Keeping a Clean Bill of Cyber Health – A Guide for Smaller Organizations

With recent figures showing that as many as two-thirds of small businesses reportedly fell victim to cybercrime last year, the age-old ‘too small to be significant’ mentality is clearly a flawed school of thought when it comes to cybersecurity. Generally, businesses have either had the false impression that they’re not a big enough target or fly ‘under the radar’ when it comes to having information exploited. 

In truth, the stakes couldn’t be higher. It’s common for attackers to target the path of least resistance, so smaller organizations should never assume that they are too insignificant to matter – they could be the first link to a customer’s larger supply chain network or high-value employee, or a pawn in someone else’s more nefarious endgame. With small businesses providing the lifeblood for the UK economy, it’s vital that their cyber-health is given a regular check-up.

To get a good overall insight into how organizations can reduce their cyber-risk exposure given the escalating threat landscape, here are a few considerations as a place to start:

Security Must be Data-Centric – Protect Information

Data is fast becoming the commodity of modern businesses. Therefore, they should be able to answer questions regarding what types of data they collect, how attackers could use that information if they got their hands on it, and, most importantly, what the business is doing to protect that data. Answering these questions with authority is akin to having good genetics, a great basis for a clean bill of cyber-health. From there, a good rule of thumb is: if the business collects data, then protect it. Follow the appropriate security measures to ensure that customer and employee data is protected from unauthorized access, whether internal or external.

Put a Threat & Vulnerability Management Program in Place

This is often the most important thing to do to improve and maintain security, but it can be difficult for smaller organizations to know what to prioritize. Managing vulnerabilities inside the IT environment is tough and new attack vectors emerge daily. The attack surface is constantly changing due to IT device and platform lifecycle issues, changing operational priorities, and adoption of emerging technologies. With every change comes the risk that a new flaw or configuration issue will provide a threat actor with the final link in their attack chain, resulting in an impact to users, operations, and customers.

Free intelligence tools that provide context about threats and allow for collaborative sharing can help in this area, as can keeping the most vulnerable business-critical applications such as email and anti-virus software at the top of the list. Having the most up-to-date security software, web browser or operating system will also help defend against malware, viruses and online threats, so turn on automatic updates if they are available.
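The hardest part of the programme described above is deciding what to fix first. The following script is an added illustration, not code from the article or from any product it mentions: it takes a constructed inventory of pending updates and ranks them so that internet-facing, business-critical software (the email and anti-virus examples from the text) with the oldest unapplied fixes rises to the top, and it lists hosts where automatic updates are switched off. The host names, package names, dates and scoring weights are all assumptions chosen for the example; a real deployment would feed it from a patch-management or asset inventory export.

```python
"""Added example: rank a small organization's pending patches for a simple
threat and vulnerability management routine. Inventory data, weights and
thresholds are constructed for illustration and are not from the article."""
from dataclasses import dataclass
from datetime import date
from typing import List


@dataclass(frozen=True)
class PendingUpdate:
    host: str
    package: str
    business_critical: bool      # e.g. mail server, endpoint protection
    internet_facing: bool        # reachable from outside the network
    released: date               # date the vendor published the fix
    auto_updates_enabled: bool   # host applies updates without manual action


# Illustrative weights (assumption): exposure and criticality dominate,
# patch age adds up to 30 points, and a host that needs manual patching
# gets a small nudge because the fix will not apply itself.
CRITICAL_WEIGHT = 40
INTERNET_WEIGHT = 30
MAX_AGE_POINTS = 30
MANUAL_PATCH_WEIGHT = 10


def staleness_days(update: PendingUpdate, today: date) -> int:
    """Days the fix has been available but not applied; never negative,
    so a vendor-dated 'future' release does not lower the score."""
    return max(0, (today - update.released).days)


def risk_score(update: PendingUpdate, today: date) -> int:
    """Higher score means patch sooner."""
    score = 0
    if update.business_critical:
        score += CRITICAL_WEIGHT
    if update.internet_facing:
        score += INTERNET_WEIGHT
    score += min(staleness_days(update, today), MAX_AGE_POINTS)
    if not update.auto_updates_enabled:
        score += MANUAL_PATCH_WEIGHT
    return score


def prioritize(updates: List[PendingUpdate], today: date) -> List[PendingUpdate]:
    """Return the inventory ordered most urgent first; ties are broken by
    host and package so the report is stable between runs."""
    return sorted(
        updates,
        key=lambda u: (-risk_score(u, today), u.host, u.package),
    )


def hosts_without_auto_updates(updates: List[PendingUpdate]) -> List[str]:
    """Hosts that will stay exposed until someone patches them by hand."""
    return sorted({u.host for u in updates if not u.auto_updates_enabled})


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    PendingUpdate("mail01", "postfix", True, True, date(2024, 5, 1), False),
    PendingUpdate("ws-07", "web-browser", False, False, date(2024, 5, 25), True),
    PendingUpdate("ws-12", "endpoint-protection", True, False, date(2024, 5, 20), False),
    PendingUpdate("web01", "nginx", False, True, date(2024, 4, 1), True),
]
SAMPLE_TODAY = date(2024, 6, 1)


def report(updates: List[PendingUpdate], today: date) -> List[str]:
    """One line per pending update, most urgent first."""
    return [
        f"{risk_score(u, today):3d}  {u.host:8s} {u.package}"
        for u in prioritize(updates, today)
    ]


if __name__ == "__main__":
    print("Patch order (score, host, package):")
    for line in report(SAMPLE_INVENTORY, SAMPLE_TODAY):
        print(" ", line)
    print("Hosts needing manual patching:",
          ", ".join(hosts_without_auto_updates(SAMPLE_INVENTORY)))
```

With the constructed data the mail server comes first (critical, internet-facing, a month overdue and patched by hand), the endpoint-protection agent second, the public web server third, and the workstation browser last. The weights are deliberately simple; the point is that even a short, written-down scoring rule gives a small team a defensible order of work instead of reacting to whichever alert arrived most recently.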

Make People an Asset to Cybersecurity

Employees are quite possibly the biggest potential asset in a business when it comes to cybersecurity, especially in smaller organizations. Yet countless studies show that employees can also be the biggest threat, whether through sharing passwords, not changing them, using weak ones, or failing to spot clever phishing emails. Training should be offered, but keep it short, informative and relevant to the business. To get an idea of how the company is faring, test with controlled phishing attempts or prompt staff regularly to change passwords.

Keep in mind that a cybersecurity plan simply isn’t complete without a cybersecurity education and training program that helps build and foster a security-conscious business environment. After all, employees don’t want to get it wrong or click a link that is detrimental to the business or their jobs; they do, however, need to be given the guidance, tools and knowledge to become more cyber-savvy.

Addressing the Skills Shortage via Managed Detection & Response

Understaffed and overextended cybersecurity teams face an uphill battle against threats that are not only mounting but also becoming more sophisticated. Yet smaller businesses often operate with an outdated mentality that security is too pricey for their slim profit margins and that they lack the staff to manage it properly; they assume that cybersecurity is just for large organizations. Just like larger organizations, small businesses suffering from a shortage of skills can become vulnerable to financial loss, operational disruption, and reputational damage if the problems of security alert volume and prioritization are not addressed.

Most companies cannot afford a large full-time team, but having a security professional or pen tester from an outside firm come in occasionally to assist can make a huge difference. These security professionals are trained to spot the red flags and weak spots in an organization and can offer valuable insight into how to improve cybersecurity. In addition, cloud security offerings can help organizations of any size achieve a good security posture, and they are built on payment models that suit smaller organizations.

Put Cybersecurity & Risk Exposure in Context

A concept that most of us as consumers understand is a rating system, such as credit ratings. In a business context, a Cybersecurity Rating can also equip small business owners with actionable information that can help protect data and assets and help businesses maintain a pulse on their cyber-health. It’s ideal for business owners that don’t have large IT staff, or who lack some of the technical expertise necessary to stay ahead of the cyber-threat landscape.

Importantly, having these key elements as part of a regular routine will help inform an organization’s cybersecurity rating. These ratings will likely gain relevance as cyber insurers gather more cyber-risk actuarial data to develop policies that address the unique threat landscape faced by smaller businesses.

One key piece of advice for smaller organizations is not to overdo it. Many vendors would have companies believe in an impending apocalypse to sell their products, but it isn't as bad as it seems. By following best practices, patching, exercising common sense, and bringing in external help, businesses can fulfil compliance obligations to regulatory bodies and customers, and reduce the risk of a data breach and its impact on customers, employees and their reputations. At the same time, it will raise their ‘difficulty levels’ enough for most attackers to search for an easier target.

Remember, cybersecurity is an ongoing battle – not a tick-box exercise – so make sure cybersecurity is a continuous process. Just as one cannot simply visit the gym once to declare themselves ‘fit,’ smaller organizations need regular check-ups and fine-tuning to reach peak cyber-fitness.
