While working as a senior security analyst who assessed vendors’ security posture, I saw the glaring cybersecurity risks for businesses, both large and small, daily. Recently, while sitting in an awards ceremony breakfast for nonprofit organizations, the enormity of cyber risk went through my mind as representatives received their grants. In the past, I only thought about and discussed this risk for law firms and small businesses that participated in vendor relationships with my previous employer, my alma mater, and the fraternal organization in which I am a member. I did not fathom the vastness of this risk until I sat in this breakfast. At that point, I realized that countless small- and medium-sized organizations – both for-profit and nonprofit, a subset of educational institutions and churches – are sitting ducks for hackers looking to prey on weak security postures. How significant is this problem? The United States is home to 32.5 million small businesses that employ 46.8% of the private workforce. More than 1.5 million nonprofit organizations are operating in the country.There are about 1900 colleges and universities that are medium- and small-sized.A large amount of these institutions lacks the funds to remain afloat and relies on donors. People in the industry know that when funds are low, there is a high probability that an organization’s security posture is weak, neglected, lax, or non-existent.A cyberattack of these most vulnerable institutions could affect more than half the United States’ population.
Due to the small size of these institutions, most do not employ a CISO or an employee who understands cyber risk. They do not even have a security department or staff to manage cyber incidents and secure the network. It is plausible, the business does not follow any popular cybersecurity risk management frameworks and does not have security controls.
Sixty-six percent of small and medium businesses have experienced a cyber-attack in the past year.Businesses buy cyber insurance to cover these costs. However, these smaller institutions may not have cyber insurance. If they have this insurance, it may not be enough to cover the business’ liability for a data breach involving sensitive customer information.
While assessing vendors, I found that most smaller organizations do not perform vendor security assessments. If they do perform these assessments, they are inadequate. Fifty-one percent of businesses have suffered a data breach caused by a third party.Per Ponemon’s 2021 Cost of a Data Breach Report, third-party-related breaches can cost more than $370,000.Organizations must manage their third-party risk to identify and reduce security threats.Organizations should incorporate this into their security framework.
Lack of Employee Training
Because of the lack of cybersecurity leadership within these organizations, security awareness training may not be required, including phishing, vishing, smishing, spearfishing, or whaling. Not providing security awareness training leaves users at a disadvantage when they encounter these social engineering tactics. Security breaches occur because of untrained or under trained people. Because of lack of or inadequate training, these organizations probably:
- Do not patch and run unsupported software and systems.
- Use FTP or have ports open.
- Use weak wireless security encryption.
- Send data unencrypted or use insecure protocols.
- Do not separate their guest networks.
- Do not configure their network to use a DMZ.
- Use outdated, insecure, manual processes.
Insecure code in web applications remains the prevalent cause of confirmed breaches. Many small organizations do not employ developers who use secure coding practices. Cyber experts recommend that developers get periodic in-person training to identify vulnerabilities in their code. However, the lack of funding may impede developers from getting necessary OWASP Top Tentraining.
Security Audits and Penetration Tests
In most organizations, everyone hates an audit and does not want to spend the money to have someone tell them what they are doing wrong, but in today’s world, audits are necessary. Security audits and penetration tests check for missing controls and exploitable vulnerabilities. They give organizations a holistic view of needed security changes. Large organizations have these assessments performed annually, but smaller organizations may not follow suit.
Over the last year, I saw two breaches that shut down two medium-sized universities comparable to my alma mater for about a month. When reading articles about their breach responses, it appears that the universities did not have a good disaster recovery plan or never tested their existing plan. From what I read, the universities did not plan for disruptions and recovery effectively, which is a huge problem. Truthfully, I was not surprised by their responses as many of these institutions’ small IT department manages everything tech-related and lack funding for multiple sites.Small organizations face this issue too. Those that are financing disaster recovery initiatives areunderfundingthem. To fully ensure 99% availability, a small organization will pay about $150,000 a year.
Ordinarily, the solutions to fix the cyber threats for these organizations would be simple as:
- Hiring a CISO.
- Incorporating a popular cybersecurity risk management framework.
- Buying cyber insurance.
- Performing vendor security assessment.
- Developing a robust disaster recovery program.
- Patching systems.
- Upgrading to supported infrastructure and software.
- Employing consultants to perform security audits and penetration tests.
- Training their employees.
However, the remedy to fix the vulnerabilities for these organizations is not this simple. One must consider the available funds for these organizations. Standard fixes are excessive for these smaller organizations. My suggestions are to hire a managed security service provider and move to the cloud. However, smaller organizations still must understand their cyber risks and threat landscape. They will need to perform an analysis of and secure identified vulnerabilities. Next, these organizations should use existing security awareness training to educate users on the latest cyberattack methods for network entryanddata theft.Then, ensure in-house and external developers know and use secure coding practices or used SaaS. For other suggestions, visit NIST’s Small Business Cybersecurity Corner or review the “Security for Startups: The Affordable Ten-Step Plan for Survival in Cyberspace” by David Cowan.
((SBA), Small Business Administration, 2021)
((NCCS), National Center for Charitable Statistics, 2020)
(College Total, n.d.) and (Education Unlimited, 2019)
(Data Foundry, 2019)