Cybersecurity Responsibilities for SMBs

Cybersecurity is a topic that many small and most medium-sized businesses care about due to all of the news stories about data breaches, identity theft, and ransomware that have appeared in the last several years.  Some small and medium-sized businesses have realized that having a strong cybersecurity program can be a strategic asset for their particular market niche.  It can be a way of attracting additional customers or a powerful way to distinguish the company from its competitors.

Unfortunately, few small and medium-sized businesses have that attitude when it comes to cybersecurity.  Too many companies still view cybersecurity as a distraction that takes away resources from other important priorities. They choose to do the minimum required by regulatory requirements or even customer demands.

Many small and medium-sized businesses with an Internet presence must comply with not only state and federal laws and regulations, but also European Union laws and regulations, or even other national laws.

The most common cybersecurity responsibilities that small and medium-sized business are responsible for include:

  • Protecting customer’s personally identifiable information in accordance with state and national laws
  • Protecting customer’s credit card information in conformance with the Payment Card Industry’s Data Security Standard (PCI-DSS) as well as state and national laws
  • Protecting customer’s protected health information (pHI) in accordance with the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)
  • Conformance with the European Union’s Data Protection Regulation
  • Conforming with any industry specific laws and regulations

Viewing compliance conformance as a check box rather than a culture or a strategic asset rarely results in a good cybersecurity program, as Sony demonstrated in 2015.

There are a number of security frameworks that companies can use to help them meet their responsibilities.  PCI-DSS is very proscriptive in some areas, while most regulations and laws place more responsibility on each company to make its own decisions about how to maintain a secure environment.

Whichever path to cybersecurity a business takes, there are some common areas that should be addressed.  These include:

  • Day to day IT operational practices including applying security updates, managing systems, managing network traffic, encrypting sensitive data, logging, monitoring, and ensuring technical IT controls are in place and update to date
  • Risk management, to ensure that the company is prioritizing risk remediation and tracking the risks over time
  • Compliance and due diligence, which includes ensuring that relevant laws and regulations are being followed, providing information to customers that are performing due diligence, and performing due diligence to ensure the company’s vendors and suppliers are meeting their security obligations
  • Security awareness training for all employees

How these tasks are organized, or who in a company is responsible for each task can vary widely.  For example in some companies all of these areas may fall under Information Technology.  In other organizations these may be split between IT  and Finance.  In still others the responsibilities may be split between Finance, Legal, and IT.  Some organizations have a dedicated Chief Security Officer and a separate Chief Information Officer.  In organizations dealing with protected health records, it is not uncommon to see separate Security Officers and Privacy Officers.  And of course, in very small businesses, a single person may be wearing all of the hats which makes segregation of duties a very difficult goal to achieve.

In the most secure organizations, cybersecurity is part of the culture. Every executive, manager, and supervisor understands its importance, is engaged in securing the environment, and understands the risk that an insecure environment poses to the future of the company.