408 373 7327
info@frictionlessecusirty.com
Follow us at
https://www.linkedin.com/company/frictionless-security
Sanjay Mathur CISSP, CISM, CRISC
Its an old saying, "A giant oak-tree was once a little acorn."
The journey of an acorn to become a giant oak-tree is very similar to a small start-up growing into a large corporation. Well, the conventional wisdom is to give the right amount of air, water, soil, and a little protection to a good seed and expect it would grow to its potential, may it be an acorn or a start-up.
The question is, how much is the right amount? The answer lies in knowledge, skills, and experience. I did a little research on the Internet and found a great site that prescribes a method on how to grow oak-trees from acorns. Their method is developed based on research, and skills gained through experimentations. https://www.wikihow.com/Grow-an-Oak-Tree-from-an-Acorn
It was a great read and made me think: What if the acorn seed is excellent, and it gets just the right amount of air, water, food, and sunshine. It grows into a small oak-plant. Without a protective fence around it, it would be vulnerable to the threats, such as lack of support to survive, wild animals grazing it, or a curious kid plucking if off the ground just for fun.
Quickly, I realized this scenario was not very different from the methodology we have been developing over the years to help small businesses and start-ups. It helps mitigate the information and cybersecurity risks for them, and provides a differential advantage for gaining business.
Small Business is like an acorn fighting to become a big oak-tree.
Cyberattacks on SMBs (small to medium businesses) have been growing over the years. These kinds of attacks are known as Supply-Chain attacks. SMB vendor/supplier with less robust controls in place than the customers, becomes a weak link for hackers to exploit, find their way up in the supply-chain and attack their main target, the business that is consuming the services.
If you are an SMB and a third-party vendor to a large corporation, information, and cybersecurity is an essential consideration for you. You don't want to be a conduit in a cyber-attack and be in the news for wrong reasons. https://www.databreaches.net/delta-airlines-sues-247-ai-over-2017-data-breach/
Recall the data breach that happened in the 2017-2018 timeframe at [24]7.ai – an SMB that provides online customer chat for their clients' web sites, and in turn, affected large companies, such as Best Buys, Delta Airlines, Sears, Kmart. Recently, Delta Airlines sued [24]7.ai and 24/7 Customer Philippines Inc. alleging them for inadequate security controls, lack of PCI/DSS compliance, and unacceptable delay in reporting the data-breach.
As per DarkReading(1), the average cost of a single occurrence of a data breach for SMBs was around $120 in 2018. The post-facto breach cost is not only higher than the setup cost of the controls; but it may cost much more, with an irreparable brand-damage, or even a threat to the business existence itself.
The Challenge.
However, the challenge is that SMBs have limited time, resources, and money. Yet, the customers, investors, partners, and regulators demand trustworthiness. While the focus of SMB is on growth and sustainability. Also, SMBs are typically not formally trained on information and cybersecurity, and require help in setting and managing right controls to mitigate risks.
I was recently talking to a bright young entrepreneur on this topic, and he said, "Only if we knew at the time we started my business how vital information security would be at the stage we are in now, I would have paid more attention to it and that too much before."
I consoled him, "It is still not too late, all you need is to ask for the right help. However, I agree with you, security should not be an after-thought, but a part of the initial design and architecture of the product/service offering. We call this approach, "security by design."
He agreed and asked me to write more on security by design. I agreed. I'll do it soon.
Help for Acorns is available.
At Frictionless Security, we believe that information security should not be viewed from a cost-centric optic but a value-centric optic. It should be used as a unique selling proposition (USP) by SMBs and not just a simple demonstration of compliance with a regulation or an industry standard.
We have a Security Hardening for SMB's © framework that maps significant security activities on a typical SMB and start-up life cycle. It has a step-by-step guidance for SMBs to build data security and privacy as a part of the overall process and not as an after-thought or a surprise.
Figure 1: Security Hardening for SMB's © framework: Typical security requirements mapped on the Start-up/SMB lifecycle of growth.
Reference:
For a deep-dive discussion on Security Hardening for SMB's© framework, please feel free to contact Frictionless Security.