Larger companies regularly engage firms like Webcheck Security for $20k-$60k and more to perform cyber control gap or maturity assessments, usually against frameworks such as CIS 20, ISO 27001, or NIST, or against a limited scope surrounding PCI, HIPAA, or other privacy standards.
That's wonderful - but what about smaller companies? Verizon's annual data breach report has indicated for years now that more than 43% of the businesses being attacked are in the SMB category. You hear about the large breaches, but not the small ones (which are equally devastating to an SMB).
Small businesses tend to say, "But we have no servers or infrastructure internally (or very little), and we're not a target." That lasts until they have a security incident that rattles the owners. Suddenly they get it: cyber security cannot be an afterthought.
So what is it that Webcheck Security would do for a small business with limited infrastructure? What is the value of paying for an annual assessment and "renting" an information security officer for a few hours every month? Does it cost $20k?
Answering the last question first - no, a small business won't pay $20k for an effective assessment. What then is the actual value of shelling out a few thousand dollars to have a cyber maturity assessment performed?
First, it is important to remember that the in-depth analysis performed in a maturity assessment has less to do with copious infrastructure than with systems of operation, procedures and policies. For example, as our experts proceed, they will be both analyzing and asking questions about:
Disaster Recovery Policy
Business Continuity (intertwined with the former but distinct in purpose)
Password management and procedures
Storage of PII/PHI/PCI and other critical data and/or intellectual property/proprietary operational data
Security Awareness Training policies
Email defense mechanisms
Data Exfiltration possibilities
Corporate SaaS access, configuration, including Multi-Factor Authentication
Acceptable Use Policies
VPN and remote usage
Vulnerability scanning - internally and externally
These are just some of the things that would be reviewed for gaps and effectiveness. In many cases a small company may be doing some things right, but there will still be many recommendations for "moving the needle"; in other cases there will be significant exploitable policy/procedure gaps, which our practitioners will identify and document in prioritized order.
Part of the trick with cyber security is the recognition that it's not an IT problem to be solved with IT controls alone, but a combination of policy, procedure and best-practice controls, together with the application of the right controls in a way that makes sense for your business.
For example, for most small businesses, the practitioner won't be recommending expensive SIEM software and monitoring on a limited budget and infrastructure. Rather, many of the improvements or recommendations will be based on a dozen small things that, if done properly, can make a monumental difference in the business' overall cyber hygiene!
Then, post-assessment, the small business can choose to move forward with a monthly information security "rental", in which it will receive advisement on moving forward in the right order and the right way, in addition to actual policy-writing assistance. Having a prioritized roadmap to move forward and improve cyber hygiene - which is really about mitigating risk - is a critical exercise for a small business.
In summary, cyber maturity assessments for small and medium businesses are a critical component of risk mitigation. They won't cost an arm and a leg, and the risk-mitigation ROI of the budget freed up by having a prioritized roadmap can be critical to successful business continuity in the face of ever-increasing cyber threats!