When it comes to cybersecurity, small and midsize businesses (SMBs) have gotten a bad rap. Every once in a while I will see media coverage of something like this CNBC survey, which claimed to find that more than 60 percent of small business owners are not concerned about the risk of a cyber attack, and it makes my head spin. To put it bluntly, I don’t buy it. I work with SMBs every day and can tell you firsthand that the issues they are facing around cybersecurity are not related to ignorance or a failure to prioritize. It’s that cybersecurity is really hard as an SMB!
Same challenges, different budget, different consequences
If you think about the security challenges facing SMBs, they’re really not that different from the ones facing large enterprises. Malicious actors developing increasingly sophisticated and varied methods of gaining illicit access to valuable assets and data? Check. Attack surface expanding rapidly due to a host of factors, including the rising adoption of hybrid work? Concerns about the tradeoff between security and ease of use/productivity? Check and check!
But where enterprises and SMBs diverge is simple: the resources available for mitigating escalating threats. It’s hard enough for enterprises dealing with these issues when they’ve got high-tech SOCs filled with analysts informed by the industry’s most powerful tools. But what about a small IT team without that firepower or expertise? The problem isn’t that SMBs aren’t aware of or concerned about security. It’s that they lack the budget, the staff and the skill set to adequately defend themselves.
This problem is exacerbated by the potential impact of cyber attacks on SMBs. There is no question that some attacks on enterprises can be disastrous. You just need to read the headlines on this site to come to that conclusion. But for most enterprises, an attack results in financial damage that amounts to a rounding error in the accounting department, coupled with some reputational damage. SMBs simply do not have the luxury of letting attacks roll off their back.
The numbers are staggering. According to a widely cited figure attributed to the National Cyber Security Alliance, cyber attacks are a death blow to SMBs more often than not: 60 percent of small and midsize businesses go out of business within six months of falling victim to a data breach. At the end of the day, cyber attacks are an existential risk for SMBs. Combine that with the fact that attackers understand SMB cybersecurity limitations and actively target these companies because of them, and it paints a pretty bleak picture.
Many enterprises have turned to the Zero Trust cybersecurity model to mitigate risk. At its essence, Zero Trust boils down to the concept of “never trust, always verify”: every request to access data and systems is verified based on identity, device and context rather than on whether it originates inside the corporate network, and companies prioritize least-privilege access. It’s an expensive, complicated journey for even the most advanced security teams – so is it fair to expect SMBs to employ Zero Trust principles?
Is Zero Trust realistic for SMBs?
As it stands today, this is a pretty easy question to answer. Zero Trust is too complex, too difficult, and too expensive for SMBs to realistically achieve. But this doesn’t mean that it’s time for those tasked with securing SMBs to throw up their hands and hope that theirs is the business that attackers choose not to target. There are incremental steps that small and medium businesses can take that steer the ship closer to Zero Trust, even if they don’t entirely comply with its guidelines and principles. The “zero” in Zero Trust makes many think of black-and-white extremes, but SMB security teams need to take steps toward the elusive goal post – even if they may not reach it any time soon.
The first step in this process is getting employees on board and instilling a sense of shared responsibility for security across the business. If an enterprise suffers an attack, the company will most likely survive. But we’ve already learned that attacks on SMBs frequently lead to the shuttering of the business. It’s critical to convey that sense of shared risk across the employee base, because employees are frequently the targets of these attacks.
Beyond the need to make security a cultural priority, there are tangible steps that SMBs can take to get closer to Zero Trust, starting with developing an understanding of the roles and identities of your employees. Identity is at the heart of any effective cybersecurity strategy, so it’s critical to classify your people and understand at a granular level what types of information you have and who needs access to each. At the same time, you need to make some tough decisions prioritizing what you want to protect. This will vary from business to business, but you need to accept that you can’t protect it all overnight. Identify the critical data and prioritize strengthening the security posture around it.
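To make the two ideas above concrete (“never trust, always verify” with least privilege, and an inventory that maps roles to classified data), here is a small policy decision point written as an added example. It is not code from the original post or from any product; every asset, role, tier rule and user in it is constructed for illustration, and a real deployment would pull identity, device posture and session state from an identity provider and an MDM rather than from request fields.

```python
"""
Toy Zero Trust policy decision point: deny by default, verify every request,
and grant only what a role explicitly needs. All assets, roles and rules below
are constructed for this example; they are not a real company's inventory.
"""
from dataclasses import dataclass

# Step 1: inventory the data and classify it. The tier decides how strictly a
# request is verified; "critical" is the data you harden first.
ASSETS = {
    "payroll-db":     "critical",
    "customer-crm":   "critical",
    "source-repo":    "internal",
    "wiki":           "internal",
    "marketing-site": "public",
}

# Step 2: map each role to the specific assets and actions it needs.
# Nothing is implied: an asset absent from a role's grants is denied.
ROLE_GRANTS = {
    "finance":   {"payroll-db": {"read", "write"}, "wiki": {"read"}},
    "sales":     {"customer-crm": {"read", "write"}, "wiki": {"read"}},
    "engineer":  {"source-repo": {"read", "write"}, "wiki": {"read", "write"}},
    "marketing": {"marketing-site": {"read", "write"}, "wiki": {"read"}},
}

# Step 3: verification requirements per tier, re-checked on every request
# (no "inside the network, therefore trusted" shortcut).
TIER_RULES = {
    "critical": {"mfa": True,  "managed_device": True,  "max_session_min": 30},
    "internal": {"mfa": True,  "managed_device": False, "max_session_min": 480},
    "public":   {"mfa": False, "managed_device": False, "max_session_min": 1440},
}


@dataclass
class Request:
    user: str
    role: str
    asset: str
    action: str
    mfa_verified: bool     # assumed to come from the identity provider
    managed_device: bool   # assumed to come from device management
    session_age_min: int


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(req: Request) -> Decision:
    """Evaluate one request. Every check must pass; the default is deny."""
    tier = ASSETS.get(req.asset)
    if tier is None:
        return Decision(False, f"unknown asset {req.asset!r}: not in inventory")
    grants = ROLE_GRANTS.get(req.role, {})
    if req.action not in grants.get(req.asset, set()):
        return Decision(False, f"role {req.role!r} has no {req.action} grant on {req.asset!r}")
    rules = TIER_RULES[tier]
    if rules["mfa"] and not req.mfa_verified:
        return Decision(False, f"{tier} asset requires MFA")
    if rules["managed_device"] and not req.managed_device:
        return Decision(False, f"{tier} asset requires a managed device")
    if req.session_age_min > rules["max_session_min"]:
        return Decision(False, f"session older than {rules['max_session_min']} min; re-authenticate")
    return Decision(True, f"{req.role} may {req.action} {req.asset} ({tier})")


def who_can_reach(tier: str) -> dict:
    """Answer the inventory question: which roles can touch assets of this tier?"""
    out = {}
    for role, grants in ROLE_GRANTS.items():
        assets = sorted(a for a in grants if ASSETS.get(a) == tier)
        if assets:
            out[role] = assets
    return out


if __name__ == "__main__":
    print("roles with critical-data access:", who_can_reach("critical"))
    # Constructed sample requests: the same person on a managed and an
    # unmanaged laptop, plus a role reaching for data it was never granted.
    for r in (
        Request("ana", "finance", "payroll-db", "read", True, True, 5),
        Request("ana", "finance", "payroll-db", "read", True, False, 5),
        Request("bob", "sales", "payroll-db", "read", True, True, 5),
        Request("dee", "marketing", "marketing-site", "read", False, False, 10),
    ):
        d = authorize(r)
        print("ALLOW" if d.allowed else "DENY ", r.user, "->", d.reason)
```

The ordering of the checks matters less than the fact that each one is independent and that the final `return` is the only path to an allow. `who_can_reach("critical")` is the report to produce first when deciding what to protect: if it lists more roles than you expected, trimming `ROLE_GRANTS` is the cheapest Zero Trust step available.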
No company, big or small, will achieve Zero Trust overnight. And right now, I don’t think any SMB truly can. But as an industry we are moving in the right direction. Tools are getting more powerful, and access to them is starting to get democratized. I believe that someday in the near future, SMBs will be able to roll out and maintain a Zero Trust posture, but the priority now must be identifying small, incremental gains that allow you to move in the right direction.