Prior to joining Pivot Point, I worked for a couple of large financial institutions that employed over 200,000 people. Now working with SMB cyber security clients as well as bigger companies, I see firsthand how fundamentally similar the process for implementing cyber security can be, regardless of the size and shape of the client organization.
Cyber Security for SMBs, Large Corporations, and Everything in Between
The specific tactics and many of the technology choices for implementing or assessing an information security management system (ISMS) obviously vary widely between, say, a large government agency and a local healthcare provider. But the goals of an InfoSec program—the risk management strategizing process, the application of frameworks/models, the core best practices—are pretty similar whether you’re a 100-person law firm looking to get ISO 27001 certification, or a multinational trying to wrap its arms around doing a risk assessment for 10,000 people.
If anything, evolving technology trends like cloud computing and “as-a-Service” offerings have made SMB cyber security practices and implementations even more similar to enterprise tactics. These days, cloud-based “enterprise-like” security products and services are available to smaller firms with limited budgets.
A large segment of the threat landscape is also common to businesses across the board. Ransomware, phishing schemes and mobile malware attack vectors target every organization, regardless of its size and purpose. It’s increasingly recognized—and rightly so—that no company is “too small” to be safe from cyber threats. If anything, hackers preferentially target SMBs because they’re easy targets. But data loss prevention, the practice of keeping your confidential data from being lost, stolen or “leaked” beyond those authorized to access it, involves similar themes and challenges for everyone.
What often matters most in terms of specific large business or SMB cyber security approaches is not the size of a business, but the type of data it must protect, because this largely drives the particulars of security requirements and also largely shapes the risk profile. A small FinTech startup will probably have a pretty different risk profile from a small manufacturer, while sharing many risks and regulatory concerns with a major insurance company.
Aligning cyber security implementation efforts with solid plans for risk assessment and risk treatment combined with a robust security policy is the right path for any size business. Even with all the new technology out there, the most effective techniques and approaches for ensuring information security and compliance scale right up along with the size of the business.
To start a conversation on how to scale and scope a pragmatic, cost-effective ISMS for your organization, contact Pivot Point Security.
For more information:
- An interesting infographic from neweggbusiness.com based on a customer survey of how small and large companies compare across foundational aspects of security posture; e.g., log reviews and software patching
- A thought-provoking post by Bruce Schneier on security ROI
- Operational excellence in InfoSec—this is applicable to any size organization