Recently I’ve been talking to a lot of startups and small companies, and the cybersecurity awareness ranges from good citizen (oh, I want to do the right thing) to ostrich (oh, don’t slow me down).
Early stage businesses run like the Wild West - on free or basic SaaS subscriptions from Canva to Carta to Quickbooks, add some software to the cloud, and at some point, they outsource or appoint someone to "deal with" IT. Unless you’re weaving baskets to sell at the general store, digital assets are integral to the success of any business. So how can a small business get comfortable with the plethora of security guides, frameworks, and best practices as they apply to THEIR business? Is hiring a cybersecurity expert the only viable solution?
Current State
In 2023, 41% of small businesses were the victims of a cyber attack, yet small businesses, including startups, don't have cybersecurity expertise. Engaging a consultant is expensive, and some security service providers steer a company into a preset managed service package anyway.
I've had many small and medium businesses (SMBs) tell me that their insurer, or maybe a customer, gave them a cybersecurity checklist, driving a flurry of one-time activity into a spreadsheet. Occasionally, through this checklist, the COO might latch onto one angle - "we have encryption" or "we have started SOC 2" - so we're good, right?
Basic cyber hygiene and ongoing attack surface management are not a priority for an SMB. Yet an organization's attack surface is the strongest predictor of cyber incidents. Most don't track their supply chain either, making the impact of broad issues like Change Healthcare's ransomware-based outage, Log4j or SolarWinds hard to assess.
Security Has to Understand the Industry
A CISO recently told me that every industry he's been in thinks that it is a special snowflake, yet meeting security objectives requires the same jobs. He did admit that the key to success is in mapping these same cybersecurity jobs to that business's outcomes. Large enterprises have a team to interpret cybersecurity into their business. Small businesses do not have the cybersecurity expertise to make that translation, and have to trust external consultants when they decide to tackle cyber risk.
As an example, let's take one of the 16 critical infrastructure sectors that the Cybersecurity and Infrastructure Security Agency (CISA) has defined, Healthcare, which has many small businesses, from healthcare providers to pharma startups. The Change Healthcare ransomware attack affected cash flow at 80% of hospitals, and 74% of hospitals reported that it directly impacted patient care. Managing risk includes understanding which operations can continue when single-threaded points fail, especially when the thread is a third party or further down the supply chain. It's not practical for a service provider to get to know a small business that intimately.
[Figure: Essential Critical Infrastructure Sectors]
Enter Artificial Intelligence (AI)
AI is the new hammer for every nail, but it needs data to train it. AI-driven detection mechanisms have long been tested in enterprise IT settings because of the need to make sense of enormous amounts of data. However, it's unclear that the data needed to train large language models (LLMs) to guide small businesses, accounting for their specific outcomes, is reliably available.
[Figure: NIST Cybersecurity Framework 2.0]
Let's consider costs. The best data that I've seen on AI/LLM efficiency is Microsoft's large-scale training of Security Copilot, which claims Security Operations Center efficiency gains of up to 60% (Detect & Respond). Now, as of April 1, any size of business in some US regions can purchase Security Copilot at an hourly rate. At the baseline recommendation of three "Security Compute Units" at $4/hour, that's over $2000 for one week of Microsoft's Security AI. For a business making $1M annually, that's probably more than half their security budget.
We know that AI can be trained to help security analysts, but can it help non-IT experts? Beyond Detect in IT, training AI/LLMs to help a small business Identify, Protect and Govern sounds even harder to map. Where is the data to translate cybersecurity to the specific industry of a small business?
The Ultimate Cyber Assurance
Having sat on many customer incident response calls, I've noticed the caller typically starts with "I'm not sure if this is a breach" - and often it wasn't! The caller just needed backup, and some assurance that they weren't missing anything. With LLMs being probabilistic rather than deterministic, are we ready for AI/LLMs to back us up?
Training LLMs to make cybersecurity easier to understand might help, but they need a lot of data. Data specific to the last mile, representing the context of a specific business, is hard to come by. You can't automate for the "average" SMB.
In this ongoing cybersecurity saga, the showdown between AI and human expertise unfolds, with SMBs stuck navigating a complex landscape fraught with risks, hyperbole and return-on-investment (ROI) uncertainties. No wonder there are so many small businesses opting for "ostrich".
Left to fend for themselves in the digital frontier, small businesses will continue to be easy pickings. I predict that the number of small business victims will continue to increase until we have a solution that a small business owner can understand in the terms of their business.
Author Bio: Carolyn is committed to making cybersecurity easier for cleantech, where a lot of companies are SMBs. You can also find her hiking around her home state of Colorado, home to many cleantech wizards and warriors.