Three Ways Small Businesses Can Capitalize on Their Risk Management Plan

Risk management is a multistep process performed to increase the security posture of an organization. It involves assessing, analyzing, evaluating, and then addressing risks. In a previous article, we looked at how to assess and then analyze threats. We also discussed how to create a cyber incident response plan (CIRP). A CIRP is a great way to address risks that are realized when your company suffers a cyberattack. The final element of a risk management strategy is how to plan for and address risks before they become incidents. For a small business, this needs to be done in a resource-effective manner. In this article, we will look at three ways to make sure your risk management plan provides the most benefit to your small business.

#1 – Have a company culture that promotes security

What is company culture?

Company culture describes the priorities and behavioral norms that exist within an organization. These norms are in part set by upper management’s expectations, policies, and actions. Company culture extends from upper management down to employees. In order to have the best risk management strategy, it is important everyone in the organization is on board. This means that they are educated on the importance of security and that they understand their roles in maintaining that security.

External vs. internal threats

We often think of cybersecurity risks as external threats. External threats originate outside of the organization, in forms such as malware, ransomware, or DDoS attacks. Internal threats originate inside the organization. Three types of insider threats are careless or negligent employees, credential theft, and malicious insiders. Breaches caused by the first two of these categories are accidental, while breaches caused by malicious insiders are intentional. Overall, 66% of all breaches can be traced back to an internal threat.

Statistics of internal threats sourced from the Ponemon Institute’s 2022 Cost of Insider Threats Global Report

How company culture can reduce internal threats

A company culture that promotes security can reduce both accidental and intentional threats. First, let’s look at accidental threats caused by careless or negligent employees. A root cause of these threats is a lack of employee education.

Remote work has become commonplace and brings with it many vulnerabilities. One vulnerability stems from employees using work devices for personal reasons. This can occur when a company gives them a device or when a bring your own device policy is in place. In both these situations, employees can negligently use these devices for non-work-related purposes. Sometimes they also share these devices with family members.

Social engineering is another threat to employees. A common form is phishing: attackers send emails that look like legitimate messages but contain links that introduce malware into the organization’s systems. We go into more in-depth solutions to these in our article on threats caused by remote working. But for now, consider how company culture can impact these threats.

A company culture that emphasizes security will stress best practices. This includes the mantra “if you see something, say something”. Employees should know what to look for and report suspicious activity. It should also be stressed that if employees believe they have introduced a risk to the company they will not be punished for doing so. Quicker incident identification leads to quicker incident response. An employee who does not report a potential breach out of fear of punishment allows the breach to be much more impactful.

Another good value to instill in company culture is open communication about why security measures matter. An employee that understands why certain security measures are in place (such as not sharing devices with family members) will be more likely to follow these procedures.

The last way company culture can increase security among employees deals with intentional insider threats. Malicious insiders are most commonly disgruntled employees. A workplace that monitors morale among employees and does background checks during the hiring process is less likely to suffer an attack by a malicious insider.

Company culture extends to the executives

Getting employees on board with security is important. The same principle also extends to upper management. One way to get executives to focus more on security is to show them data on why security is important for small businesses. It can also be beneficial to frame risks in ways that connect to their lives outside of work. For example, they are probably concerned with their parents or children clicking on phishing emails. If you explain that the same risks exist for employees they may be more likely to recognize it as a real threat.

Another option is to take a page out of Enterprise Risk Management (ERM) frameworks. ERM focuses on the importance of the whole enterprise working together to manage cyber threats. In this model, risks found in risk assessment and analysis are often put in financial terms. Quantifying risk allows executives to consider the return on investment of addressing specific risks. In this framework, executives establish organizational goals, risk appetites, and security budgets. All of these aid in the risk management process.

#2 – Find the right balance between security and user experience

In talking with cybersecurity professionals, we consistently hear this problem: how do you deliver secure systems that are also non-intrusive? It’s a balancing act to find effective security measures that are simple enough that employees will follow them and that will not interfere with user experience.

User experience can be interrupted if too many security measures are in place. This might drive customers away if they get frustrated with your service. In a recent interview we did with the co-founder of startups Sutori and Curvo, Yoran Brondsema talks about how 2FA can be a hassle for customers. “2FA for instance is more secure, but it’s also really more annoying. I lost my phone and then all my 2FAs were gone. I had to go to the notary to prove who I was, it was a whole ordeal. It’s a trade-off and that’s what’s annoying.”

In our interview with Dipul Patel, the CTO at Soluna, he gives us insight into how he thinks about security for his employees. He says, “When it comes to security, what I always tell my people and my team is that security is simple if you’re okay with dealing with inconvenience. But if you’re not okay with dealing with inconvenience, then you’re not okay with security. And most people will pick convenience over security. If you want to make your car not get stolen, put four boots on it. Every time you park, that’s a pain in the a**.”

He goes on to say, “Most people will pick convenience. If you make the passwords too hard they’ll write ’em down… We assume that the people will fail. So we have redundancies, and we have lots of testing and training that we’re rolling out now. We run phishing attacks, and keep people sharp. We share a lot on Slack about our operational security.”

Security solutions should be kept as simple as possible. This does not mean ignoring security. Instead, consider how much security is necessary for your business. Are you a small business that deals with a lot of personally identifiable information (PII) of your customers? Then having a strong 2FA is important. If you are a company that does not store PII it may not be necessary for customers to enter a 2FA each time they log on.

The best security solutions should aim to solve security issues in a cost-effective manner for the company. They should also have features that are not an inconvenience to users and employees. This brings us to our third way to capitalize on risk management.

#3 – Consider easy-to-implement solutions to big problems

A good way to capitalize on your risk management plan is to focus on solutions that are easy to implement and greatly improve security posture. Three areas to look at are employee education, access control, and automation.

Employee education

We have already touched on the importance of employee education. Now we will look at easy solutions you can use to increase education. A large focus for training should be on phishing. In our recent report on how companies are adapting to predicted threats from Russia, we found that the main concern among all business sizes is phishing. 30% of respondents also said that their company is investing in employee training and awareness programs.

Many vendors have tried and tested methods on how to educate employees about phishing. An example is KnowBe4. This tool’s videos give employees awareness of the threat of phishing and how to spot phishing emails. It also offers a free phishing security test to show you how prone your employees are to phishing. It was recognized as a leader in security awareness and training by Forrester in Q1 2022.

Other tools use methods such as awareness videos featuring celebrities to keep employees’ attention. Whatever method you choose, it is good to both provide awareness training as well as to test them with phishing simulations. Testing employees allows you to gauge how large of a risk phishing poses to your organization.

Access control

There are a couple of elements of access control that should be considered in your risk management plan. One element of access control we have already touched on: the use of two-factor authentication (2FA) or multifactor authentication (MFA). It is a security best practice that this is used by all employees. There are ways to make this process easier for employees, which in turn makes them more likely to use it properly. One example is a tool such as the YubiKey. This tool allows employees to authenticate using their fingerprints.

Passwords should be strong and automatically generated so that no attacker can easily guess them. This can be an inconvenience to your employees, but using a password manager can solve this problem. An example of a password manager is Bitwarden. Bitwarden offers a free password manager for personal use as well as a paid product for companies. Using a password manager allows employees to easily use multiple complex passwords without having to remember them all.

Top 10 password managers sourced from Expert Insights

In an interview we had with the VP of technology at Sercante, Adam Erstelle talks about why he uses a password manager with his employees. “With our password manager management tool, you can only auto-fill the passwords on the right websites. So for example you can’t take your Google password and fill it into Salesforce. So there’s a very low risk of cross-contamination unless you’re extremely purposeful. And it takes a little bit of effort and luckily, most humans are lazy.”
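The origin-binding Erstelle describes is the property that makes a password manager resistant to credential “cross-contamination”: a saved login is only offered on the site it was saved for. The following is an added example written for this article, not code from Bitwarden or any other product. It assumes a small constructed vault (`SAMPLE_VAULT`) in which each entry records the HTTPS origin it was saved on, and it decides which entries may be auto-filled on a given page URL: only an exact host match or a subdomain of the saved host qualifies, and plain-HTTP pages never receive a fill.

```python
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample vault: every entry is bound to the origin it was saved on.
SAMPLE_VAULT: Dict[str, Dict[str, str]] = {
    "Google": {"origin": "https://accounts.google.com", "username": "alice@example.com"},
    "Salesforce": {"origin": "https://login.salesforce.com", "username": "alice@example.com"},
    "Intranet": {"origin": "https://intranet.example.com", "username": "alice"},
}


def host_matches(stored_host: str, page_host: str) -> bool:
    """True only if the page host is the stored host or a subdomain of it.

    A look-alike such as accounts.google.com.evil.example does not end with
    ".accounts.google.com", so it is rejected; so is evil-google.com.
    """
    return page_host == stored_host or page_host.endswith("." + stored_host)


def fillable_entries(page_url: str, vault: Dict[str, Dict[str, str]]) -> List[str]:
    """Names of vault entries whose saved origin permits autofill on page_url."""
    page = urlsplit(page_url)
    page_host = page.hostname  # lower-cased, port stripped
    if page.scheme != "https" or not page_host:
        return []  # never fill on plain http or on an unparsable URL
    matches = []
    for name, entry in vault.items():
        saved = urlsplit(entry["origin"])
        if saved.scheme != "https" or not saved.hostname:
            continue  # entries not bound to an HTTPS origin are never auto-filled
        if host_matches(saved.hostname, page_host):
            matches.append(name)
    return matches


if __name__ == "__main__":
    for url in (
        "https://login.salesforce.com/?ec=302",
        "https://accounts.google.com.evil.example/signin",
        "http://login.salesforce.com/",
        "https://sso.intranet.example.com/",
    ):
        print(url, "->", fillable_entries(url, SAMPLE_VAULT))
```

The check is deliberately strict in one direction: a credential saved on `intranet.example.com` is offered on `sso.intranet.example.com`, but a credential saved on `accounts.google.com` is never offered on `www.google.com`, and nothing is offered on a page whose host merely contains the saved name. Real products add a public-suffix list so that a saved `example.co.uk` entry does not match every `.co.uk` site; that is left out here.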

While this might not help with malicious insiders, it does help with accidental insider threats. To mitigate the threat of malicious insiders (as well as to further mitigate the threat of accidental threats), an additional element of access control needs to be implemented.

This element involves limiting access where it is not required. The principle of least privilege says that only the minimum amount of access should be available to employees for them to do their job. Additionally, access should only be available for the amount of time it is necessary for that employee to have access. This minimizes damages that can be caused by insiders.

Sourced from Thycotic

If an insider does not need access to company data for their job, they should not be able to access it. Other access controls include ensuring all access is revoked when an employee changes positions or leaves the company. Passwords should be changed any time that occurs.
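The three rules above (grant only what the job needs, only for as long as it is needed, and revoke on role change or departure) can be enforced mechanically rather than by memory. The following is an added example written for this article, not code from any product or from the article’s authors. It assumes a hypothetical `AccessRegistry` that records each grant with an expiry time and the role the employee held when it was issued; a grant silently stops working at expiry, a role change revokes every grant tied to the old role, and offboarding removes everything. The clock and the employee and resource names are constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List


@dataclass
class Grant:
    user: str
    resource: str
    role: str            # role the user held when the grant was issued
    expires_at: datetime  # access ends here even if nobody remembers to revoke it


class AccessRegistry:
    """Hypothetical least-privilege grant store with time-bounded, role-tied grants."""

    def __init__(self) -> None:
        self._grants: List[Grant] = []
        self._roles: Dict[str, str] = {}

    def set_role(self, user: str, role: str) -> int:
        """Assign a role. Grants issued under a different role are revoked; returns how many."""
        old = self._roles.get(user)
        self._roles[user] = role
        if old is None or old == role:
            return 0
        before = len(self._grants)
        self._grants = [g for g in self._grants if not (g.user == user and g.role == old)]
        return before - len(self._grants)

    def grant(self, user: str, resource: str, ttl: timedelta, now: datetime) -> Grant:
        """Issue access to one resource for a bounded time; refuses users with no role."""
        role = self._roles.get(user)
        if role is None:
            raise ValueError(f"{user} has no assigned role; refusing to grant access")
        g = Grant(user, resource, role, now + ttl)
        self._grants.append(g)
        return g

    def is_allowed(self, user: str, resource: str, now: datetime) -> bool:
        """True only while an unexpired grant for exactly this resource exists."""
        return any(
            g.user == user and g.resource == resource and g.expires_at > now
            for g in self._grants
        )

    def offboard(self, user: str) -> int:
        """Departing employee: drop every grant and the role; returns how many grants went."""
        before = len(self._grants)
        self._grants = [g for g in self._grants if g.user != user]
        self._roles.pop(user, None)
        return before - len(self._grants)

    def active(self, user: str, now: datetime) -> List[str]:
        """Resources the user can currently reach (useful for periodic access reviews)."""
        return sorted({g.resource for g in self._grants if g.user == user and g.expires_at > now})


def demo() -> dict:
    """Walk one constructed employee through a shift, a role change and offboarding."""
    reg = AccessRegistry()
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed clock
    reg.set_role("alice", "finance")
    reg.grant("alice", "payroll-db", timedelta(hours=8), t0)  # one shift, not forever
    results = {
        "during_shift": reg.is_allowed("alice", "payroll-db", t0 + timedelta(hours=1)),
        "after_expiry": reg.is_allowed("alice", "payroll-db", t0 + timedelta(hours=9)),
        "never_granted": reg.is_allowed("alice", "hr-files", t0),
    }
    # Moving to engineering revokes the finance-era grant; it must be re-requested if still needed.
    results["revoked_on_role_change"] = reg.set_role("alice", "engineering")
    results["after_role_change"] = reg.is_allowed("alice", "payroll-db", t0 + timedelta(hours=1))
    reg.grant("alice", "build-server", timedelta(days=1), t0)
    results["offboarded"] = reg.offboard("alice")
    results["after_offboarding"] = reg.active("alice", t0)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design choices carry the security value. Expiry is checked at every access decision, so forgetting to revoke a temporary grant is a bounded mistake rather than a permanent one. Tying each grant to the role it was issued under means a position change cannot quietly accumulate access; the employee starts the new role with nothing and is granted only what that role needs.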

Automation

For small organizations with few employees, limited time, and minimal infrastructure, automation can be a necessary part of your security arsenal when it comes to risk management. Here we will discuss a few tools and vendors you can use to manage and mitigate risk.

Managed security service providers (MSSPs) give you an opportunity to outsource much, or all, of your security roles. It is always beneficial to have someone inside your organization who understands the security architecture and who can communicate with the MSSP. Beyond that, MSSPs can take the place of an in-house team entirely to automate all of your security needs.

Larger organizations with large security budgets may like to keep their security team in-house to maintain control. Smaller businesses have a less complicated architecture and likely will not suffer from some loss of control. Much of the incident response process can be outsourced. As we discuss in more detail in our risk assessment and analysis article, these processes can also be automated using vendor tools. In this way, a small business can rely almost entirely on automation and vendors to handle the risk management process.

More tools to prevent and identify incidents are firewalls, antivirus software, packet sniffers, bug bounty programs, and encryption tools. We will discuss these in further detail in an upcoming article on the most helpful tools for small businesses.

One thing that cannot be automated in the risk management process is the executives’ role. Defining the goals, risk appetite, and security budget of the organization is not a process that can be automated or outsourced.

Conclusion

Small businesses have limited resources including a minimal number of IT employees. The IT employees they do have hold many roles in addition to security. Managing risks in a resource-effective way is necessary for these businesses. The tips provided are meant to help guide a risk management strategy that maximizes returns without having to go over budget or sap too much time from your IT team. Sign up to receive additional insights on how small businesses can tackle fundamental aspects of cybersecurity.
