Small Business & Big Threats: Protecting Your SMEs Against Cybersecurity Threats

Small and medium-sized enterprises (SMEs) are significant and influential in our global economy. Per the World Bank Group, SMEs represent about 90 percent of all businesses and account for more than 50 percent of worldwide employment. Due in large part to the sheer volume of potential targets, combined with the higher likelihood of less-robust cybersecurity infrastructure compared to major corporations, SMEs have become much more common and attractive targets for damaging and disruptive cyberattacks. For companies of all sizes and within virtually every professional industry, it’s imperative to understand the role cybersecurity plays in the private sector.

Ensuring Safety & Cybersecurity in the Cloud

Being in the cloud doesn’t mean your data is automatically secure. With a growing number of small and mid-size companies steadily running more of their operations through public clouds every year, many are more reliant than ever on the cybersecurity capabilities of their cloud service providers (CSPs).

Cloud cybersecurity can be complex. With wide-ranging capabilities across public, private, and hybrid offerings for various software, infrastructure, and platforms “as a service” solutions, partnerships with CSPs can significantly assist SMEs in growing their businesses and protecting their assets.

However, finding a trusted partner is paramount. To navigate a crowded landscape and evaluate CSPs on their cybersecurity posture, consider asking the following questions:

  • What’s their reputation?
    Seek out independent reviews, and ask the CSP to provide customer testimonials or current clients you may contact. Talking to an existing customer can help you gauge their confidence in the provider and gain insight into customer service, support, and response rates.
  • Have their controls and storage solutions been independently assessed? What certifications do they have?
    They should be able to provide a summary of independent assessments confirming that they comply with any applicable regulations and maintain the necessary certifications.
  • What security systems do they have in place?
    How does the provider secure its hardware to the cloud? How do they encrypt data stored there? Do they include cloud monitoring capabilities, allow single sign-on, or support multi-factor authentication?
  • Who is responsible for what cybersecurity tasks?
    Because the CSP manages the cloud, it should be responsible for most, if not all, of the platform’s security tasks. However, providers typically expect client companies to carry out some security responsibilities themselves, such as preventing internal incidents or breaches that originate on the customer’s side. Ask any prospective provider to spell out everything they will perform and which tasks you will remain responsible for.
  • How will they notify you of cybersecurity incidents or data breaches?
    Even with the proper cybersecurity systems in place, breaches can happen. A provider should promptly notify you of any security breach in their data centers and remedy it immediately, even if your data is not at risk. In cases where your data is affected, providers should outline steps they will take to secure it until they can contain the breach.

Educating Employees to be an Effective First Line of Cyber Defense

Malicious cybercriminals launching targeted attacks aren’t the only cybersecurity threat organizations must worry about. A lack of thorough employee training can turn any company’s well-meaning workers into unintentional insider threats.

While small and mid-size enterprises are correct to safeguard themselves against external attacks from maliciously minded hackers and greedy cybercriminals, it’s easy to overlook the potential threats looming within their own organizations.

Negligent employees who simply don’t know better can cause unintentional damage, expose data accidentally, and be the root cause of insider incidents. In its 2022 Cost of Insider Threats Global Report, the Ponemon Institute surveyed more than 1,000 IT and cybersecurity personnel—with 57 percent responding that insider incidents involved employees’ inadvertent or accidental behavior.

The report identifies five signs that an organization is at unnecessary risk:

  • Employees are not trained to fully understand and apply laws, mandates, or regulatory requirements related to their work, which affects the organization’s security.
  • Employees are unaware of the steps they should take to ensure that the devices they use—both company-issued and personal—are always secured.
  • Employees are sending highly confidential data to an unsecured location in the cloud, exposing the organization to risk.
  • Employees break company security policies to simplify tasks.
  • Employees expose your organization to risk if they do not always keep devices and services patched and upgraded to the latest versions.

Comprehensive and company-wide cybersecurity training can significantly increase an SME’s defenses against cyber threats. Areas of focus such as password strength, recognizing and avoiding phishing attempts, and proper device security should be mainstays of ongoing employee training efforts.


Mitigating Risks Through a Cybersecurity-Aware Company Culture

Dedicated infrastructure, tools, training, and personnel are all critical parts of an SME’s cybersecurity equation. However, implementing a strong, active, and informed overall company culture of cybersecurity plays a crucial role in the entire organization’s security posture at every level.

Business leaders and their employees can’t afford to brush off cybersecurity efforts or think of them as solely the IT department’s responsibility. Basic cybersecurity skills—such as safe and strong password usage, spotting social-engineering phishing attempts, or understanding multi-factor authentication, for example—don’t require advanced technical computing skills. Emphasizing basic precautions across the board, throughout every level of an organization, should be a core business-strategy element for nurturing a culture of commitment to cybersecurity.

According to Cybersecurity at MIT Sloan, an interdisciplinary consortium for improving critical cybersecurity infrastructure, more mature organizations reinforce their cybersecurity culture at three levels:

  • Leadership Level: CEOs talk about security in all-hands meetings, and management clarifies to everyone that it’s an intrinsic part of the company values. Along with cyber-focused executives, executives in non-cyber roles are noticeably aligned with cybersecurity missions and goals and display proper actions and behaviors to their subordinates.
  • Group Level: Cybersecurity topics and issues begin to permeate relevant discussions between employees and affect how they work together. Meetings include more discussion of cybersecurity-related topics, and even non-technical groups seek advice and guidance on operating more securely. Group-level activities show that cybersecurity is important to the team, driving better and more-secure behaviors and interactions daily.
  • Individual Level: Employees gain a general, heightened awareness of possible threats and cyber incidents in their day-to-day work. More importantly, they feel empowered to take individual action and know how to respond in the event of an incident.


