SMBs: Cybersecurity Is Everyone’s Responsibility
Think security is only a job for your IT team? Think again. To keep a cyberattack from ending your business, it’s time to rethink how your entire team should be working to protect the company.
It’s hard to go a week without learning about a new cyberattack. And while it is often the Fortune 500 companies that draw the most media attention (Marriott International, Morgan Stanley, T-Mobile, Target, and more), small and medium businesses (SMBs) are more frequently threatened and have much more to lose…such as their entire business. To avoid becoming a statistic, SMBs need to develop a security culture that reinforces the idea that cybersecurity is the responsibility of every team member.
Figures from IBM show such incidents are incredibly costly for small to medium-sized businesses (SMBs), defined as having fewer than 500 employees. The average cost per individual incident in 2023 was a whopping $3.3 million. Unfortunately, that level of expense usually means the end of the line for many. Many small business owners nonetheless believe they could resolve a cyberattack on their own. However, the National Cyber Security Alliance reports that 60% of small businesses that experience a cyberattack go out of business within six months.
Those frightening statistics make it very clear that cybersecurity is a company-wide issue. It impacts everyone across every department and every element of operations. Cybersecurity is a collective responsibility. During this Cybersecurity Awareness Month, let’s debunk the pervasive misconception that cybersecurity is strictly an IT issue.
From the founder who sets a security-focused tone, to the specific teams that implement the policies, to the HR department responsible for onboarding new employees, to the IT team setting system password requirements, and to every employee who could open a phishing email and trigger a security incident, staying aware is a collective effort. All individuals need to be trained, vigilant, and engaged. The devil is in the details: it’s the tools, tasks, and routine activities each team member performs that will protect the company.
Make Cybersecurity a Team Responsibility
Here are four ways to ensure everyone in your organization understands cybersecurity is everyone’s responsibility and needs to be a team effort.
1: Commit to ongoing education and awareness
Cybersecurity awareness training should not be limited to once a year! Take the time to not only educate but also train employees on the policies and procedures in place. For example, don’t rely on annual training videos that state and re-state obvious information. Cybersecurity should be a priority for your organization. To demonstrate this to employees, you must do more than “check the box” regarding security training. Leverage real-life examples, games, and good old-fashioned storytelling customized to your organization, or even individual departments. You need to capture the attention and interest of your employees so they understand cybersecurity is an individual responsibility. Make helpful materials and resources easily accessible and ensure everyone on your team knows who to contact if they have questions or concerns.
2: Explain the “why” behind your policies and controls
Organizations often put controls in place but don’t take the time to let their employees know the controls exist or why they exist. If you want to build a culture of security advocates, bring them into the fold, articulate your reasoning, accept feedback, and showcase your security best practices. Certainly, this level of open communication instills trust. Employees should never feel shy about reaching out if they have questions or concerns but rather feel like they are part of a team on the lookout for a potential incident, unusual activity, or breach. Encouraging communication and participation between colleagues and departments will ensure your assets are protected daily.
3: Know where your assets live and who is responsible for them
Every asset within your organization, from laptops and mobile devices to wireless printers and unused apps, can present a potential vulnerability. Therefore, every member of your organization must understand the risks and best practices required to handle data, devices, and systems securely. A great first step is to develop a map of your key data and technology assets. Identify the data types that you collect, process, and share. You’ll also need to account for the systems and physical assets within your organization. After creating an asset map, ask who is responsible for the data and technology and who safeguards it. What’s required to protect it? The answers may surprise you.
4: Consider a company-wide risk assessment
Building out a risk profile is often something SMBs put off in favor of “high priority” activities. It’s a little like buying life insurance. No one wants to think about it, but it’s best to be prepared for the worst-case scenario. Understanding your risk profile is a critical factor in the effort to safeguard your organization. A comprehensive risk assessment will provide a better understanding of your organization’s specific threats and vulnerabilities. After all, it’s challenging to protect your business from threats you don’t know exist. Once you identify your vulnerabilities – like unpatched systems or phishing attempts – you can address your weak points. Most importantly, evaluating risk on a regular basis keeps you aware of evolving threats and ensures security remains a company-wide initiative.
Battling Cyberthreats Together
Small businesses are the number one target for hackers because they are perceived as underprepared and ill-informed. After all, the industry narrative has long been that your team is your greatest vulnerability. According to the 2024 Verizon Data Breach Report, human error causes 68% of breaches. That said, the reality is far more nuanced, which Verizon acknowledged by excluding malicious privilege misuse from that statistic.
To keep your organization out of harm’s way, focus on building security into the very DNA of your operations. Don’t leave all of the work up to your IT team. Instead of keeping security in a silo, empower your entire organization with knowledge. Leverage employees as your first line of defense against cyber threats. It’s time to use your entire team as your company’s greatest asset in preventing cyber attacks.