
Security-First Compliance for Small Businesses

Purchase the book from Amazon.



The year is 2017. A green-haired, tattooed, pierced mom sits in the back of an elementary school auditorium. After settling in, she begins chatting with another mom, and the two begin discussing their jobs. After a few conversations and emails, our green-haired heroine sets forth to speak to the senior leadership of this mid-sized company, in the area of $200M with about 30 employees. During the course of the presentation, the following conversation ensues:


Person: Well, it doesn’t matter. That vendor is too big to fail.

Heroine: That’s… not how it works.

Person: They’re way more important than we are. We don’t have to worry about their security. 

Heroine: That’s… not how any of this works.

Person: I don’t know why you think we need to worry about this. If something happens, it’s the vendor’s problem, and they’re too big to fail.

Heroine: Look, I don’t want to come out and say you’re wrong. But, really, you’re wrong. If the vendor has a breach, you’re responsible for not having done the appropriate monitoring. 


Cut to a few days later. The original mom has spent more than 40 hours on the phone with the Managed Services Provider (MSP) to understand their Microsoft landscape, learning that they’ve had 40 open user accounts for people who haven’t worked for the company, some for close to 18 months. 


Who am I? (Hint, not 24601)


As someone who spent the first 12 years of her post-law school career as an internal auditor for community banks, this experience didn’t surprise me. After passing the CT Bar in 2004, I turned to compliance. For 12 years, I worked with community bank c-suites, listening to their compliance challenges and, often, their complaints. The reality for those clients was similar to the reality that this mid-sized local business faced - limited resources at the financial and workforce levels. 


In 2016, I moved into cybersecurity, working as a freelance marketing content writer specializing in compliance. As a small business owner since 2004, I feel connected to the under-served small and mid-sized business (SMB) market. If you ask most cybersecurity vendors about their target demographic, they will automatically say “the enterprise level of 5000 employees or more.” Those logos may bring large account values and prestige, but targeting them often means that products fail to meet SMB needs. Further, SMBs often lack educational resources that understand and respond to their needs.


SMBs are different, and that’s ok


As a writer and educator, I wanted to create the resource that I felt many SMBs and future entrepreneurs need, because everyone deserves to have information presented in a meaningful way. The SMB with 500 employees faces different challenges from the enterprise organization with 500,000 employees. While the two face the same cyberattackers, they have different financial resources and IT environments.


For example, an SMB may have an Azure cloud environment with supporting Software-as-a-Service (SaaS) applications. Looking at research on SaaS trends, an SMB environment likely includes, at minimum:

  • Microsoft 365

  • Salesforce

  • LinkedIn

  • Docusign

  • Atlassian

  • Jira


Meanwhile, the enterprise organization may start with the same SaaS applications but also include:

  • Multi-cloud deployments

  • Hybrid cloud infrastructures

  • Additional SaaS applications

  • Homegrown applications

  • Legacy technologies


Both companies need to implement and maintain the same types of security activities, like multi-factor authentication. However, the tools and processes will be different because the way they define “complex environment” is different. 


Vendor-agnostic educational resources remain hard to find. More than anything else, I wanted to write an educational “Security First 101” course for business owners and business school students. The next generation of business leaders should focus on building data protection into their organizations from the beginning. 


The Best Bang for Your SMB Budget Buck


Security-First Compliance for Small Businesses focuses on giving definitions and basic background so that people making decisions can cut through the marketing noise and ask the right questions. As someone who spent 12 years teaching introductory college courses, I wanted it to be an easy-to-understand textbook that defined basic principles and regulations, giving a high-level overview of the cybersecurity tools that many companies purchase. 


However, the biggest security bang for the buck is implementing a strong Identity and Access Management (IAM) program and investing in centralized log management. Even if the SMB requires people to work on-location, the applications and resources are going to be reached over a WiFi connection. Very few organizations rely on people in an office being connected directly to the corporate network. In fact, very few workstations still have a wired connection to the local area network (think those old-fashioned cords with the little plastic ends that had the little plastic lever).


Most compliance mandates or frameworks require companies to assign access according to the “principle of least privilege,” meaning giving people the most precise amount of access to only the resources they need to do their jobs. In practice, managing access is extremely challenging, especially when people have various needs across different applications that all use different access terminology. 


Limit User Access


When onboarding a new employee or responding to a user access request, you want to understand:

  • Why the person needs access to a resource

  • Whether other people in the same job or department have or need access to the resource

  • Whether you should limit the amount of time the person has access based on a specific project or deliverable need


Implement and Enforce Multi-Factor Authentication (MFA)


MFA requires users to provide at least two of the following:

  • Something they know, like a passphrase

  • Something they have, like a token or smartphone

  • Something they are, like a fingerprint or face ID


While the best practice is to use an authentication app, like Google Authenticator or Microsoft Authenticator, text-message MFA is still better than no MFA.


Understand Who and What Normally Accesses Resources


While an SMB may not have the budget for an expensive, fancy user and entity behavior analytics (UEBA) tool, it still needs to understand what “normal” looks like. When you give users access to SaaS applications, you should understand how and when people use them.


As a baseline, you should know:

  • Which departments use the applications

  • Why they need access to the application

  • Which users need extra access to an application, like having the ability to make payments or see customer details

  • When users or departments use the applications


For example, your sales, marketing, and customer service teams may all use Salesforce. However, you should limit each team’s access within the application. Customer service needs access to the customer account and financial information to answer questions or provide support. However, sales may just need a primary contact and current contract details, not payment information. Marketing should have access to an email address but not the contract details or payment information. 
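The access questions from "Limit User Access" and the Salesforce split above, worked into code as an added example (not from the book): role templates say what peers in a department normally need, every grant carries its "why", and anything outside the template must be time-limited so it drops off on its own. Role names, permission names, users and dates are constructed for illustration.

```python
"""Least-privilege grants for a shared SaaS app, modelled on the Salesforce
split above (sales, marketing and customer service in one app).
Added example, not from the book: role names, permission names, users and
dates are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set, Tuple

# Role templates: what peers in the same department normally need.
ROLE_TEMPLATES = {
    "customer_service": {"account", "contact", "contract", "payment"},
    "sales": {"contact", "contract"},
    "marketing": {"contact_email"},
}

@dataclass
class Grant:
    user: str
    role: str
    permission: str
    justification: str              # the "why" behind the request
    expires: Optional[date] = None  # None: standing access tied to the role

@dataclass
class AccessRegistry:
    grants: List[Grant] = field(default_factory=list)

    def request(self, g: Grant, today: date) -> Tuple[bool, str]:
        """Approve if justified and either in the role template or, as an
        exception for a project, explicitly time-limited."""
        if not g.justification.strip():
            return False, "missing justification"
        if g.permission in ROLE_TEMPLATES.get(g.role, set()):
            self.grants.append(g)
            return True, "matches role template"
        if g.expires is None:
            return False, "outside role template and open-ended: needs review"
        if g.expires <= today:
            return False, "expiry must be in the future"
        self.grants.append(g)
        return True, f"exception granted until {g.expires.isoformat()}"

    def effective(self, user: str, today: date) -> Set[str]:
        """Permissions still valid today; expired exceptions drop off."""
        return {g.permission for g in self.grants
                if g.user == user and (g.expires is None or g.expires > today)}

    def expired(self, today: date) -> List[Grant]:
        """Time-limited grants past their date: the cleanup/recertification queue."""
        return [g for g in self.grants if g.expires is not None and g.expires <= today]
```

Running `expired()` on a schedule is the cheap version of the access review that would have caught the 40 open accounts from the story at the top.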


Invest in Centralized Log Management


While not an IAM tool, centralized log management helps you manage the monitoring. Log files record the activity across your systems and environment. Each technology records this activity in a different format, so when you rely on the vendor-supplied monitoring tools alone, you have no visibility into how the moving pieces all fit together.


Centralized log management takes these different formats, standardizes them, and applies analytics so that you can connect the dots. For example, too many failed user logon events followed immediately by a successful user logon can indicate cybercriminals gaining access with a brute force attack. 
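The normalize-then-correlate step described above, as an added example that is not from the book: two constructed log formats (a Windows-style logon event line and a syslog-style sshd line) are mapped onto one schema, and the "many failures, then a success" pattern is flagged per user and source address. Event IDs 4624/4625 are the real Windows logon success/failure IDs; the usernames, hosts and IP addresses are constructed.

```python
"""Centralized log management in miniature: normalize two vendor log formats
into one schema, then flag a burst of failed logons followed by a success.
Added example, not from the book; both formats, the usernames and the IPs
are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: Windows-style logon events and syslog-style sshd lines.
SAMPLE_LOGS = """\
2024-03-04T09:00:01 EventID=4625 TargetUserName=jdoe IpAddress=198.51.100.7
2024-03-04T09:00:03 EventID=4625 TargetUserName=jdoe IpAddress=198.51.100.7
2024-03-04T09:00:05 EventID=4625 TargetUserName=jdoe IpAddress=198.51.100.7
2024-03-04T09:00:08 EventID=4624 TargetUserName=jdoe IpAddress=198.51.100.7
Mar  4 09:05:10 vpn01 sshd[812]: Failed password for asmith from 203.0.113.9
Mar  4 09:05:40 vpn01 sshd[812]: Accepted password for asmith from 203.0.113.9
"""

WIN = re.compile(r"^(\S+) EventID=(4624|4625) TargetUserName=(\S+) IpAddress=(\S+)")
SSH = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                 r"(Failed|Accepted) password for (\S+) from (\S+)")

def normalize(line, year=2024):
    """Map either format onto one tuple: (time, user, src_ip, success)."""
    m = WIN.match(line)
    if m:
        return datetime.fromisoformat(m.group(1)), m.group(3), m.group(4), m.group(2) == "4624"
    m = SSH.match(line)
    if m:  # syslog lines carry no year, so one is supplied
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        return ts, m.group(3), m.group(4), m.group(2) == "Accepted"
    return None  # unknown format: route to a parse-failure queue, never drop silently

def detect_bruteforce(lines, threshold=3, window=timedelta(minutes=5)):
    """Return (user, src_ip) pairs with >= threshold failures inside `window`
    immediately followed by a success from the same user and source."""
    events = sorted(e for e in map(normalize, lines) if e is not None)
    failures = defaultdict(list)
    hits = []
    for ts, user, ip, success in events:
        key = (user, ip)
        if not success:
            failures[key].append(ts)
            continue
        recent = [t for t in failures[key] if ts - t <= window]
        if len(recent) >= threshold:
            hits.append(key)
        failures[key].clear()  # a success resets the window either way
    return hits
```

Only the Windows user trips the rule with the default threshold; the single sshd failure before a success is ordinary typo noise, which is exactly the distinction a threshold and window give you.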


Digital Trust and Creating Sustainable Digital Ecosystems


Compliance is - and has always been - the stick used to force companies to do things they hate doing. Incentivizing good security practices would be far more effective than punishing poor cyber hygiene. After all, any organization can choose to “accept” a risk and leave an opening for cyberattackers. However, incentivizing security requires spending money, while punishing poor cyber hygiene brings in money. In the end, the economics don’t work. 


Meanwhile, cybercriminals are financially incentivized to stay ahead of corporate data protection best practices. For every new application or device you connect to your organization’s network, attackers are financially motivated to collaborate and find a way to compromise it. A few years ago, the main risks were SaaS applications, especially as organizations rapidly moved to remote business models during the COVID pandemic lockdowns. Today, we see attackers increasingly targeting Internet of Things (IoT) devices and software supply chains. 


The key theme throughout Security-First Compliance for Small Businesses is the idea of building security into business systems so that they become sustainable for the long term and drive customer digital trust. When SMBs focus on how data protection enables their revenue streams and where compliance fits into those goals, they can justify the costs. Today’s customers - both businesses and consumers - do care about data protection. Whether an organization is business-to-business (B2B) or business-to-consumer (B2C), the buyers are still people making decisions, people who increasingly care about how well organizations manage security and privacy. 


Just like the coral reef consists of highly connected, symbiotic organisms, digital ecosystems consist of highly interconnected, symbiotic technologies. For example, if you connect your Salesforce to Docusign to make signing and managing contracts easier, the two technologies support each other. If cybercriminals compromise your Salesforce deployment, they can undermine your Docusign deployment’s security. 


To build digital trust, you should architect systems around security and privacy. Just as we focus on sustainability in the physical ecosystem, we should implement it across the digital one. Governments, regulatory agencies, and industry-focused organizations will continue to create new compliance mandates, standards, and frameworks. However, their bureaucratic nature will always keep them behind the fast-moving threat landscape, leaving them outdated before they’re even finalized. 


For SMBs, compliance may be an end-goal, but security should always come first. As data protection best practices continue to shift and evolve, SMBs should start by securing their systems, documenting their activities, and engaging in regular gap assessments to find areas of improvement. By doing this, they have the opportunity to prove to customers that they take security seriously, building digital trust, cybersustainable systems, and revenue.
