So, you started your own business. What next? Well, time to think about security.

As someone who has recently started their own business, the title of this article is one that I have seen in different formats in multiple courses, videos, webinars, etc. (I will just refer to them as courses moving forward) on what to do to get your business going. These courses talk about very important things when it comes to starting, funding, and running a business. A topic that is rarely covered (with a few exceptions) is how to properly protect and govern your business systems and client data. This omission has become more and more evident to me as I work with small businesses, especially when trying to help them navigate through a security incident. So, let’s see if I can add some information to the standard “start-up” process.

With few exceptions, a new business is going to require technology. Email, web sites, cloud storage, payment processing, etc. are all part of how we do business these days. There are very few businesses which are not reliant on these items. It is also a place that threat actors of all sizes and flavors know can be a point of entry. I have worked with clients who have had their entire environment compromised for months. The criminals just sat in the environment until they saw the best time to act. The bad guys just watched the emails go by while they waited for a big invoice to jump in on to get that financial fraud high.

In many of the incidents that I have worked on, the collaboration tools are simple, non-business-level tools that are being resold by a partner (Microsoft, Google, etc.). In talking with the victims, they were chosen almost entirely due to cost (other factors were familiarity and ease of use). The small business owner believed that because they were buying it through a third party, they were also getting security, especially when it is from a well-known or recognized brand. However, these same resellers made it very difficult to get access to logs, message traces, etc. without paying extra for that access, or, more often, without letting them handle any and all forensic investigation. Because of this, insurance claims (another topic here) became more and more complicated, as did proving/identifying initial access and attacker access across the environment. Worse, it made booting an attacker out of an environment very complicated, as you are often not dealing with the A-team.

Now how does this relate to small business courses? Well, in most of the courses I have reviewed, they talk about business plans, funding, go-to-market strategies, marketing, etc., but nothing about business tool selection. You are often left to your own devices to purchase software and hardware without understanding the inherent risks of utilizing “budget services” like the ones I described above. In fact, there is no conversation at all about these types of risks during most small business courses, but there should be. I am not saying that these courses need to be a deep dive into information and cybersecurity. I am saying that there should be a conversation about building or selecting a robust and resilient system (or systems) for your business needs. The wrong incident can end the dream of many a small business owner.

Another item of note is that many banks and other funding organizations (venture capital) are going to look very deeply into how you protect and manage your clients’ data as well as your own. Going in saying you are using a personal account for email and storage, or a third-party system with no evidence of security tools, is going to be a big hit on your chances to get additional funding for your business. The same is also true when you get into liability insurance (outside of simple errors and omissions). Cybersecurity liability insurance companies can and often do ask for proof of security measures in place before they issue a policy. Oddly enough, most small business courses talk about getting the right insurance, but not what you will need to actually get and maintain a policy (similar to the current coverage of funding in these courses). It is a bit of a glaring omission in an industry that claims to arm small business owners for success.

I am sure by now you are wondering if I actually have a solution to this problem or if I am just going to complain about it. Well, I do have something of a solution to this, but it is one that is not likely to be implemented any time soon. Business courses of all types should, at a minimum, discuss the connection between info/cybersecurity risk and business risk. Right now, the focus for business risk is solely on financial risk (profit and loss); there is little to no conversation on the significant negative financial impacts of a poor security posture. Adding this one small item can make a huge difference between success and litigation-caused failure.

In addition to this change to how business basics are taught, I believe that there should be some liability imposed on companies who sell a personal service to a business, and on those who cut costs by not offering proper security tools or access to forensic artifacts to the outside parties their clients may choose to utilize. This is in line with current efforts on “secure by design” as well, and should be part of any new laws/regulations covering these services. I believe it will make companies take a more vested interest in their clients’ data and security, but as I have said many, many times before, it is not going to be easy or done overnight.

For now, it means that small and new business owners are at a potential disadvantage while they are building and growing their business. They are, as we have seen, open to attack and not protected by obscurity in the same way they were before, simply because of the use of cloud services, which concentrate businesses into smaller target environments. Initial access and organization compromise in smaller organizations might not be the primary goal of an attacker, but if they can get in while testing new tools, or if they are part of a larger access dump, why not sit and wait to see if the investment pays off (as I have seen more than once)?

I know that this might sound like a terrible scenario and possibly over the top, but sadly, it really isn’t. It is a side effect of cheap cloud “business tools” which are attractive to businesses that do not have the budget to have their own IT/Security team, or even an MS(S)P. It is not the best place to be in as a small/new business owner, and the lack of awareness on this topic only adds to all of the other stresses which go along with it.

There is good news though. There are organizations out there who can help you find the right technology tools for you and won’t break the budget. The best ones are actually groups that do not sell any tools, as they have no incentive to steer you one way or the other. Instead, they are going to help you identify what works best for you and potentially configure it in the most secure manner possible given the toolset you can afford.
