How to Manage Cybersecurity on a Shoestring Budget

The size of your budget shouldn’t affect your ability to keep your business safe.

PolySwarm
5 min read · Jun 13, 2018

The challenge of keeping your business secure can feel impossible sometimes, especially when you know that 70 percent of threats go undetected. Not to mention that small businesses are just as much at risk as enterprises: 61 percent of small businesses experienced an attack in 2017 and 54 percent experienced a data breach, according to Keeper Security.

This can feel more stressful when budget is a concern: you can’t pay for expensive software or an entire security team, and your CSO or other lead security employee is managing much of the work on their own.

PolySwarm COO, Nick Davis, shared his insights on how your CSO can boost security, even if you are working on a shoestring budget.

The role of a CSO is largely that of risk management. When viewing the threats targeting an enterprise, CSOs know that they have to prioritize the severe threats that can cause the most damage.

When I think about how a CSO can do more without additional staff or funding, I look at how to make the staff more productive and I look at techniques that can have a broad effect. The following is a short list that is in that spirit.

Enable 2-Factor Authentication (2FA)

This is generally a low-cost solution that provides a lot of benefit toward the security of devices, email, and websites, and one that we use at PolySwarm for all of our employees and accounts as well.

I do not recommend using SMS as the 2nd factor, because it’s too easy to intercept. The best 2FA options are either a smartphone app or a physical device. There are smartphone apps, such as Google Authenticator and Duo Security, both of which usually cost less than the physical device options. If you want to weigh all your options, consider the suggestions from PolySwarm CTO, Paul Makowski. The best options, listed from best to worst, are:

  1. Hardware dongle, see: https://landing.google.com/advancedprotection/
  2. An app on your phone that doesn’t sync your secrets anywhere (e.g. Google Authenticator)
  3. An app on your phone that does sync (e.g. Authy)
  4. Email based
  5. SMS based

Automation

Automating repetitive processes can free up a lot of time for an overworked staff. This is especially helpful because the lack of cybersecurity expertise and talent has led to a fatigued security staff for many businesses:

“This skills shortage has multiple implications. Organizations don’t have the right sized teams and operate in a perpetually understaffed mode. Often, the cybersecurity team lacks some advanced skills in areas like security analytics, forensic investigations, or cloud computing security, putting more pressure on the most experienced staffers to pick up the slack,” says Jon Oltsik, founder of ESG’s cybersecurity service.

One way to combat this shortage is by plugging into PolySwarm, the world’s first decentralized threat intelligence marketplace:

“A crowdsourced marketplace approach can help to remove that duplication of effort, so there would be a smaller number of security experts required in a company’s on-site security team. Those on-site teams would be doing the work that is specific to that company, while the security experts in the marketplace will cover all of the common and duplicative work,” explains PolySwarm CEO, Steve Bassi.

Learn more about how PolySwarm can help you: 5 Reasons to Plug Into PolySwarm As a Business.

Training

Spending a little bit of time to provide training to end users seems like a lot of work, but the ROI comes in when those trained end users make fewer support calls and cause fewer security incidents. (This is especially valuable when you remember that 60 percent of cyberattacks are carried out by insiders.)

Eliminate Red Tape / Busy Work

A busy staff should not be doing “busy work.” There are many possibilities here, so I’ll name a few:

  • Processes can be simplified
  • Document routing paths can be shortened
  • Authority for common tasks can be delegated

A SWOT analysis is a simple way to assess your current processes and understand where the busy-work bottlenecks sit. SWOT stands for Strengths, Weaknesses, Opportunities, Threats. For example, you may think:

  • Our strength is this new employee, who has always been our go-to for organization and project management. Maybe he/she can help us re-think some of our processes?
  • Our weakness is that we’re low on staff, but we can’t find talent that fits our needs. We need to outsource some of this work. (Find the best security consultant with these questions to ask potential security consultants, including a question from the PolySwarm CEO.)
  • An opportunity is the new software we purchased; if we can maximize that, we can offload some of the manual work on our team.
  • The threat for us is our reliance on cloud storage. We need to mitigate that by…

Don’t Buy Low-Quality Electronics

I know we’re talking about saving money, but if you compare the labor costs spent troubleshooting finicky memory, motherboards, printers, and other electronics, against the cost of buying higher quality equipment, you will often come out ahead when you buy higher quality equipment. Simultaneously, your staff has more time to focus on important security needs.

Stop the Password Reset and Complexity Madness

Password resets and account lockouts use up a lot of time for both the security staff and the end users and generally provide little ROI. Review the recent NIST Digital Identity Guidelines, 800-63-3, available at CSRC.NIST.gov, and take a load off of your staff.

Want more business security tips? Check out our Enterprise collection for many more tips, tricks and cybersecurity insights.

The world’s first decentralized threat intelligence market. Learn more @ https://polyswarm.io