Building SMB Security Programs
A few weeks ago an article came into my feed from Inc. that spoke about helping SMBs build a security program. @JamesAzar shared the article asking for comment on what security executives thought. I read the article and commented on what I believe is a smarter approach. Below I will build on my initial comments in the hope that I can influence how we approach SMBs when discussing security. Here is a link to the original article: https://www.inc.com/neill-feather/this-5-step-cybersecurity-plan-is-simple-to-build-and-its-virtually-foolproof.html
Listen. If you want to partner with a small or medium business to build security, it starts with listening. Sit down with the business owner. Ask the owner to talk about his/her business. Ask about their story. Talk about their business's challenges. Put on their shoes and walk a mile with them.
Ask about their business plan or roadmap. Ask them about the technology they use. What partners/vendors do they rely on to run the business? Web site? Web store? Email? File shares? Where is their data stored and, most important, where is their IP stored? Then ask whether they have a part-time IT resource, an on-call person, or a jack-of-all-trades internally.
Ask them how long and hard it was to get to this stage in their business. Compliment them for sticking to it.
Armed with all of the above information from listening to their story, then talk about how many days they can be down or offline before their business fails. Tell them how many SMBs close their doors after breaches. Discuss the business impact, fines, reputational damage, legal woes and financial issues that are incurred due to a breach or malware attack. Then, when that sets in, start talking about awareness of threats in their industry and their business.
Work from here to suggest steps for reducing risk and building stronger security hygiene. Then pair them with local infosec folks from your tribe who offer pro bono consulting, or work with security mentors who have signed up with Hackers for Charity to guide them.
Technology is not the answer. Buying a security tool or service is not their first step. The first step should be more conversation. Help the owner and business understand threats as if they were a tough competitor. Then help them improve their processes and their employees' awareness of these threats. Help them understand their technology, architecture and the flow of data. Discuss patching and hardening, and explain that the basics of patching and hardening are the foundation that keeps them more secure. Hopefully more secure than their competitors. Help them make smart and affordable investments to secure their business against a “hostile takeover”.
For a small business, how many have IT teams or the ability to set up a WAF or web tools and maintain them? I mean, really? Setting up a Web Application Firewall, SIEM or SOC is beyond small businesses and most medium businesses. A small business needs community partners that can help it thrive and survive. For most small businesses, patching/hardening, AV, a firewall and secure Wi-Fi will be a full plate.
Listen, be patient and offer to help. Educate. Help them develop a checklist of activities they can do. Find some peers who can check in on them several times a year and help them. Local communities are ripe with talent, most of whom are in security for the love of making a difference and turning the tide.
Eventually, they will invest in their own security, once they see what they can do to keep their business secure and thriving and realize the competitive edge they get.
Heck, you may even learn something in the process! Something about business, marketing and finance that may aid you in your infosec career!
Great stuff! Thanks for the article, Don P.