For years a company's cybersecurity needs were left up to its IT department. IT was responsible for every decision and every purchase. The C-suite had bigger fish to fry, and what little attention InfoSec received typically dried up before anyone at the executive level dug in deep.
A lot of companies still operate that way, especially in the small to medium-sized enterprise space. It's unfortunate but true. The executive(s) are simply too busy to dive into the issue head first; other things demand their immediate attention.
It's no easier on the other side of the coin. IT professionals in smaller organizations typically find themselves stretched incredibly thin, and it's hard to focus on security when countless other tasks keep popping up on their radar.
Cyber attack is now one of the biggest threats to businesses of any size, worldwide. On average, a cyber attack cost a United States enterprise $1.3 million in 2017, and that figure shows no sign of decreasing (CSO Online: https://www.csoonline.com/article/3227065/security/cyber-attacks-cost-us-enterprises-13-million-on-average-in-2017.html).
To make matters worse, many small to medium-sized enterprises (SMEs) and small to medium-sized businesses (SMBs) don't have the resources or personnel available to get themselves out of this predicament.
It's very rare to see an SME or SMB with corporate officers beyond a Chief Executive Officer and a Chief Operating Officer. Finding a Chief Information Officer (CIO) or a Chief Information Security Officer (CISO) at that size of enterprise can be harder than finding a needle in a haystack.
Add to that how difficult it is to retain highly skilled IT/InfoSec staff in today's market, and the severity of the problem multiplies.
Given the risk a cyber attack poses to an enterprise, it only makes sense for C-level executives to take cybersecurity seriously and discuss it in the boardroom, however inconvenient it is to work an InfoSec discussion into the meeting schedule.
Even after you make the time to openly discuss the cybersecurity health of your business and what it might take to secure it, actually putting any of those plans in motion, and knowing whether they'll work, is a daunting task.
It's enough to make your head spin, right?
One of the first things to do is audit your current security setup. You need to ask questions like:
- What products (if any) are we using to protect our endpoints?
- Are our firewalls up to date (firmware, patches and rule sets)?
- What are we doing about Identity and Access Management?
- Are we following a set of best practices, such as the NIST Cybersecurity Framework?
Those are only some of the questions a CEO or COO (again, if you've got one) might ask once the cybersecurity discussion rears its head in a C-level conversation.
There are some things you can do relatively quickly that'll get the ball rolling.
A great place to start might be something as easy as a free cybersecurity risk scorecard. We offer them ourselves, and they're a quick way to understand what might be at risk in your organization (http://content.security7.net/cybersecurity-risk-scorecard).
Even once you know where the problems are, it's incredibly difficult for many SMEs and SMBs to find the personnel they'd need to bring on to address them. That's why many SMBs and SMEs have started to consider bringing on a Managed Security Services Provider (MSSP for short).
A Managed Security Services Provider is an IT/InfoSec professional (or team of IT/InfoSec professionals) that offers security-as-a-service to its clientele.
An MSSP can offer services such as:
- 24x7 Performance and Availability monitoring
- Compliance Management
- Identity and Access Management (IAM)
- InfoSec services (including cloud, domain, email, endpoint and network security services)
- Security Awareness Training
Once you've answered a few of the questions about your current security status, there are a few more you should ask yourself before engaging an MSSP to help with your InfoSec needs. We compiled a helpful list you can find here: https://www.security7.net/news/7-questions-you-should-ask-before-hiring-an-mssp