Many SMB owners do not spend the time and resources required to establish a robust and sound information security framework for defending their company from attacks. While there are many reasons for this, probably top of the list is a lack of awareness and expertise on the subject. But when you consider that the National Cyber Security Alliance reports that 60 percent of small companies close down within the six months following a cyber attack, the urgency of developing or acquiring the necessary expertise becomes obvious.
Cyber attacks on SMBs are on the rise, more than doubling in the last few years. Since many SMBs are involved with larger corporations as links in a supply chain or as third-party providers of goods and services, cyber criminals see the often less protected SMB as a potential gateway into other companies that have more mature security at their own doorstep. By breaching a trusted third party, there is a chance that the trust relationship will gain them access to the bigger fish. Many large corporations are now beginning to take an aggressive and active role in driving security requirements for their suppliers and vendors for this very reason.
The National Institute of Standards and Technology (NIST) publication, which is based on their larger Framework for Improving Critical Infrastructure Cybersecurity, was written with SMB owners in mind. It provides a framework of six domain areas, each broken down into actionable categories, and then provides a cross-reference list of the various security standards and the sections that apply to each. This will help you navigate the myriad standards and frameworks, and allow for a systematic approach to developing your information security policy. The six action areas are:
- Identify – Increase your understanding of resources and risks
- Protect – Limit or contain the impact of a potential attack event
- Detect – Enable processes for timely discovery of an attack
- Respond – Reduce or contain the impact of an event by having a response plan
- Recover – Resumption of normal operations following an attack
Even with these guidelines, the reality is that information security planning and implementation is a daunting task. It is not one that can be avoided without major risk to your company, but it does not always make sense to develop the required expertise in-house. Instead of developing this expertise, you can acquire it by engaging a consulting firm like Intrinium, an information security consulting firm specializing in integrating IT technology in the financial, healthcare, state and local government, and retail industries. They have information security expertise already developed, and experience in implementing solutions for companies like yours. Consider the following areas of expertise, and the value of acquiring rather than developing information security expertise begins to make a lot of sense.
- Managed Security and monitoring
- Information Security & Compliance Consulting (HIPAA Compliance, GLBA, PCI DSS)
- Managed IT (Fully Managed IT Services, IT Consulting, IT Project Management)
- Cloud Computing & Hosting Services (Business Continuity, Disaster Recovery, and Cloud Backups)
The NIST guide is a great tool to give you a place to start and a road map to follow. Even if you do engage a consulting firm to help, you need to understand what makes sense for your business, so that you wind up with a complete and functional solution. The task looks daunting from the outside in, but the risk of taking no action is far too great!