Maine Venture Fund is proud to be an investor in Defendify, a Portland-based technology company that provides a unique All-In-One Cybersecurity® solution to small and medium-sized businesses. Defendify was kind enough to provide this month’s guest blog (and some helpful tips!).

Defendify’s Rob Simopoulos Joined the U.S. Chamber of Commerce to Talk Cybersecurity

Cybersecurity is a concern of organizations of every size. Large organizations often have dedicated security teams to ensure their systems are protected. Small and midsize organizations must address the same regulatory and security challenges, but without the resources of their larger peers. When these organizations sell to or partner with large entities, they need to be prepared to meet the cybersecurity requirements of those organizations.

Rob Simopoulos, co-founder of the All-In-One Cybersecurity® solution Defendify, recently discussed the cybersecurity challenges of smaller organizations engaging with big businesses with CO Editor-in-Chief Jeanette Mulvey. CO is the U.S. Chamber of Commerce’s digital platform for small business and is dedicated to helping business owners across the U.S. start, run, and grow successful companies.

Watch the full webinar here (skip to 15 min. 20 sec. in to view Simopoulos).

Here are some key takeaways:

1. Big businesses are prioritizing supply chain security.

Working with large organizations means meeting their cybersecurity requirements. They are concerned about the ability of their vendors and partners to protect internal systems and sensitive information that may be shared with the vendor. A cyberattack can adversely impact a vendor’s ability to deliver goods and services. A breach can expose the organization’s sensitive data resulting in financial losses, regulatory penalties, and reputational damage.

Large organizations address this risk through cybersecurity questionnaires and assessments. These are a critical part of a vendor selection process and require new partners to disclose the cybersecurity controls they have in place.

2. Layered, comprehensive security is a requirement.

Most midsize organizations cover basic security requirements like network firewalls and antivirus solutions on computers and servers. A large business’s cybersecurity questionnaire will expect far more. Organizations looking to do business with big businesses need layers of security. In his conversation with CO, Simopoulos compares this to protecting a building. You would have locks on doors and windows, but you also should consider a burglar alarm should a thief bypass those controls. In cybersecurity, an equivalent layer would be a monitoring service to provide a warning (and ideally, containment) when it detects activities that indicate an attack is beginning. It would also include a plan for actions required by personnel in the event of an attack. Finally, training employees on cybersecurity can help act as a “human firewall” and prevent phishing and other social engineering attacks while improving an organization’s security posture.

3. Cyber insurance doesn’t guarantee protection.

Cyber liability insurance can provide some protection after a security incident. However, this market has changed as cyberattacks have become more common and more expensive. Coverage is not automatic. Insurers, like big businesses, require completion of questionnaires detailing what controls and policies are already in place. Just as inadequate security controls can disqualify an organization from being awarded a contract, they can also result in denied coverage or higher premiums.

4. Small to midsized organizations should make cybersecurity a part of general operations.

It is common for Defendify to see organizations where security is only a concern of the IT department. With IT resources stretched to keep systems running and users productive, cybersecurity falls by the wayside, which is problematic. Building a good security posture requires support from senior management, as leadership can make security a priority, support a long-term plan, and provide the resources to make improvements.

Three things a small to midsized business can do today:

Improving an organization’s security posture is a journey. Simopoulos recommends starting with a cybersecurity assessment by independent professionals. This includes questionnaires like those used by large organizations. Choose a standardized framework assessment questionnaire like NIST, the Center for Internet Security Critical Security Controls, or ISO 27001. The result is an understanding of an organization’s security strengths and weaknesses. An assessment provides a starting place for identifying steps required to meet the requirements of larger businesses.

Second, make sure you have the “burglar alarm” to provide early warning of an attack and train your employees on cybersecurity practices. This can prevent some attacks and minimize damage from others.

Finally, be prepared for attacks. Criminal hackers are aggressive and midsize businesses are attractive targets. The 2023 Verizon Data Breach Investigations Report found that organizations with fewer than 1,000 employees experienced over 67 percent more breaches than those with more than 1,000 employees. Have a plan detailing exact steps employees should take when an attack is detected, then practice it and update it as new employees join your organization.

Interested in taking the next step toward comprehensive cybersecurity? Learn more at defendify.com

About Maine Venture Fund

Maine Venture Fund invests in Maine businesses that have the highest potential for growth and impact. For more information, visit maineventurefund.com

Inquiries:
Terri Wark
Maine Venture Fund
(207) 305-0006
terri@maineventurefund.com
