In this article, we’re going to make some InfoSec Predictions For Small-Medium Businesses and we’re probably going to be way off.
We were having a a conversation with someone in our network where they said something along the lines of “Boy, it seems like cybersecurity is everywhere these days. It’s like you can’t do business without it!”
Their observation is correct. You see it constantly in the news, but things feel different, at least depending where you live and where your business operates. We’ve covered the Prospect Medical Holdings ransomware attack here (also here) where several hospitals across the country were held ransom and then the MGM ransomware event. Both impacted things at the local level.
Another thing that’s driving the “cybesecurity is everywhere” observation is States’ adoption of cybersecurity and data privacy laws, which we’ve written about here and here. Currently California, Virginia, Colorado, Connecticut, and Utah have their own data privacy laws. There are at least 7 more States that have their data privacy laws going into effect in the next two years. [Source: iaap.org]
Here is where the predictions start and perhaps where we get things wrong.
Doing business with other businesses
Due diligence of small to medium size businesses (SMB) will increase. Our guess is within 5 years, if a SMB wants to do business with another company, whether it’s forming a strategic partnership, providing valuable services, or that SMB needs access to another organizations resources, some sort of “audit” will be needed. What we mean by access to resources is, for example, a small retailer needs access to a supplier’s ordering system for inventory, or an IT service provider needs access to their client’s systems (on prem, cloud, or hybrid) to fix, maintain, monitor, or implement software/hardware.
This is already happening with those that are doing Federal government contracting or if you’re a sub-contractor. You’d then have to adhere to the DoD’s Cybersecurity Maturity Model Certification (CMMC), for instance. This is also happening to those that are considered business associates to healthcare providers, for example a business who provides medical billing software/services. These entities, while they aren’t healthcare providers, must abide by HIPAA.
State data privacy laws define what data controllers and data processors are. A data controller is an organization that is collecting and using personal data for a purpose. They are also responsible for responding to consumer requests about said collection of personal data. A data processor is a third party that processes personal data at the instruction of the data controller. For example, a payroll service provider would be a data processor for a business since they are using the organization’s employee data to send out their paychecks.
Depending on what your SMB does you might be considered a data processor to a client of yours and therefor need to show you have certain controls in place.
Getting insurance or bank loans
This prediction is based off a Reddit post comment, or two, regarding an employee trying to convince their small business employer on the importance of cybersecurity [Source: Reddit]
In the comments, someone brings up the fact that unless banks deny an SMB a loan or an insurance carrier denies them coverage/claims, nothing is going to change. Our prediction will be within 10 years you’re going to run into this. That you must show a financial institution you have the proper measures in place will force the behavior change. Some insurance (cyber liability) already requires that you fill out a lengthy questionnaire about what you have in place, but at some point this process might be required to just get a general business policy. With the ransomware attacks already costing organizations millions in losses this year and more damaging than ever in scope, banks and insurance companies are risk adverse and will tighten the screws to protect their interests.
If you’re an SMB, start preparing now. Incremental proactive steps over time can help with your security posture.
How Bsquared Intel helps
- External risk/threat assessments
- Guidance with cybersecurity frameworks
- Consulting
If you’re a small to medium sized business, contact us in the form below to request time for a free strategy call.
