
CyFIR Leadership Q&A: Small-Cap Companies

BY eSentire

June 17, 2021 | 4 MINS READ


This blog was originally published on CyFIR.com and has been reposted as-is here following eSentire’s acquisition of CyFIR Inc. in June 2021. As of the date of the acquisition, no changes have been made to the content below.

All enterprises, large and small, must safeguard against cyber threats. However, small-cap companies face many unique challenges that increase their risk exposure. By understanding these risks and developing an appropriate cybersecurity strategy, small-cap companies can significantly reduce the likelihood – and potential severity – of a breach.

Q: Why are small-cap companies targeted by cyber criminals? How can small-cap companies become a less attractive target?

A: Small companies tend to be focused on growth, revenue, and running the business — as they should. Cybersecurity is often an afterthought, leaving many companies without the programs and staff necessary to prepare for, or respond to, a security breach. Cyber criminals know that small companies rarely have strong, well-planned, and fully-patched security devices, programs, and protocols. As a result, they become attractive targets, especially as testing grounds, for new cybercrime techniques.

To reduce the risk of an attack, small companies need to improve their security posture. Companies should develop an incident response plan and consider retaining a service provider that can act immediately when a breach is suspected. Outsourcing to a company that specializes in overall IT security management is often the best choice for a smaller company, as the ongoing monthly costs are usually less than maintaining a qualified and continually-trained in-house IT security staff.

Q: Why is a “culture of security” important to cybersecurity resilience, and how can companies develop such a culture among their employees?

A: In an era of teleworking and employee-owned electronic devices, it can be challenging to develop a security-conscious corporate culture. Too often, managers try to create a culture of security by simply imposing new rules and security constraints, which can inadvertently send a message of mistrust. Instead, companies should begin by making sure all employees understand what is at stake — that with a single misstep the Company and their livelihoods could be irreversibly damaged. Companies should begin by ensuring that everyone, including management and the Board, possesses a baseline understanding of cybersecurity principles. This requires training on how to maintain good cybersecurity hygiene, as well as personal vigilance, regardless of whether an employee is working in the office or at home.

Q: What is the role of planning in developing and executing an effective cybersecurity strategy?

A: Proper cybersecurity planning and execution can be the difference between a suite of tools and procedures that work seamlessly together or a patchwork of duplicative tools, sold by different vendors, that increase cost without delivering a secure environment. All companies should develop a plan that systematically ensures good cyber hygiene by, for example, properly segmenting and isolating various networks, regularly performing and testing data backups, and requiring everyone to use dual authentication with regular refreshes. Small companies with limited budgets and internal resources should consider partnering with a firm that can guide them through security planning, installation, and ongoing operations and maintenance.

Q: What is the role of the Board in cybersecurity oversight?

A: If the Board doesn’t have a member from the cybersecurity discipline, it should get one. Fast. A breach can erode Corporate value through the loss of intellectual property or customer trust, and new regulations, such as the European Union General Data Protection Regulation (GDPR), can turn breaches into massive penalties and expenses.

The Board can take a proactive approach to cybersecurity governance by designating Director(s) to conduct oversight and aligning them with the appropriate executive team members so that a clear line of responsibility is established. Second, the cybersecurity posture of the Company should be reviewed at least quarterly, ideally separate from regular Board meetings until security protocols have been institutionalized. Third, the Board should require regular third-party audits to assess the Company’s overall level of cyber hygiene. Rather than focusing on procuring the latest technology, these audits should evaluate the Company’s processes, procedures, and employee adherence to best practices. Lastly, benchmark, benchmark, benchmark. Imitation isn’t only a form of flattery, but where basic cyber hygiene is concerned it is sensible policy. This doesn’t mean copying the exact approaches taken by others, but it DOES mean maintaining awareness of the practices employed by similarly-positioned companies and gaining insights and useful knowledge from their mistakes. By doing so, your team members can have access to timely information on threat intelligence, necessary practices, and when appropriate, new technologies.

Q: You’ve been breached (!) … now what?

A: Call CyFIR. Seriously. Yes, it’s a shameless sales pitch, but no other company is in possession of technology that will help you triage and contain a data security breach faster. Within hours of deployment, you will know every impacted system on your network and likely be completing containment and remediation steps. Competing service providers and technology companies will take months to arrive at the same point of resolution. Want to know if your breach is attributable to an external actor or an internal operator with legitimate credentials? CyFIR is unique in its ability to rapidly answer this question. And if you want to take action in court, respond to a regulator, or pursue any number of other activities associated with a data breach, you will need forensically-assured data. Collecting that data is often prohibitively expensive, unless you’re using CyFIR. To learn more about what happens after a data breach, click here.