Planning an Effective, Efficient Cyber Threat Response

“Failing to plan is planning to fail.” Cybersecurity incident response plans are essential for SMEs who can face catastrophic losses or even be driven out of business by a sophisticated and targeted attack. Creating a clear, focused, and easy-to-follow incident response plan is critical.

While large organizations typically have full-time, on-site dedicated cybersecurity teams, SMEs often rely on one individual, a small team, or a managed third-party cybersecurity and threat response contractor. Regardless of organization size, the main goal of any cybersecurity incident response is to limit the damage done or systems compromised within an IT environment in the wake of a cyberattack or data breach and restore full operations as quickly as possible.

A successful and effective incident response begins as a proactive, not reactive, process. Improving response capabilities relies on sufficient planning—the Swiss Cyber Institute lays out four steps for responding to a cybersecurity incident:

  1. Identify the Incident: For many organizations, this can be the most challenging part of the process. While some incidents are easy to spot, others are very difficult to detect.
  2. Examine the Situation & Determine Objectives: As soon as a cybersecurity incident has been identified, objectives for immediate response activities should be determined. Questions that may need to be answered can include:
    • What networks or assets have been corrupted?
    • What is the scope of the incident or attack?
    • What information has been stolen?
    • What potential impact does the attack have?
  3. Take Necessary Action: This critical step involves containing the incident’s damage, keeping it from spreading, and minimizing its immediate impact. The main objective is to return to normal, full functionality as soon as possible.
  4. Recover Systems & Information: The last step is to restore all systems to normal operations. Make sure every trace of the incident has been eradicated, and conduct thorough penetration testing to ensure sophisticated cybercriminals can’t repeat the attack or carry out further ones.


The Ongoing Process of PCI DSS Compliance

Like any aspect of cybersecurity, Payment Card Industry Data Security Standards (PCI DSS) compliance is an ongoing, continuous process. Non-compliance can lead to data breaches causing costly financial losses, priceless loss of consumer trust, and a damaged reputation.

Updates are regularly published by the PCI Security Standards Council, which spotlights four ongoing steps to protecting payment account data with PCI DSS and what they entail for compliant SMEs:

  • Assess: Identifying all locations of payment account data, taking an inventory of all IT assets and business processes associated with payment processing, analyzing them for vulnerabilities that could expose payment account data, implementing or updating necessary controls, and undergoing a formal PCI DSS assessment.
  • Remediate: Identifying and addressing any gaps in security controls, fixing identified vulnerabilities, securely removing any unnecessary payment data storage, and implementing secure business processes.
  • Report: Documenting assessment and remediation details, and submitting compliance reports to the compliance-accepting entity (typically an acquiring bank or payment brands).
  • Monitor & Maintain: Confirming that security controls put in place to secure the payment account data and environment continue to function effectively and properly throughout the year. These “business-as-usual” processes should be implemented as part of an entity’s overall security strategy to help ensure protection on an ongoing basis.

Best Practices for PCI DSS Compliance

PCI DSS compliance can be complex, prompting major changes in an SME’s security perspective, culture, and ideology or requiring the adoption of many new cybersecurity tools and solutions. The following steps are best practices organizations should employ to effectively implement and maintain PCI DSS compliance:

  • Determine—and Minimize—Your Scope of Compliance: Begin by identifying all infrastructure in your organization for storing, processing, and transmitting cardholder data, defining all payment channels, locations, and data streams. Minimizing your scope of necessary compliance coverage is crucial in streamlining and speeding up the implementation of PCI requirements. Network segmentation or tokenization methods can help narrow the necessary scope of PCI compliance coverage, minimizing an SME’s overall cardholder data environment (CDE).
  • Separate Cardholder Data From Other Business Data: Segmenting consumer cardholder data from the rest of an organization’s standard business data protects it better and also helps limit the scope of a PCI audit. Cardholder data must be encrypted or masked as soon as it enters your payment platform, so that it stays protected when not in use and remains siloed if other portions of the organization’s network are breached.
  • Scan & Test Early & Often: If required to perform quarterly scans, use an approved scanning vendor (ASV) early in the quarter in order to give your team ample time to fix any issues or address any discovered vulnerabilities. Annual penetration testing is also among some companies’ PCI compliance requirements, and when performed more regularly it can alert organizations to small, seemingly unimportant details that could become big threats or vulnerabilities for a CDE. Never overlook issues arising from security testing; take quick action to identify their causes, and retain all records generated during the process for any future audits or risk assessments.
  • Continue Regular Risk Assessments: The PCI DSS emphasizes the importance of conducting risk assessments on a regular basis to better understand an organization’s likelihood of a breach or cyberattack and the extent of possible damage, in order to determine whether additional data protection measures are necessary.

The Cost of Non-Compliance

Failure to comply with the PCI DSS can be costly. The payment brands can levy exorbitant fines against the bank or financial institution that processes an offender’s card transactions. These penalties are often passed on from the banks to the merchant company or service provider, and can cost $5,000 to $100,000 per month depending on the severity of the non-compliance violations.

The more an SME adheres to compliance standards, the less costly a potential breach will be: IBM’s 2022 Cost of a Data Breach Report highlights that there’s roughly a 50% difference in the total cost of a breach between organizations with high levels of compliance vs. those with low to non-compliance.
