What If There Isn't Any Budget?
Cyber Criminals = Marketing Geniuses
If you don’t think you’re a target, think again. Attackers are in business to make money, and smaller businesses are even more at risk because they most likely have less security and are more likely to pay a ransom. In fact, most small to medium-sized businesses only last about six months after an attack.
Marketing tactics are everywhere and cyber criminals are just lurking in the shadows waiting. They know that an ad, email, social media post, or even a game created just the right way will get you to click. Like a marketing professional, they are creating leads with their mass emails and advertisements.
From Scare to Care
The old tactics aren’t working anymore, and scaring folks into submission does more harm than good by creating distrust. IT and Security teams need to be the change, put themselves in the marketing seat, and find out what works for their audience. Believing that nothing else can be done to get through to anyone is a bad excuse; get out of that mindset.
So we know that the average person at home doesn’t need to have the technical jargon shoved down their throat. They thrive on effective stories that they can relate to. These stories should be to the point and just long enough to get them to listen.
Stories that could help would be success stories. “If you take 10 minutes of your time, here is how I can help you and reduce risk.” Other stories are the lessons that are relatable, like how someone’s home was sold right out from underneath them. Security is now part of life for everyone.
I don’t have the money to do this. What can I do by myself?
Building a security program is like building a house. You have to start with the foundation. The best part is that it costs next to nothing to do and will eventually lead to business efficiencies that will save money in the long run. We’re talking about taking inventory. Figure out what your assets are when it comes to hardware, software, and data.
Did you know that college students are waiting in the wings, ready to jump at the chance to help with this? Yes, interns. These students need experience and credit, and they are willing to help you with Asset Discovery and Vulnerability Scans. Free open source tools are available for both of these things. Not only are you helping your company, you are helping young cyber professionals get into a difficult industry.
You can also create your inventory manually. Start with an Excel spreadsheet and go to town!
Understanding the Risks vs. Preventing Them from Taking Place
Having trouble figuring this out? Here’s one question to ask yourself and other people at your organization: What would it take to kill the company in 24 hours?
From here, you may get some different answers. Identify the most significant risk that is unacceptable to you. If you have any budget at all, it should go first toward mitigating that one.
Back It Up
Print and store everything, and make backups to refer to later, just in case. Make sure they are up to date and recycled as necessary. Extra data lying around is also a risk.
It’s Not Just About the Boogey Man
Electronics work…until they don’t, and you never know when that’s going to happen.
The Lightbulb Effect – Whether it burns for 1 minute or however long it was made to last, it will burn out when you least expect it. Are you going to remain in the dark when this happens, or are you able to replace the lightbulb and go back to business as usual? Be prepared for the worst.
Finding Trustworthy Pros
MSP, MSSP, how do you find the right people without blowing the little budget you may have?
Find a friend. If you don’t know someone personally in the industry that you trust, work with a consultant that doesn’t sell anything so that you can approach this with someone who is unbiased.
Get on Infosec’s Twitter and see who they are looking to. Most people are helpful and can point you in the right direction. Call your local colleges, fact check it, do your homework, read reviews, and get on social media sites.
PurePlay is a good resource and you can even reach out to the panelists on this call... Evan, Chris, Ryan, or Gabriel.
Find vendors who have skin in the game with you, who are committed.
There is no such thing as 100% secure! Teach the people, not the companies.
Small to medium businesses do not have money to just throw around. Have empathy. Don’t think about yourself. Care about that company.
Educate Your People
Wizer is FREE. You don’t need expensive certifications or training. Focus on protecting your people. Once their behavior changes, then the company will benefit.
People are the primary focus. Create videos and other content with the mindset of how to make them go viral. Tell stories. Security Campaigns play a huge role in risk mitigation strategy!
I’m a Company Trying to Help a Business With Little to No Budget
Small to medium sized businesses do not have money to just throw around. Have empathy. Think about that company before you think about yourself. To help them get started with their security strategy, you can...
Give them a "starter kit" to help jump-start their asset discovery. Keep in contact with them throughout the process by letting them have a few short calls and/or emails in the bank. In the long run, you are creating a customer for life!
Make it affordable and accessible. Accelerate them!
Progress IS Value
Progress is important, and you need to be able to show that AND value no matter what your budget is. It takes a while. It needs to be blended in as a part of your business. This week, pick one thing. Next week, a different thing. Write a policy. Take inventory. Going willy-nilly and spending money on various things like apps and other features without understanding exactly how they work is not where to focus your time or money. If you don’t have the money, focus on the basics. The rest will come. Baby steps.
Research, Research, Research
Security needs to be as important as electricity. We are all living in a digital world at home and at work. It’s literally another utility. Don’t sell yourself short by not doing the research.
Google is your friend. Research other companies and their data breaches. Find out who is doing a good job and who isn’t. Additionally, research companies in similar industries as yours. This could also help you identify which assets and other areas to focus on!
You just have to start.