The Three Common Small Business Approaches to Cybersecurity 

Growing up in East Tennessee, on roads that were once cow paths, I learned that there were lots of ways to get the same place. Sometimes, no way to get there at all. These old country roads that rounded down mountains, over hills and through the woods, provide a variety of ways to make it to Grandma’s house. In modern terms, Google maps loves to tell me there is about 3 to 4 options to get to where I am going, all about a minute apart. Approaches to how to design, secure, and support IT systems, networks, clouds services and such, follow the same logic. Granted, there are some basic rules that apply to keeping us on the pavement, but beyond those there are more opinions on “how” to do IT, then there are political opinions, of course that is just my opinion, ha! 

For this quick write up, I would like to reflect on three common responses to IT Cybersecurity, that I have seen over the years working with hundreds of small businesses. I am sharing this from a small business perspective, but the reality is there seeming to be a lot in common with medium and large enterprises as well. One more quick note, I am not here to say which approach is right or wrong… I will let you be the judge, but I am sure you will be able to see I do have a favorite.  

The Do-Nothing Approach 

Ok, how can this be a thing, you ask. Do nothing when it comes to small business Cybersecurity? That sounds just haphazardly, dangerous, and reckless.  

The reality is, there are lots of businesses that run this way. Most times, their data and IT needs represent a point in time, the longevity or life span of their data is small, and historically it holds no value. How does this work? Their chances of a breach, attack, or corruption is small. They are willing to play the odds. The loss of data is little to no impact on them doing their jobs; yes, this does reflect an ever-shrinking group of companies, but the group is there. The cost of recovery is so small that it over comes the cost of prevention. 

So, is this the wrong approach? Well, it doesn’t allow for growth and scale, as you have to be ok with just living in the moment, so to speak. This approach also does little to grow the trust of clients and thus repeat business, and it does not help your IT neighbor out much when you start spreading malware. It is still a valid approach, just not one that lends itself to allowing a business to steadily grow.  

Cover gets anti-virus software, do the backups, buy the insurance, and pray… a lot. 

This is by far the most common, and yes, the prayer thing has been encouraged by IT professionals more and more with daily news of hacks and breaches. This approach is the most common, because logically it makes the most sense. We are doing all of the basic stuff to keep us secure, and knowing that we cannot prevent everything, we are backing up our data and bracing for the worst with insurance. Praying the whole time that it does not sink the ship. It is also the most common, because it is very business owner driven or CEO-centric. In the small business world, the owner that wears all the hats, including CTO and CIO, can easily see the logic in this approach. This also becomes the approach of on staff IT staff, they too can wear many hats at times and love to be in control of all things IT. Getting basics done is a good approach, we did what we know how to do, and did more than the do-nothing guys, and embraced the rest. The Grand Canon size whole in this logic is that in the ever-growing landscape of Cybersecurity, can one person keep up with it all? And how does one know if they are spending the right amount on the right stuff? What happens is, most end up spending too little or too much and, in the end, we wind up like Janis Joplin, praying for that Mercedes-Bens. This however for small business IT is the stable approach.  

The Village  

My wife always says, “it takes a village to raise kids”, I could not agree more. I usually say that this as I look for a place to send them for the weekend! All joking aside, I do love my kids and I have learned there are some things that I cannot teach them well, or at all. Grammar and basic English skills being one of them ha! There are experts in fields, not just because they do a job well, but because they have experience to be the experts. Thus, there is a third approach, one that is quickly growing, as the holes in the logic of the first two grow bigger. Bringing in an expert to support the Cybersecurity needs of a small business IT environment, that expert with their experience in securing IT. This approach in of itself can look very different, Managed Threat Response services, Manage Service Provider to handle all aspects of IT including Cybersecurity, or a Managed Security Service Provider to just handle security to name a few. This approach does not necessarily mean not doing parts of the second approach, but it does mean that there is an expert driving the Cybersecurity narrative deciding what it looks like to do the basics and more. Does it cost more than the other two approaches; you ask? Heck ya, but knowing you have ability to scale, grow and support your business allows you to overcome that cost. Plus, it helps avoid wasted costs and wasted time.  

You decide the approach that works for you knowing the costs, as in all businesses we make decisions to operate them knowing the risks and costs to the best of our abilities. Coming from a Manage Service Provider perspective of course, I would lean on approach three… but that is up to you to decide.  

Cyber protection in the world of Small Business IT is not easy do not do it alone, and do not “do nothing”, and always have a good bottle of bourbon on hand just in case. I guess that is my way of praying these days. Good Luck! 

Rob Glass – CEO

Computer Systems Plus – A 37-year-old IT solutions provider, creating smart, stable, and secure IT ecosystems that successfully support the lives and business of our clients through education, quality solutions and dedicated loyal services.