The sudden move to telework this year forced small and medium-sized businesses (SMBs) into a challenging new reality. Many of these organizations found it hard to focus on keeping their businesses afloat, their personnel employed, and their data and systems protected. During these trying times, the need for cybersecurity became evident.
How are SMBs reacting to these new work-related challenges to ensure security and business continuity? To find out, we at Cisco asked security executives, thought leaders, and other experts to share their thoughts. Here’s what they had to say…
There are many challenges to tackle. We need greater control at the endpoint and edge. We need more visibility into all devices, regardless of company-provided or BYOD or on-premise or cloud instances. Finally, in the longer term, organizations need to strengthen and enhance their capabilities in business continuity and incident response. By placing the emphasis on flexibility and response, organizations can deal with the current challenges while preparing for future ones.
Small businesses are likely to see many challenges in the areas of budgets and the governance side of security. SMBs are often trying to do more with less, especially when it comes to where to allocate funds. In relation to cyber and information security, do they invest more in internal programs to prevent, detect, monitor and alert on security events and incidents (which of course will have associated costs to people resources), outsource these activities, or perhaps embrace a hybrid approach? It comes down to identifying their most critical assets (physical, logical, even people and processes) and prioritizing the protection based on criticality. This is where business impact analysis (BIA) and risk assessment can be extremely beneficial before jumping the gun and deploying funds and resources in areas that may not result in ROI or achieve the “biggest bang for the buck” in risk treatment (potentially resulting in the risk mitigation activity costing more than if the risk were realized, for example).
Tips? Start small. Start with that BIA and risk identification process to drive informed decisions when it comes to IT and security. Having a dedicated resource to manage and champion this internally, liaise with appropriate stakeholders, and keep analysis and recommendations current and aligned to business goals and objectives will help to save a lot of headaches down the road and misallocation of resources.
Our business adapted quickly to the onset of the pandemic. Thanks to embracing cloud productivity tools and public cloud infrastructure along with a business continuity plan that equipped all employees with laptops by default, we were well positioned technologically to go 100% remote.
Our gap, and one we’ve seen for many organizations, was in comprehensive training to explain to our team how to work remotely safely. We created a new course using our tool that covered all relevant topics such as expectations for keeping personal devices used for work up-to-date, guidance on securing home Wi-Fi, as well as discussions on when it’s okay and not okay to print documents at home. Most importantly, the training wasn’t generic tips or best practices; it was easy to make specific to our policies and standards.
Far too often, the conversations around security awareness revolve around phishing simulations or a giant catalogue of generic computer-based training. The conversation that’s needed now in this pandemic is relevant materials that are contextual to the organization and ideally tailored to the individual.
Before the global shutdown, the changes, the duties, and the shifting operation model (on-prem to cloud) led us to say that these times were extraordinary for the CISO. Now add the work-from-home requirement, and I lack an appropriate description for the CISO. Apocalyptic, maybe?
I am certain we will see regulatory requirements for a pandemic preparedness response forthcoming. The regulatory approach will lag; we need to be more proactive and plan now, but the analysis should not come in the form of specific incidents (e.g., pandemic, earthquake, and other natural disasters; denial of service attack; ransomware). We need to plan on resilience based on business needs. Business and technology resiliency should not be addressed in a traditional form of business continuity and disaster recovery, but in terms of an incident negatively impacting critical information, systems, and other corporate assets for no longer (or not at all as in complete redundancy) than the business has determined.
Figuring out what kinds of attacks we will see in the 2020s that will challenge our ability to RECOVER and have the potential to cause IRREVERSIBLE harm is, in my opinion, our top challenge.
The following are some things that still need to be addressed:
The CISO is much more than the security expert. Today’s CISO is a strategist, master influencer, and arbitrator, and they are skilled with budgets, business processes, and HR issues. As we restart our digital transformation journey for the rest of this year and beyond, leadership, preparedness, and vision will be more important than ever before.
The biggest piece of advice that I could provide to small businesses would be to implement a cybersecurity framework and methodology very early into your business. If you’ve been in business for a long time, do it now. It’s never too late, and it’s probably something inevitable – especially if your business continues to do well and acquire a lot of revenue. You can visit nist.gov. They actually have a page specifically for small businesses. That would be https://www.nist.gov/itl/smallbusinesscyber. They teach you the cybersecurity basics. They go through different planning that you can do as well as guidance around the topic and implementation.
In congruence with that, I recommend that you work with vetted cybersecurity professionals. I think that it is a really big task to learn about cybersecurity as well as different laws and regulations on your own. There’s a lot that goes into it. Definitely work with an organization or an individual who can help to consult and implement a solid framework that works for what you do. There are lots of different frameworks that you can implement into your organization as well as methodologies that you can leverage. Having someone knowledgeable in that is going to 100% benefit you in the now and the long term.
We are experiencing a fundamental shift in the way we work where employees work from anywhere at any time and on any device. As such, embracing the digital transformation is no longer optional but an imperative.
To provide security at scale, organizations will require greater visibility to know what to protect, and the ability to automate key security workflows like threat investigation, hunting, and remediation. There must also be a shift in the culture where employees are seen as central to a company’s security strategy. This means creating a well-informed workforce and educating them to potential threats like phishing schemes and equipping them with technology that seamlessly fits into the way they work.
While we’re dealing with extraordinary times, it’s important to recognize that security cannot simply stop. In a bid to keep going and move forward as best we can, we need to consider how to do that with security in mind.
Let’s look at security awareness, for example. Organizations that had face-to-face awareness sessions planned may be tempted to postpone them until things “get back to normal.”
Rather than doing that and losing the opportunity to raise awareness, I would encourage organizations to get creative and think about how they can run virtual events and activities to keep security on people’s minds. Given the rise in phishing emails we have seen connected to COVID-19, specifically, it’s important that we adapt and evolve to meet the circumstances we find ourselves in. It’s better than allowing a vacuum to form, as cyber criminals could then exploit it.
The need for the digital transformation is becoming clear as the current pandemic is accelerating existing business and technology trends. Despite market uncertainty and tightening budgets, many companies are seeing improved productivity and cost savings through embracing remote working and cloud computing.
They are recognizing the value of being able to scale up and down the capacity based on customer demand, and they are paying for only what they use rather than maintaining their own data centers. Supporting staff and trusting them to do the right thing also pays off.
As we continue to change our way of work, it is important that organizations of all sizes not only adopt and implement technology solutions that can be accessed from anywhere and any device, but also understand that adopting these new technologies will require looking at cybersecurity in a new light. Historically, when employees came into the office and business resources were all on-prem or hosted in private data centers, the foundation of security was the firewall and protecting the perimeter.
Now with employees working from anywhere as well as accessing corporate information and data hosted across the world, it is absolutely essential to realize that although firewalls are still important, the foundation of security has shifted to the identity and the connection. Being able to ensure the secure connection to proper applications and data, not to mention forcing authentication at every turn (zero trust implementation), is going to be absolutely critical in protecting this new way of work.
Luckily for SMB organizations, more and more cybersecurity solutions are leveraging the cloud as a delivery mechanism. This will enable smaller organizations to not only implement proper solutions at an affordable, per-consumption model; it will also allow resource-restrained IT teams to build and manage a holistic, integrated, and proactive security stack without needing the engineering acumen in-house to do so.
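The shift described above, from trusting the network perimeter to authenticating the identity on every connection, is easier to see in code. The following is an added example written for this post, not code from Cisco or from the quoted expert: it contrasts a legacy decision that trusts any request from an "internal" address with a zero-trust decision that requires a valid, unexpired identity token on every request and then checks that identity against a per-application allow list. The token format, the shared secret, the allow list and the sample requests are all constructed for illustration.

```python
"""Added example (not from the original post): a minimal per-request
authorization check in the zero-trust style, where every request is
authenticated on its own merits rather than trusted because it arrives from
an 'internal' network address. Token format, secret, allow list and sample
requests are constructed for illustration only."""
import hashlib
import hmac
from typing import Optional

# Constructed secret; in practice this comes from a secrets store, never source code.
SECRET = b"example-shared-secret"


def mint_token(user: str, expires_at: int) -> str:
    """Issue a token of the form 'user.expiry.signature' (HMAC-SHA256, hex)."""
    msg = f"{user}.{expires_at}".encode()
    sig = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return f"{user}.{expires_at}.{sig}"


def verify_token(token: str, now: int) -> Optional[str]:
    """Return the user name if the token is authentic and unexpired, else None."""
    try:
        user, exp_str, sig = token.split(".")
        expires_at = int(exp_str)
    except ValueError:
        return None  # malformed token: deny
    expected = hmac.new(SECRET, f"{user}.{expires_at}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a tampered signature cannot be guessed byte by byte.
    if not hmac.compare_digest(sig, expected):
        return None
    if now >= expires_at:
        return None  # expired: deny
    return user


# Constructed allow list: which identities may reach which application.
ALLOWED = {"payroll": {"alice"}, "wiki": {"alice", "bob"}}


def perimeter_decision(request: dict) -> bool:
    """Legacy model: anything originating inside the office network is trusted."""
    return request["src_ip"].startswith("10.")


def zero_trust_decision(request: dict, now: int) -> bool:
    """Zero-trust model: every request must carry a valid identity, and that
    identity must be allowed for the requested application, regardless of
    the source address."""
    user = verify_token(request.get("token", ""), now)
    if user is None:
        return False
    return user in ALLOWED.get(request["app"], set())


if __name__ == "__main__":
    now = 1_000_000
    inside_no_token = {"src_ip": "10.0.0.5", "app": "payroll", "token": ""}
    outside_alice = {"src_ip": "203.0.113.9", "app": "payroll",
                     "token": mint_token("alice", now + 60)}
    print("perimeter, inside, no identity:", perimeter_decision(inside_no_token))
    print("zero trust, inside, no identity:", zero_trust_decision(inside_no_token, now))
    print("zero trust, outside, alice     :", zero_trust_decision(outside_alice, now))
```

The point of the contrast is the first two lines of output: the perimeter model admits an unauthenticated request simply because it came from an office address, while the zero-trust model denies it and instead admits a properly authenticated user from anywhere, which is exactly the property a remote workforce needs.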
I think the best tip I can share is this: Don’t assume you need tech. If physically seeing a paper test result and not writing that down will serve your purpose, why build apps or put in temperature checkpoints that only ever catch a subset of those infected folks and a subset of others who are warm for any number of reasons? Not to mention the burden of protecting sensitive data if it gets anywhere near anything that could identify staff.
Never put any measure in place if you haven’t planned and resourced for what has to happen next. What do you practically do if folks get told to work at home again, if they are sent for a test, or if you need to deal with traced contacts?
Don’t try to piggyback other purposes, e.g., evolving special COVID measures into permanent biometric access control. Now is not the time to push that through. No one has headspace to do that justice. It’s always a potentially high risk that requires robust due diligence, so save it until the dust settles.
Plan to roll back COVID-specific things and delete data. That should be your baseline position for everything right now, with the likely exception of remote work. Being very explicit about the intent to do that and following through will build huge trust for future discussions about data use.
The work-from-home mandate made my manager even busier! Even though I’m fine with conducting meetings remotely, it actually got harder to meet because of his increasingly hectic schedule. Since so much was done in the office with drive-bys and all of those 5- to 10-minute conversations, now EVERYTHING was sent his way by IM or email or phone call – simultaneously! In response, we had to be extra flexible and have more and shorter meetings to review and address things to keep moving business and security things forward.
On the people/morale side of things, one of our team leads set up a daily Monday-Friday remote meeting. He called it, “Reason to put pants on,” so that made it funnier. It’s a time just to talk and decompress with no judgment. Even our manager was on. People need to communicate at some level regardless of personality. And absent the usual office interactions, this call was the way to keep people connected on a personal level. It wasn’t necessary to attend. It wasn’t mandated to turn on the camera. But the attendees could share what was going on, share their screen for something they or their kids did, use their phone to show their backyard project.
Whatever it might be, people could attend and share at their own comfort level. People need to hear other people, and they need to see faces. A team still needs cohesion when working remotely, and the pandemic response required us to move beyond the haphazard in-house meetings to purposeful and planned meetings.
Small and medium-sized businesses juggled numerous challenges while shifting to remote work. You can hear more advice from infosec leaders on how SMBs can bolster their security programs during these extraordinary times in the clip below.
This is a series of blogs sharing insights into how organizations are adapting their cybersecurity strategies during these extraordinary times. Other blogs in the series include: Experiences from Cybersecurity Leaders in Extraordinary Times: Adjustments and Outcomes; Adapting to a New Way of Working in 2020; and Investing in Your Cybersecurity Program During Extraordinary Times.