Despite the name, enterprise security still applies to small and medium-sized businesses. Why would a small business invest in that level of security? Because smaller businesses often depend on larger clients to keep them afloat, and those larger clients mandate security requirements as a condition of doing business. They are also willing to dispense with vendors that will not meet those requirements.
It could be a matter of landing the next big client, or of staying in business at all, because your largest client requires that certain standards be met. The reasoning is that a smaller company that does not invest in security becomes the weak point in the supply chain leading into the larger company: all an attacker has to do is find out who the larger company's partners are and target them. This route has been used successfully many times. So if you want to work with larger companies that have strict security policies, you need to consider how that affects your risk management decisions as a small company, and what kind of investment you need to make in order to do business with companies that impose these requirements.
One approach is to get ISO 27001 certified. Even if you do not want to do business with larger organizations that require it, there is a lot to be said for following a recognized standard so that you are using established practices to protect your business. So even if you do not pursue the formal certification, try to follow those practices. Another approach is to follow NIST SP 800-171, whose requirements are extensive and span a broad set of control families (access control, incident response, configuration management and so on) rather than any single surface. If you are a US Department of Defense contractor handling Controlled Unclassified Information, you are required by contract to meet these requirements.
One example I constantly run into at Consul-vation is business insurance requirements. If you have ever applied for errors and omissions (E&O) coverage, also known as professional liability or malpractice insurance, or for the newer, related product of cyber liability insurance, you quickly discover how many of your processes, especially the ones that expose you to loss, have to be accounted for. Many service-based organizations carry this type of insurance. Getting it requires filling out countless pages of questions about your security practices. How are you protecting your website? How are you protecting your data? Who has access to what? What measures do you have in place, from backups to policies? These questions exist because each of them represents a potential risk the insurer uses to measure your risk level, and that is what insurance companies do, right? They measure risk and then set a premium based on it.
Very often, we see companies recognize the value of good practices only when they start going through these processes. It begins with "Help us fill out this form, because we don't know the answers to these questions," and turns into "You know what, you're probably right, we should be doing these things." That opens up a whole new world in terms of how they can start mitigating their risk and minimizing their exposure. The bottom line is that if you want to do business with larger companies, you may need to make your IT security approach a little more enterprise-like, even though you are a small business. It comes down to what is appropriate for the situation and what will help you get to the next level.