Conventional wisdom would have us believe that only large enterprises excel at cybersecurity.
But small-to-medium-sized businesses can keep up with their bigger cousins — and with their agility and resourcefulness can even outperform in some areas, like aligning cybersecurity strategies with the business side.
This was a key finding in Cisco’s 2021 SMB Security Outcomes Study. And last week an episode of CiscoChat Live! picked up the theme.
In a session moderated by Hazel Burton, Cisco Secure Product Marketing and Thought Leadership Manager, security experts shared some of the strategies that successful SMBs are employing — and what others, large and small, can learn from them.
Burton began with a question for Wolfgang Goerlich, a Cisco Advisory CISO, about some of the SMB security advantages that emerged in the Cisco study, which included responses from more than 850 small-and-medium-sized organizations.
“In our study,” Goerlich answered, “we highlight a couple of things that small- and mid-sized businesses do better than their larger counterparts. And what we found is that these small and medium businesses were better at enabling and keeping up with the business. And some were good at operating efficiently. That last one probably makes sense, because if you have a small business, you don’t have much, but you have to make the most of what you have.”
Smaller businesses often contend with smaller security budgets. But the best ones learn to thrive with limited resources. Mike Storm, a Cisco Distinguished Cybersecurity Engineer, shared a good starting point.
“Well, everybody has budget issues,” Storm explained. “But I think first and foremost, having a strategy is paramount … Go after the elements that are going to be targeted first. Still today, email is the number one transport vector for threats, and endpoints are the number one target. So, if that’s all your budget allows at least have a strategy to begin there. And then expand with some of the more complex network capabilities.”
Other SMBs are looking to solutions like automation to speed their growth. Tazin Khan, CEO and founder of Cyber Collective, with some thoughts on the key goals of small businesses today.
“I do think that there are some trends that we can see across the board,” she said. “The key goals are increasing revenue, reducing expenses, operationalizing, and automating a lot of the operational tasks that exist within a business. … I think that most small businesses are focused on the future. And just within the community that I’m a part of, in the spaces of a lot of women-owned businesses and people-of-color owned businesses, I think everyone is just trying to navigate the space, to gain accessibility and more access to equity.”
From ‘department of no’ to business enabler
Security has too often been saddled with the title “department of no” and viewed as an impediment to growth, innovation, and new ideas. But Omar Zarabi, president of Port53, shared how smart security leaders can present security as a competitive advantage.
“Take the conversation away from the technical aspects when you’re talking to your board members, CEOs, or executive buyers,” he said, “and align it to what they care about. How’s it going to impact the bottom line? How’s it going to increase revenue, decrease costs, win more business, or become more compliant? Having that conversation with your executive team is absolutely essential.”
It would be nice to assume that our security measures are impregnable. But in the real world, everyone will be attacked sooner or later. How, Goerlich was asked, can businesses plan for a breach and lessen the damage if it occurs?
“One of the winning strategies that I see with security leaders and security teams,” he said, “is using resilience to build the business case. Because resilience starts with saying, we have all of this technology, what does it mean to the business? What is this piece of equipment and that person doing to enable our organization to meet its goals. And from there, do an impact analysis. How much money would we lose if the service isn’t available or this person couldn't contribute?”
“When you think about security,” Goerlich added, “it’s oftentimes ‘let's go tackle this one tool,’ but I would encourage everyone to be honest from a continuity and recovery lens, before building a strategy.”
Small but mighty — securing the future for SMBs
Overall, there was a sense of optimism in the discussion — as we enter the post pandemic era and for what smaller businesses can accomplish, especially with cloud-based solutions and flexible subscription models.
“The big shift that’s happened in technology is the cloud,” said Omar Zarabi. “It is allowing us as vendors and partners to deliver services in an elastic model. So, the power of the cloud with security solutions is that you, as a small business, don't have to go out and build that solution yourself. And that’s how we’re able to deliver enterprise-grade security and protection, like Cisco Umbrella, to a 10-person shop, or 200-person company.”
With access to such tools, Tazin Khan believes, SMBs can be more proactive, as opposed to just waiting for an attack to occur.
“A main security focus I’m seeing is being more on the offense versus on the defense with security,” she said. “You’re seeing a lot of tools and products come out. And I think it’s positioning organizations to say things like, okay, how do we defend ourselves to stop attacks from happening?”
This democratization of security is only part of what’s driving optimism for SMBs. Mike Storm finished with a few thoughts on the higher awareness around security — and how that bodes for a better future.
“The biggest security trend that I’m seeing is awareness,” Storm said. “This has changed drastically over the last three years. There was almost no awareness whatsoever of vulnerability at the small-company level. And I think that awareness leads to a desire to work with Cisco, Cisco partners, or someone like that— because I am vulnerable. And the data that I have is just as important as the data at some of the largest companies in the world, and I’ve got to keep it protected.”
To learn more and read the report, visit 2021 Security Outcomes Study for SMBs.