How small business owners can reassess their cybersecurity strategies during economic downturns
The economic headwinds are blowing, and that has a lot of people nervous, not the least of whom are small business (SMB) owners across the country. With talk of recession in the air, SMB owners and their investors are paying extra attention to their bottom lines to maintain efficiency and innovation while managing costs. In many cases budgets are being squeezed, body counts are being leveled or reduced, and programs thought to be outside the core function of the enterprise are being slashed. It is unfortunate, however, that cybersecurity is often among the programs on the chopping block as it is perceived to be a less-than-essential expense.
As a former (and current) small business owner whose previous business was decimated by a malicious cyber-attack, I can attest to the short-sightedness of the belief that cybersecurity is an add-on, not a must-have.
Keep in mind that during economic downturns, security risks can actually increase as downsizing occurs and employees become anxious and distracted as they worry about the company’s future. This may lower their defensive posture, creating greater opportunities for cyber criminals, and increase their incentive to engage in nefarious activities. To address these concerns, SMB executives should consider consolidating and improving their security capabilities to as great an extent as possible considering the circumstances.
Reassess Security Risks, Priorities, and Capabilities
To begin, companies need to reassess those risks that may be exploited during times of staffing and budgetary contractions. For example, they need to consider prioritizing efforts on ensuring that laid off employees no longer have access to critical systems or proprietary information as well as reducing the potential of internal fraud or theft. They also need to augment efforts to communicate the importance of cyber-vigilance throughout the organization. It my experience, the more communication the better. Keeping people informed and engaged is one of the most effective ways to keep them focused and reassure them they are valuable members of your team.
Executives should also assess their organization’s overarching security capabilities to determine areas for improvement and consolidation. This involves evaluating their security processes, policies, and technologies and reviewing their security team's capabilities and performance. This assessment will help executives identify gaps, overlaps in capabilities, and inefficiencies in their security operations to develop the right plan to improve and consolidate their security capabilities. The assessment may also uncover opportunities for company leaders to recalibrate some internal resources by revising some job responsibilities and reporting alignments and perhaps shifting some technological resources from one department to another. Such moves may be short-term yet deemed to be effective during times of economic upheavals.
Evaluate Outsourcing Options
SMB leaders must also consider whether to outsource pieces of their security operations to third parties to reduce operational costs while still maintaining a high level of operational security. Outsourcing specific security functions, such as monitoring, incident response, or program management, to a third-party partner has proven to be a massive benefit to both protection and cost savings for some companies. With that said, executives should carefully evaluate the potential risks and benefits of outsourcing, including the impact on their security posture and associated cost savings.
Leverage Technology
Executives should also leverage technology to consolidate and improve their security capabilities. This may involve implementing new security technologies, such as advanced analytics or artificial intelligence (AI) to improve their security monitoring and response capabilities.
Executives should also consider consolidating their security technologies to reduce costs and improve efficiency. For example, they may wish to consolidate their security information and event management (SIEM) solutions or endpoint protection technologies. I often see an overlap of technology capabilities due to disparate security goals across departments. This can be addressed by a security conversation between people within all business departments, which I call a Security Committee. Such a committee can help formulate a holistic perspective on security operations throughout an organization which is sorely lacking in many SMBs.
While technology can play a significant role in improving security capabilities during economic downturns, companies must overcome the temptation to cede control of their cybersecurity posture to non-humans. At the end of the day, it is your people who direct the technology, not the other way around!
Focus on Employee Training and Awareness
Let’s face it -- employees are a critical part of an organization's security strategy, especially during an economic downturn, so it is essential to maintain employee training and awareness. Regular security training and vulnerability testing for all managers and staffers will help ensure they understand the importance of security and how to identify and report security threats.
Company leaders should also focus on cultivating a culture of security awareness throughout the organization to encourage and enable employees to be proactive in identifying and reporting potential security threats before they become a business issue. Cybersecurity is an all-hands-on-deck exercise, perhaps no more than for small businesses during periods of downsizing.
By following these guidelines, small- and medium-size company leaders can actually improve their security posture while also reducing costs, improving efficiencies, and remaining competitive in their industries.
Photo Credit: Luis Molinero/Shutterstock
Greg Tomchick is Partner and CEO of Valor Cybersecurity, headquartered in Norfolk, which provides cybersecurity services to leading small to medium-sized businesses in technology, defense, and investment communities.