Richard Stiennon is Chief Research Analyst of IT-Harvest, where he focuses on data-driven cybersecurity industry analysis. Richard is also a former Gartner Vice President of Research and security auditor for PriceWaterhouseCoopers (now PwC). He is also the author and curator of the annual Security Yearbook, which tracks more than 2,800 cybersecurity vendors.
In a previous post based on his “Everything Compliance” conversation with Trustero Vice President of Marketing and Business Development Kimberly Rose, Richard described how the pursuit of SOC 2 compliance can improve cybersecurity for SMBs. This post features his thoughts on some common cybersecurity mistakes SMB decision-makers make and how best to avoid them.
What are some of the mistakes you’ve seen made or traps fallen into by SMBs trying to improve their cybersecurity?
Quite often, they start with a product. They say, “We have to be secure, so we must do something.” Then they buy the best firewall, ignoring employees who work from home and aren’t behind the firewall and that app that’s been moved to the cloud and isn’t behind the firewall either. They don’t take an architectural systems approach to design their security. Instead, they often fall prey to their friend, the salesperson from the reseller who calls them up and says, “Hey, you really need this. It’s awesome, it’ll save you money,” and all the rest. Too many SMBs take a piecemeal approach to cybersecurity and don’t have a wide enough view of all the things you have to do to be secure.
Is there an optimum time or maturation level at which SMB leaders should expand their thinking or take action instead of being reactive in their cybersecurity?
I love that question. I’ve written about giving up on telling people to do security first or in conjunction with the launch of their products because nobody does it. Why should you invest in all this security when you don’t even know if you’re going to have users or if your start-up will be a success?
Twitter was the best example. Twitter soon had a million users because it was so easy to sign up. You just grabbed a handle and provided an email address, and you were in. They did no checking on password length or strength. Users would use the word “password” as their password. And sure enough, Twitter became a big thing, then was in the news because celebrities’ accounts were easily hacked when a kid in Southern California ran a brute force password-guessing system against it. Twitter quickly scrambled and fixed the problem, but only after the fact of the hack. Zoom had all sorts of security issues when it went out to the world, too.
Individuals go through similar cycles of scramble and recovery. How many people have you seen on Facebook message you and say, “Hey, ignore any messages you get from me because my account was hacked?” And that’s when they say, “Oh, maybe I should use two-factor authentication, like Richard has been telling me for the last 22 years.”
Ransomware is having similar effects on SMBs now. The printer for my books got hit by ransomware in early April. Luckily, they had backups and they’re recovering from it. And you bet they’re changing their systems. Cybercriminals are the best security awareness training tool there is. There are companies that have had to shut down after a ransomware attack because they could never win back their customers or get all their data back.
Every SMB should have at least one person on the team who understands security. And it’s never too early to start thinking about it.
What does the near-term future look like for compliance for SMBs?
It’s going to be a long uphill battle for SMBs. They don’t fall under a lot of regulatory regimes, but they do fall under pressure from their customers and partners to show they have effective controls in place. Getting there isn’t something you can just do in six weeks. You’re going to have training, a deployment phase, an audit phase, and then a certification phase. And then you’re not done because you could be re-audited at any time. And you can easily fall out of compliance if you’re not continuously watching the controls you put in place and making sure they stay up to date.
Fortunately, there’s hope coming for SMBs. As they move to the cloud, there are going to be automated systems and tools that make it very easy to monitor and defend your cloud stuff and remain compliant. So, it should get a lot easier.
To see and hear more about SOC 2 compliance and cybersecurity from Richard, see his complete Everything Compliance interview with Kimberly here. And to learn more about IT-Harvest or purchase the 2022 Security Yearbook, visit https://www.it-harvest.com and use the promotional code “trustero1” for a 20% discount.