Meaningfully reduce cyber risks

May 01, 2022

An actionable cybersecurity strategy can be established without significant financial investment, and with measurable results and rewards.

Small and midsize businesses (SMBs; fewer than 1,000 employees) are often unprepared for cyberattacks because they erroneously believe hackers are only concerned with attacking large enterprises with deep pockets. In fact, 43 percent of all data breaches involve small and medium-sized businesses, according to Verizon. SMBs prove an attractive target for ransomware, financial fraud, and supply chain attacks due to often having less mature cybersecurity practices. According to Coro, a cyber-security platform, unprepared SMBs are a staggering 490 percent more likely to experience a breach in 2022 compared to a year ago.

The state of small business cybersecurity in 2022. In the last year, cyber intelligence firm 4iQ reported a sobering 424 percent increase in new small business cyber breaches. On average it takes around $200,000 for a small business to recover from a typical cyberattack, according to Hiscox Insurance; 83 percent of SMBs are not financially prepared to recover from an attack, according to InsuranceBee; and 60 percent of impacted SMBs tend to go out of business within six months of a cyberattack, according to the National Cyber Security Alliance. Despite this, a report by InsuranceBee notes that 91 percent of SMBs haven’t purchased cyber insurance, leaving themselves vulnerable to an ever-looming threat with the potential to topple their business.

Risks of not doing enough. Firms not taking precautions against cyberthreats are at risk of significant interruptions to financial and business continuity, and a tarnished reputation. Additionally, breaches may affect client expectations and rights, particularly if compliance requirements are not met. Finally, obtaining cyber insurance may prove more difficult and costly for companies that are unable to prove some level of cyber hygiene.

Case study: Dudek. When I joined Dudek in 2017, the growing environmental and engineering consulting firm lacked a formal security program. Staff, often at the forefront of cyberattacks, had no security awareness training. The firm relied on a “last generation” antivirus software and an out-of-the-box Office365 email security configuration. Multi-factor authentication was not being used, there were no standards for patching, and the firm lacked visibility into vulnerabilities with unsupported server and desktop software and hardware in use. Under this setup, Dudek was left susceptible to cyberattack.

I sought to remedy Dudek’s cyber vulnerabilities by establishing a continually evolving and improving security program and framework. An audit revealed a primary threat of account/email compromise; this and other top risks were methodically addressed. With support from all levels of the firm, annual cyber maturity scores dramatically increased through the introduction of technical, physical, and administrative controls.

Setting up for cybersecurity success in 2022 and beyond. Small and medium-sized businesses need not have Fortune 500-sized IT budgets to protect their data and keep it out of the hands of hackers. In the very wise words of Benjamin Franklin, “By failing to prepare, you are preparing to fail.” SMBs are encouraged to reduce cyber risks in the workplace by employing the following steps:

  1. Perform a GAP analysis:
    1. Adopt a security framework. Pick a framework to benchmark against – based on industry compliance requirements or, if not required, something like CIS, NIST, or CMMC.
    2. Create an information security program document. Develop a living document that keeps track of where you are currently and that matures over time. There are a multitude of templates available on the internet. A template will provide a starting point for the security program document which can be modified to fit your organization’s needs. Describe your firm’s approach to risk management, and clearly outline roles and responsibilities, security policies, and controls.
    3. Conduct a GAP analysis. Revisit the standards established in your framework and analyze how the firm is meeting, exceeding, or failing against these benchmarks. The GAP analysis should document the firm’s current state via free self-assessment resources or a third party, if the budget allows for it. The analysis should identify the firm’s ideal future state and IT goals based on the established security framework. Periodically, gaps between the firm’s current state and goals should be reviewed and remedies should be prioritized.
  2. Start with quick wins. Address the low-hanging fruit and plan for more involved projects and programs. Focus on security solutions that will have the biggest bang for your buck. There are many no- or low-cost solutions that can have a major impact on cybersecurity.
  3. Develop a roadmap for constant improvement. Build an annual roadmap outlining initiatives for the year based on perceived risks. Revisit your roadmap annually, adjusting your plan as needed.

Operationalize security with limited resources. SMBs can rely on various resources to enact these initiatives in their cybersecurity roadmaps without endless coffers of cash. Managed cybersecurity services offer a variety of security tools and services that scale based on the number of end users/computers in question versus larger, upfront CAPEX expenditures traditionally associated with building a security capability. Additionally, there are many free resources available.

As technologies advance and change, it’s critical for businesses to remain vigilant yet flexible. Reducing cyber risks doesn’t have to rely on grandiose IT budgets. An actionable cybersecurity strategy can be established without significant financial investment, and with measurable results and rewards. SMBs can confidently step into 2022 with a solid plan in place to reduce cyber risks this year and well beyond. 

Brian Nordmann joined Dudek in 2017 and serves as chief information officer. He leverages more than 20 years of experience in information technology and has held various technology leadership roles throughout his career, including roles in environmental services, defense, transportation, and finance industries. Connect with him on LinkedIn.

Click here to read this week's issue of The Zweig Letter!

Free Resources:

  • FRSecure.com: cheat sheets, checklists, playbooks, policy templates
  • CISA.gov: cybersecurity assessments
  • MS Funds: Microsoft and many other vendors offer assessments for working with their cybersecurity partners.

No/low-cost solutions to move the needle:

  • Patch now!
  • 2FA/MFA
  • Security baseline policies
  • Document what you do when faced with security situations – include an incident response plan in your security program document
  • Security awareness program/training
  • Leveraging what you own with Microsoft
  • Pen tests and vulnerability assessments identify risk to infrastructure such as misconfigured BPN/firewalls, cloud services, or web apps

About Zweig Group

Zweig Group, three times on the Inc. 500/5000 list, is the industry leader and premiere authority in AEC firm management and marketing, the go-to source for data and research, and the leading provider of customized learning and training. Zweig Group exists to help AEC firms succeed in a complicated and challenging marketplace through services that include: Mergers & Acquisitions, Strategic Planning, Valuation, Executive Search, Board of Director Services, Ownership Transition, Marketing & Branding, and Business Development Training. The firm has offices in Dallas and Fayetteville, Arkansas.