With data now considered one of the most valuable commodities on earth, it is little wonder that its theft has become big business for cybercriminals. Yet, although the laws and regulations around cyber security apply to businesses of all sizes, those running small businesses and start-ups often lag behind in meeting their responsibilities. Fortunately, there are established frameworks for building a program that detects and responds to cybersecurity incidents: a cybersecurity framework is a set of controls that, once implemented, form the basis of a working cybersecurity program and give your organization the capacity to respond to an incident rapidly and efficiently.
Focused on the pressures of developing products or services and the day-to-day running of your company, you may overlook the fact that because you hold data belonging to customers, suppliers and third parties you are ultimately responsible for keeping that information safe. But by leaving cyber security as an afterthought, you could be risking everything you have worked for.
The UK Cyber Security Breaches Survey 2019 found that 31 percent of small businesses (those employing fewer than 50 people) had suffered a cyber breach in the preceding year. The impact of these breaches varies, but the accumulated cost of fines, lost revenue and reputational damage can spell disaster. A widely quoted US estimate puts the proportion of small businesses that fold within six months of a data breach at 60 percent.
Investing in cyber security is therefore of vital importance and should be near the top of every board agenda. But what exactly should you do? Where should you deploy your budget? The range and scope of options available to businesses are extensive so what should be the cyber security priorities for small businesses and start-ups? Here are three critical areas to consider.
Vulnerability Assessments
A good starting point for any company looking to build its cyber security profile is the vulnerability assessment. It has two advantages that matter to a small business. First, the scans are automated, so they can be scheduled to run regularly throughout the year rather than as a one-off exercise. Second, setting one up is straightforward: give the scanner of your choice the addresses of what you want tested (external IP ranges, hostnames, web application URLs) and let it run.
Once the results are produced, it is beneficial to have a cyber security expert analyse them: weed out false positives, prioritise the findings by severity and exposure, and decide what changes need to be made to improve the security of your systems. It is worth noting, however, that the limitation of this type of test is that an automated scanner can only identify known vulnerabilities, that is, those it has a signature or check for. Newly discovered flaws, logic errors specific to your own application, and weaknesses that only matter in combination will not be flagged.
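The value of scheduling assessments regularly, as the section describes, is that successive runs can be compared. The script below is an added example, not code from the article or from any scanner vendor: it takes two constructed exports from consecutive monthly scans of the same small network, works out which findings are new, resolved or still open, and ranks them by CVSS score so that the expert reviewing the output can start with what matters. The hosts, check IDs, titles and scores are made up for illustration.

```python
"""Triage and compare two automated vulnerability-scan runs.

Constructed example (not from the article): a scanner has been run against
the same small network in two consecutive months and exported one finding
per (host, port, check). Comparing the runs shows what regular scanning
buys you: which issues are new, which were fixed, and which are still open.
Check IDs, hosts, titles and scores below are made up for illustration.
"""
from collections import defaultdict

# Constructed output of last month's scan.
PREVIOUS_SCAN = [
    {"host": "10.0.0.5", "port": 443, "check": "CHECK-0101", "title": "TLS 1.0 enabled", "cvss": 5.3},
    {"host": "10.0.0.5", "port": 22, "check": "CHECK-0202", "title": "Outdated SSH server", "cvss": 7.5},
    {"host": "10.0.0.9", "port": 80, "check": "CHECK-0303", "title": "Directory listing enabled", "cvss": 5.0},
]

# Constructed output of this month's scan: the SSH server was patched, the
# TLS and directory-listing findings persist, and a new critical finding
# appeared on a freshly exposed database port.
CURRENT_SCAN = [
    {"host": "10.0.0.5", "port": 443, "check": "CHECK-0101", "title": "TLS 1.0 enabled", "cvss": 5.3},
    {"host": "10.0.0.9", "port": 80, "check": "CHECK-0303", "title": "Directory listing enabled", "cvss": 5.0},
    {"host": "10.0.0.12", "port": 3306, "check": "CHECK-0404", "title": "Database exposed without authentication", "cvss": 9.8},
]


def finding_key(finding):
    """Identity of a finding across runs: same host, port and scanner check."""
    return (finding["host"], finding["port"], finding["check"])


def severity(cvss):
    """Map a CVSS v3 base score to the standard qualitative rating."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    if cvss > 0.0:
        return "low"
    return "none"


def diff_scans(previous, current):
    """Return (new, resolved, persisting) findings, each sorted worst-first."""
    prev = {finding_key(f): f for f in previous}
    curr = {finding_key(f): f for f in current}
    new = [curr[k] for k in curr.keys() - prev.keys()]
    resolved = [prev[k] for k in prev.keys() - curr.keys()]
    persisting = [curr[k] for k in curr.keys() & prev.keys()]
    worst_first = lambda f: -f["cvss"]
    return (sorted(new, key=worst_first),
            sorted(resolved, key=worst_first),
            sorted(persisting, key=worst_first))


def summarize(findings):
    """Count findings per severity so the report leads with what matters."""
    counts = defaultdict(int)
    for f in findings:
        counts[severity(f["cvss"])] += 1
    return dict(counts)


def triage_report(previous, current):
    """Severity counts per category plus the single worst finding still open."""
    new, resolved, persisting = diff_scans(previous, current)
    still_open = new + persisting
    return {
        "new": summarize(new),
        "resolved": summarize(resolved),
        "persisting": summarize(persisting),
        "worst_open": max(still_open, key=lambda f: f["cvss"])["check"] if still_open else None,
    }


if __name__ == "__main__":
    new, resolved, persisting = diff_scans(PREVIOUS_SCAN, CURRENT_SCAN)
    for label, group in (("NEW", new), ("RESOLVED", resolved), ("PERSISTING", persisting)):
        print(f"{label}:")
        for f in group:
            print(f"  [{severity(f['cvss']):>8}] {f['host']}:{f['port']} {f['title']} ({f['check']})")
    print("Summary:", triage_report(PREVIOUS_SCAN, CURRENT_SCAN))
```

Real scanners export a richer record (plugin output, CVE references, confidence), but the comparison logic is the same: key each finding on the asset and the check, not on the free-text title, or a reworded title will show up as a spurious "new" finding. Keep in mind that everything in these exports is by definition a known issue the scanner had a check for; the manual review still has to ask what the scanner could not see.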
Penetration Testing
In contrast to a vulnerability assessment, penetration testing employs human skill to simulate the ingenuity and persistence of a real attacker. Starting from the weaknesses a vulnerability assessment has already highlighted, a penetration test attempts to gain access to your systems through them, chaining and exploiting them further to show how far an attacker could actually get. Because it is driven by a person rather than a signature database, this type of test can uncover issues an automated scan cannot, such as logic flaws and combinations of individually minor weaknesses.
The cyber security professionals carrying out the test will then be able to advise your business on how best to fix the issues it has identified. Regular penetration testing as your business grows is advisable and something to keep in mind when planning a cyber security budget. Combining frequent automated vulnerability scanning with periodic manual penetration testing will deliver the best result: the scans catch regressions and newly published issues between tests, and the tests catch what the scans cannot.
QSA Support
Vitally important for companies that process credit or debit card transactions, a QSA (Qualified Security Assessor) provides technical and professional support to ensure that your business complies with PCI DSS (Payment Card Industry Data Security Standard). Only the largest merchants are required to have an annual on-site assessment by a QSA; smaller merchants usually self-certify with a Self-Assessment Questionnaire (SAQ), but a QSA can still help you choose the right SAQ and reduce the scope of the systems it applies to.
A QSA will work with you to reduce the risk to the cardholder data you hold and, following an assessment, will provide you with remediation advice. This is particularly important for small businesses or start-ups that may not have broad knowledge of PCI DSS or cyber security. It is also highly recommended that companies look into PCI secure coding training: PCI DSS expects developers of in-house payment software to be trained in secure coding techniques, and that knowledge improves the security of everything else you build as well.
The best QSAs will visit regularly to get to know your business and will work collaboratively with you. Ultimately, a great QSA should make you feel they are as invested in the success of your business as you are. They will also communicate changes to the PCI DSS standard as they occur; and because a retained QSA has the benefit of understanding the way your business operates, they can also help you with other elements of your cyber security strategy.
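To make the "secure coding" point above concrete, here is an added example of the cardholder-data hygiene such training covers. It is not code from the article, from a QSA, or from any PCI Council document: it shows an unsafe payment-recording routine beside a hardened one that validates the card number's Luhn checksum, masks the PAN before it reaches a log, keeps only a masked form plus a keyed hash for later lookups, and never stores the CVV. The card numbers are constructed test numbers and the HMAC key is a placeholder; in a real system the key would come from a secrets store, not the source code.

```python
"""Minimal cardholder-data hygiene in application code.

Added example, not from the article or any PCI document. Rules applied:
  * validate a PAN's checksum (Luhn) before doing anything with it;
  * never write a full PAN to a log; write a masked form instead;
  * persist only the last four digits for display (well within the
    masking limit PCI DSS allows) plus a keyed hash for lookups;
  * never keep the CVV/CVC after it has been used for authorisation.
Card numbers below are constructed test numbers, not real cards.
"""
import hashlib
import hmac
import re

TEST_PAN = "4111111111111111"  # constructed test number, passes Luhn
BAD_PAN = "4111111111111112"   # one digit changed, fails Luhn
HMAC_KEY = b"placeholder-key-from-secrets-store"  # assumption: not a real key

PAN_PATTERN = re.compile(r"\b\d{13,19}\b")  # typical PAN lengths


def luhn_valid(pan):
    """Return True if the digit string is a plausible PAN by length and Luhn checksum."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Replace all but the last four digits with '*' for display or logging."""
    return "*" * (len(pan) - 4) + pan[-4:]


def pan_reference(pan, key):
    """Keyed hash (HMAC-SHA256) of the PAN, usable to match repeat cards
    without storing the number. A plain SHA-256 of a 16-digit PAN is
    brute-forceable, so the key must live outside the database."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def scrub_log_line(line):
    """Mask any PAN-looking digit run that passes Luhn before the line is written.
    The Luhn gate avoids mangling order numbers; it will miss a PAN with a
    typo, so this is a safety net, not a substitute for not logging PANs."""
    def repl(match):
        digits = match.group(0)
        return mask_pan(digits) if luhn_valid(digits) else digits
    return PAN_PATTERN.sub(repl, line)


def record_payment_unsafe(pan, cvv, log):
    """Vulnerable: full PAN in the log and CVV persisted. Both breach PCI DSS."""
    log.append(f"payment pan={pan} cvv={cvv}")
    return {"pan": pan, "cvv": cvv}


def record_payment(pan, cvv, key, log):
    """Hardened: validate, log a masked PAN, store only masked PAN and keyed
    reference. The CVV would be passed to the acquirer for authorisation
    here (not shown) and is deliberately neither logged nor returned."""
    if not luhn_valid(pan):
        raise ValueError("invalid card number")
    log.append(scrub_log_line(f"payment pan={pan}"))
    return {"pan_masked": mask_pan(pan), "pan_ref": pan_reference(pan, key)}


if __name__ == "__main__":
    unsafe_log, safe_log = [], []
    print("unsafe:", record_payment_unsafe(TEST_PAN, "123", unsafe_log), unsafe_log)
    print("safe:  ", record_payment(TEST_PAN, "123", HMAC_KEY, safe_log), safe_log)
    print("scrubbed:", scrub_log_line("card 4111111111111111 declined"))
```

Two things worth noting about the design. The masked value and the HMAC together let you show a customer "card ending 1111" and detect a repeat card without ever holding a number a breach could expose, which is the same reasoning behind the truncation, hashing and tokenisation options in the standard. And the log scrubber exists because PANs leak into logs through exception messages and debug output far more often than through deliberate logging; scrubbing at the logging layer catches those paths too.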
Although the key to successful cyber security for small businesses and start-ups is investment, it is not just a question of spending money. Cyber security investment is only truly effective if it is done strategically. Engaging a professional cyber security consultant will ensure that your budget is deployed effectively and, because you only pay for what you actually need, it represents good value for money. Furthermore, being able to demonstrate good data security reassures your customers that you take the safeguarding of their data seriously.