In 2017, cyber security incidents and intrusions are expected to rise for small and medium-sized businesses. In 2016, cyber criminals doubled down on attacks such as ransomware and e-mail compromises because they are easy to execute and tend to be very successful. Unfortunately, smaller companies are the perfect target for these types of crippling attacks because their security is either lacking or non-existent. We recommend that every business start or maintain some type of cyber security program in order to stay protected against at least the simplest of attacks. This is a practice known as Minimum Viable Security (MVS).
Minimum Viable Security, Explained
You may be familiar with the concept of a Minimum Viable Product (MVP), which is the minimum amount of product development required to launch and prove the viability of an idea. MVPs protect businesses because they require less time and money than the full product, thereby containing the investment loss if the product fails. For example, a company focused on developing a mobile app may first only release it on one platform (Android OS, for example), and not choose to invest in an iPhone or Windows version until the demand for that app is proven.
Minimum Viable Security (MVS) builds on the same concept. Instead of investing in all aspects of security from the very start, we suggest that companies invest the minimum amount of time and effort to mitigate their most dangerous cyber security risks. This might include user access controls, malware protection, and basic encryption (initial steps will vary depending on your business’s risk environment). By mitigating the most dangerous risks, your business can be secured from the most common (and usually most dangerous) attacks. There’s a lot of low-hanging fruit that can be eliminated with only minimal investment.
After you achieve MVS, you can improve your security through small, iterative improvements. This helps you slowly build an effective program, avoid investing too much at once, and ensure that a large “all-at-once” security roll-out doesn’t add unwelcome side effects to your operations.
One of the best guides we recommend is the Federal Communications Commission’s (FCC) Cyber Security Planning Guide. It includes a list of initial steps to secure computer networks, systems, devices, and users. While the first few steps of the guide should be implemented in sequential order, most of the suggestions in the guide can be implemented at any time. You can prioritize implementation based on your business risks and needs.
It’s time to get a plan together for your business. If you need assistance understanding your risks and planning initial steps, contact us for more information.