical staff or hiring for net new positions.

6. Small Businesses Think What They Are Doing Is Good Enough

When we don’t fully understand something, it’s common for it to consistently fall to the bottom of our priorities. Likewise, when we finally address the situation it’s all too easy to cross it off our to-do list – but cybersecurity doesn’t work that way. Cochran says that having a sense of being “good enough” can tempt organizations to trim their cyber budget or cut back on activities. “If you’re not going to grow or progress, you’re putting yourself at risk,” he said.

The best cybersecurity measures are being constantly reviewed and improved. Conducting a risk analysis is a great example of how small businesses can get started. Cochran notes that while you can never account for 100% of potential vulnerabilities, it’s important to decide where to put your money and fortify yourself.

Once upon a time small businesses didn’t have to worry as much about cyberattacks. Those days are over. Today, small businesses have a target on their back if they don’t take cybersecurity seriously. All it takes is one weak link for a cybercriminal to wreak havoc on your business, affecting your livelihood and the fate of your customers and business partners.