Cyber Hygiene 101 for Small- and Medium-Sized Businesses

Theo Lebryk


Industry reports and surveys paint a frightening picture of the cybersecurity landscape for small- and medium-sized businesses (SMBs): Between 2019 and 2020, cyber intrusions increased by 400 percent around the world, while the FBI received up to 4,000 cyberattack-related complaints per day. Forty percent of cyberattacks target SMBs, and up to half of all SMBs experience a breach each year. In 2020, the total cost of ransomware payments was $350 million, a 311 percent increase from the previous year. In 2020, the average cost of repairing a data breach was $2.64 million for companies with fewer than 500 workers. A report on critical infrastructure SMBs found that 46 percent of hacked companies lost customers and 59 percent reported losses in daily productivity because of a breach. No wonder 60 percent of small businesses go out of business within six months of a cyber incident.

SMBs are often unprepared to respond to cyberattacks. Nearly two-thirds of SMB CEOs confess that their companies lack an active, up-to-date cybersecurity strategy. This report consolidates advice from industry and the U.S. government on cyber best practices. It provides SMBs a high-level overview of how to integrate investments in people, processes, and technologies to mitigate the risk of the most common types of cyberattacks. For a more comprehensive list of industrial cybersecurity standards and technological controls, the Foundation for Defense of Democracies has also released a “Comparison of Cybersecurity Guidance for Critical Infrastructure Sectors.”

Cyber Hygiene: People, Processes, and Technology

All businesses face a choice when it comes to technology management, cybersecurity, and risk acceptance: Should the company employ a dedicated, in-house security operations center or outsource these tasks to a managed service provider? In general, outsourcing is the cheaper and more practical solution for SMBs. Regardless of who manages security functions, however, businesses have to understand the risks that stem from the combination of people, processes, and technologies, and weigh their tolerance for those risks.

Cyber hygiene entails persistent due diligence and comprehensive due care. Due diligence is the continual evaluation of security practices; due care is the action taken to ensure security. While the practices listed below should help reduce risk, it is equally important for businesses to be ready to adapt to the new exploits that adversaries introduce. It is worth noting, then, that enterprise cybersecurity is as much about mindset as it is about any single person, process, or product.

RADM (Ret) Mark Montgomery is the Senior Director of the Center on Cyber and Technology Innovation (CCTI) and a Senior Fellow at the Foundation for Defense of Democracies. Theo Lebryk was a CCTI intern during the spring of 2021. Follow Mark on Twitter @MarkCMontgomery. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.

Courtesy: (FDD)