As you work to improve the security measures for each of your customers, it’s likely you’ll find small businesses to be particularly difficult for a number of reasons. They don’t think they’re a target, they tend to be far too lax on security, and it’s hard to get them to invest in security. So you have a hard time convincing them they need better security, right?
The truth is, your small business customers are actually in dire need of better security. According to the National Cyber Security Alliance, small businesses are twice as likely to be attacked today compared to five years ago, and should they be the target of a cyber attack, statistically speaking, 60% of them will close within six months afterward. The reason? They don’t have the necessary protection (making them an easy target), nor the ability to recover from losses of productivity, revenue, and customer trust.
Even if your customer buys into the idea they need more (read: the minimum level acceptable) security, it’s possible you don’t have the right offering ready that will actually protect the customer while still generating profitable revenue for your business.
So what are the essentials you should offer to your small business clients?
The National Institute of Standards and Technology (NIST) recently put out a new (free) report, Small Business Information Security: The Fundamentals, that breaks small business security into a few high-level fundamentals:
Of these three, the first two translate into services you can provide. So, I’d like to walk through two of the three fundamentals by using some elements from the report, diving into each step just a bit deeper and giving you some ideas of the security services you should be offering to small businesses.
Every business needs to understand its security risks. The sources of risk are found in threats (e.g. hackers, environmental, and business-related) and vulnerabilities (read: weaknesses in security). For each source of risk, a likelihood and a level of impact to the business need to be determined. By having a discussion around risk and walking the customer through the Risk Source » Likelihood » Impact to Business model, the customer will have a better understanding of where they need help.
Some service providers do this kind of work for free (much like some tire shops do a “complimentary 10-point inspection”—it’s simply a way to find issues and upsell). You can also position this as a risk analysis service, incorporating an inventory, vulnerability scanning of the network and servers, and review of backups. This allows you to give the customer a more pointed—“here’s where I see the risks to your business”—type of report from a security and availability standpoint.
You probably already have a basic idea of what this fundamental entails—and the services you would provide—but let’s go through this to ensure you have every base covered. NIST breaks down the security of corporate data into five steps:
The UK Cyber Essentials standard affirms some of these very same security controls (albeit, using a bit more tactical approach) by calling for firewalls, secure configurations, user access controls, malware protection, and patch management.
At a minimum, you can provide a group of services that address protecting the customer and detecting threats (I think the UK recommendations nicely outline what should be included). You can also separately create an offering around backup and disaster recovery to help mitigate the risk of business loss due to hardware failure, acts of nature, or user error.
Because these disparately written sets of recommendations jibe in an almost “did you just copy and paste that?” kind of way, it gives credence to the content in each, providing guidance around what a basic offering should look like. One of the best parts of these recommendations is you have a credible basis when you discuss your newly formed security offering, demonstrating that the services align with security recommendations for small businesses.