Getting Started: Building the Foundations of Cybersecurity for Small to Medium-Sized Businesses


Cybersecurity has become a significant concern for all businesses. Most businesses have at least attempted to put measures in place to secure their systems. Even so, small to medium-sized businesses or enterprises (SMEs) have shown less concern for cybersecurity than larger firms. By underestimating the probability of attack, SMEs put their infrastructure at even greater risk. The 2019 Cybercrime Report by Herjavec Group noted that almost half of all cyber-attacks are committed against these smaller businesses.

It is a no-brainer that SMEs need cybersecurity solutions urgently. The question isn’t whether their business could be attacked, but when the attack will happen. If SMEs could get advance notice of when an attack will occur they could plan around it, but of course no such notice comes: there is no way to know when the defenses will be needed, so they must already be in place. The current efforts of most SMEs to secure their networks and systems are not as effective and efficient as they should be, given how quickly attacks change. Cyber-attackers continually evolve their tactics, so effective defenses must be proactive regardless of the size of your business.

Why SMEs are at risk

SMEs process transactions that contain their customers’ data and transaction details. Moreover, most of these businesses have adopted technology to scale their operations and improve their efficiency. As data piles up on their servers, threat actors become more interested in infiltrating these systems to steal it. Many SME owners say, ‘I really don’t have much to attract cyber-attackers,’ but the attackers are lurking regardless. Even a small data breach could cost the company, its customers, or both heavily.

Smaller businesses are more exposed than their larger counterparts. Larger corporations rank cybersecurity high on their list of priorities. Small companies are apt to make minimal investments without considering the full scope of what they need. Such cost-cutting may be justifiable financially but can prove costly after a successful attack. Large corporations deploy redundant and diverse defensive systems, which makes their defenses resilient and dependable because another system can take over when one fails. SMEs, on the other hand, rarely have that redundancy and may find it difficult to recover from an attack.

Worse still, SMEs are often insufficiently prepared not only for a cybersecurity incident itself, but also for its consequences and impact on their business. As noted by the US Securities and Exchange Commission (SEC) in 2015, 60% of SMEs closed down within six months of a breach. SMEs are a preferred target because they are less braced for attacks than larger firms and are therefore an easy mark for threat actors. Also, 54% of small businesses think they are too small to be attacked, and a similar percentage have no plan for handling a cyber-incident. In 2016, the average cost of a data breach involving theft of assets at a small business added up to $879,582, with an additional $955,429 spent restoring normal business operations afterwards. The numbers have only grown since, and the statistics show how large the risks are for small businesses.

Curbing the Risks

One of the biggest mistakes small to medium-sized businesses make is to assume that their IT managed service provider (MSP), or some other third-party provider, is handling all of their cybersecurity needs: that having an IT MSP means they need not implement any practices internally to protect their information and enterprise value, and need not worry about security training. They may likewise see no need to test their systems independently for vulnerabilities to ensure, or at least validate, their protection against the most pernicious types of malware. Treating cybersecurity purely as a technology issue lets many business managers put their heads back in the sand instead of dealing with the deficiencies they should be addressing.

People, Process and Technology Approach

Despite the various resource constraints SMEs face, taking steps to put an efficient cybersecurity program in place is critical to the present and future growth of the business. Buying the most expensive technology does not guarantee the most secure solution; conversely, the cheapest solution may end up being costly for your business. For SMEs, a holistic approach covering people, process, and technology is vital. Because your systems are only as secure as their weakest link, a weakness in any of the three components opens your systems to attack.

As noted in my previous blog, this approach strives to strike a balance between cost and effectiveness to help each small business achieve its security goals. Each organization’s way of addressing the three pillars will vary depending on how mature its security program is. Despite their varied operations, there are steps every SME needs to take toward laying out its cybersecurity strategy. The following are strategies your SME can deploy to get started in building a solid cybersecurity framework:

1. Rightsizing Your Cybersecurity Solutions

There is no single universal standard for securing SMEs, and not every business needs to take the same steps to improve its security. To get started on an effective cybersecurity program, identify every operation that needs to be secured and select the best solution for each. This process has to be accurate, to avoid overspending on unnecessary solutions on the one hand or missing necessary ones on the other.

Undertaking such tasks can be hectic for an SME, so it is worth consulting a reliable cybersecurity solutions provider for help with rightsizing. Imprecise sizing may load your small business with more responsibility than it can handle, leading to unmotivated personnel and loss of support from other team members. Tasks are then left unfinished, opening more security holes for threat actors to exploit.

Build on and demonstrate your successes with Helical’s product modules to ensure the ongoing success of your cybersecurity program, starting with professional cybersecurity expertise to plan and size the program appropriately.

2. Educating Your Team

People are often the weakest link in an SME’s cybersecurity program. All employees must be equipped with basic cyber-hygiene practices and trained on best practices. Ensure that your team is trained on information security and its associated risks.

SMEs are also favorite targets for business email compromise (BEC) attacks, primarily through phishing. We provide phishing simulation exercises, which are powerful tools for showing your team how their actions can expose the company to significant security risk. Security training is vital. Helical has been a reliable provider of up-to-date training for SMEs and has contributed research into the most effective ways to deliver solutions that adapt to SMEs. This record has made our solutions well suited to SMEs looking to set up a solid cybersecurity framework, and many growing clients have returned for the other services we offer. Equipping employees with information-security skills and knowledge has a demonstrable impact on the security of your enterprise.

3. Protecting Your Systems

Technology must be deployed for the tasks of identifying, detecting, reporting, preventing, and recovering from incidents, and it must be applied continuously. Surprisingly, many SMEs do not run a program of continuous vulnerability scanning (also known as vulnerability assessment). This essential tool finds known weaknesses in computers, networks, and communications equipment, such as missing patches and insecure configurations, before threat actors discover them; it does not stop malware by itself, but closing those weaknesses removes the openings most malware relies on. Penetration testing differs from vulnerability scanning in that it is a controlled attempt to actually infiltrate your systems and databases. It is particularly effective where proprietary development or automated processes are involved, since the vulnerabilities there may not be publicly known yet and are therefore not caught by traditional vulnerability scanning.

Just as for the big corporations, vulnerability assessments alone are not enough. Integrating other solutions into a single monitoring and reporting system is an economical way for an SME to manage security comprehensively across all its systems. Such a tool allows unified management of intrusion detection and prevention, antivirus, web filtering, and incident monitoring and reporting.
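What makes vulnerability scanning a program rather than a one-off report is what happens between scans: each new run is compared with the last one, every open finding carries the date it first appeared, and anything older than the remediation deadline for its severity is escalated. The script below is an added example of that bookkeeping; it is not code from this post or from Helical. It assumes a hypothetical scanner export of (host, issue, CVSS score) rows and an assumed per-severity deadline policy, and the two sample scans are constructed for illustration.

```python
"""Turn one-off vulnerability scans into a continuous program.

Added example; it is not code from the original post or from Helical.  It
assumes a hypothetical scanner export of (host, issue, CVSS score) rows and a
remediation-deadline policy by severity; both are assumptions, and the sample
scans below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Days allowed to fix a finding, by severity band.  An assumed policy for the
# example, not a figure the post cites.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def severity(cvss: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity band."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


@dataclass(frozen=True)
class Finding:
    host: str
    issue: str
    cvss: float

    @property
    def key(self):
        # Identity of a finding across scans: the same weakness on the same host.
        return (self.host, self.issue)


def diff_scans(previous, current):
    """Classify findings as new, persisting or remediated between two scans."""
    prev = {f.key: f for f in previous}
    curr = {f.key: f for f in current}
    new = [curr[k] for k in sorted(curr.keys() - prev.keys())]
    persisting = [curr[k] for k in sorted(curr.keys() & prev.keys())]
    remediated = [prev[k] for k in sorted(prev.keys() - curr.keys())]
    return new, persisting, remediated


def track(scans):
    """Replay dated scans in order, recording when each open finding first appeared.

    Returns (first_seen, current_findings, last_diff).
    """
    first_seen = {}
    previous = []
    last_diff = ([], [], [])
    for scan_date, findings in scans:
        last_diff = diff_scans(previous, findings)
        new, _, remediated = last_diff
        for f in new:
            first_seen[f.key] = scan_date
        for f in remediated:
            first_seen.pop(f.key, None)  # closed: stop the SLA clock
        previous = findings
    return first_seen, previous, last_diff


def overdue(current, first_seen, today):
    """Open findings older than the SLA for their severity, worst first."""
    late = []
    for f in current:
        age = (today - first_seen[f.key]).days
        if age > SLA_DAYS[severity(f.cvss)]:
            late.append((f, age))
    return sorted(late, key=lambda item: (-item[0].cvss, -item[1]))


# Constructed sample: two scans a few weeks apart on a small office network.
SAMPLE_SCANS = [
    (date(2024, 3, 1), [
        Finding("web01", "Outdated TLS configuration", 5.3),
        Finding("fs01", "Missing OS security patches", 9.8),
        Finding("fs01", "SMBv1 enabled", 7.5),
    ]),
    (date(2024, 4, 10), [
        Finding("web01", "Outdated TLS configuration", 5.3),
        Finding("fs01", "SMBv1 enabled", 7.5),
        Finding("mail01", "Default admin credentials", 9.8),
    ]),
]


if __name__ == "__main__":
    first_seen, current, (new, persisting, remediated) = track(SAMPLE_SCANS)
    print("new:", [f.key for f in new])
    print("persisting:", [f.key for f in persisting])
    print("remediated:", [f.key for f in remediated])
    for f, age in overdue(current, first_seen, SAMPLE_SCANS[-1][0]):
        print(f"OVERDUE {severity(f.cvss)}: {f.host} {f.issue} ({age} days open)")
```

On the sample data the second scan shows one new critical finding (default credentials on mail01), one remediated finding (the missing patches on fs01), and one overdue high finding (SMBv1 on fs01, open for 40 days against a 30-day deadline). The overdue list, not the raw scan output, is what a manager should be looking at each month; a finding the scanner has been reporting since the first run is the clearest sign that the "continuous" part of the program is not working.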

4. Implementing the Right Processes

SMEs must develop seamless cybersecurity processes that let them routinely assess their strategy and the functioning of the framework they have set up. Getting the right processes starts with establishing processes for maintaining good cybersecurity practice within the organization; these protect your internal environment from avoidable weaknesses. The remaining processes cover identifying and reporting suspicious incidents, and response to and recovery from successful breaches.

This is where the cybersecurity risk assessment is particularly important: it is generally the first step an SME should take when contemplating comprehensive and cost-effective improvements to its security posture. SMEs need to ensure that the assessment is based on the industry practices relevant to their own security risk profile, so that the resulting solution works as intended. This can be done cost-effectively, for example through Helical’s risk assessment modules, which are tuned to the differing needs of SMEs and identify a right-sized, prioritized list of actionable steps to improve an SME’s cybersecurity program.


SMEs are a frequent target of business-related cyber-attacks, with phishing and drive-by downloads among the most common forms. Being resource-constrained, SMEs risk either failing to implement an effective and efficient cybersecurity solution or implementing an ineffective one. To get off on the right foot, SMEs must apply solutions that do not drain their limited resources while offering complete and simple protection for their infrastructure. They should also ensure that their programs keep up with current security standards, since cyber-attacks are continually evolving.

The first steps are to identify and prioritize gaps in internal processes and practices, to ensure that teams are trained on the cybersecurity risks to the SME, and to actively monitor and manage emerging system vulnerabilities.

That is not the end of the process, as cybersecurity requires a continuing cycle of identifying gaps, remediating them, testing the fixes, and starting all over again. Since you should never end up where you started, that cycle should be helical, not circular. Helical is there to make sure that it is!
