Security Poverty Line: What It Is And What You Can Do About It

The state of cybersecurity for SMBs and municipalities is precarious. On the one hand, plenty are suffering cyber threats that are affecting their ability to conduct business. In a 2021 survey, nine in 10 SMBs that suffered a digital attack revealed that the incident had affected their business. This was followed by 48% that had shut down operations for at least a day, 41% that had lost money, and 26% that had still not fully recovered, reported Help Net Security.

On the other hand, few of these organizations have prioritized cybersecurity, believing incorrectly that digital attackers are inclined to go after enterprises or large targets only. The truth is threat actors behind today’s most common cybersecurity risks go after SMBs in nearly half (43%) of digital attacks, reported CNBC at the end of 2019 – not to mention small businesses may represent a conduit to a larger prize at the end of a complex supply chain. And of course, we all know what happened to 22 Texas cities in 2019.

What’s Behind This Weak Security Posture?

Part of this discrepancy can be explained by what’s known as the “Security Poverty Line.” Wendy Nather, head of advisory CISOs for Cisco, is responsible for having come up with the concept. Here’s her explaining it to BankInfoSecurity back in 2011:

There’s what I call the Security Poverty Line, where if you don’t have enough money, even for IT, obviously your security is going to suffer as well in a lot of different ways. You won’t have the expertise on-site that you need for ongoing investments in security. You can’t go out and buy everything.

Nather went on to note that the lack of a finish line compounds the Security Poverty Line. SMBs can’t know what they’re going to need ahead of time because security is a journey that’s continually evolving. New security requirements are always emerging, so SMBs will never be done—even if they happen to obtain an unlimited security budget.

How Can We Remove the Security Poverty Line for SMBs?

Gus Hunt, former chief technology officer of the Central Intelligence Agency, explained that the Security Poverty Line affects everyone because of the nature of our interconnected world.

“When everything is connected, you are always vulnerable to your weakest link,” he said, as quoted by the Center for Connected Medicine. “What we need is an approach that doesn’t just elevate the posture of the people with the wherewithal (to spend on cybersecurity), but we need an approach that’s going to elevate the posture of everybody.”

With that said, below are some ways that we can eliminate the Security Poverty Line for all.

Take Advantage of Community Groups That Share Ideas and Information

Smaller organizations don’t always have the expertise or resources to stay on top of the latest security threats. By joining a community group, SMBs can communicate with other organizations both within and outside of their sector to learn about new digital threats and emerging security technologies and approaches. They can then use what they’ve learned to tailor their security programs accordingly.

These types of groups come in many forms. Take the Texas Association of Governmental Information Technology Managers (TAGITM) as an example. According to its website, TAGITM is a not-for-profit that enables information systems professionals to share ideas, problems, and solutions. Not only do their members share information with each other, they treat their security vendors like partners, and give the vendors a seat at the table. Yes, there’s competition, but within TAGITM, it feels more like everyone is working on the same team. We should know – we’re privileged to count many TAGITM members as our customers.

It’s also important to highlight the Information Sharing and Analysis Centers (ISACs) that help critical infrastructure owners and operators defend against digital and physical threats. It does this by collecting threat intelligence and sharing it with its members, thus keeping them in the know. To join an ISAC in your sector, check out the National Council of ISACs.

Encourage SMBs To Use Industry Standards To Help Prioritize Security Measures

SMBs and other smaller organizations might not know where to start their cybersecurity program, so they might look to implement certain guidelines without taking care of fundamental security controls first. They also might elect to not implement anything out of the belief that they can’t secure themselves unless they take an all-or-nothing approach with a relevant framework.

Hence the need for security frameworks that help SMBs prioritize their security measures. Fortunately, there are guides that already do this. The Center for Internet Security’s Critical Security Controls (CIS Controls) use Implementation Groups (IGs) to help organizations prioritize how they approach those security measures. That scheme begins with the first implementation group, IG1, which consists of basic digital hygiene principles that all organizations can use to harden their security posture. We’ve written extensively about CIS Controls here.

Outsourcing Can Improve Security and Save Money

This might sound like a sales pitch, but it’s true. Managed security services provide security expertise, protection, and visibility for a fraction of the cost of an internal team, and make a lot of sense for cash-strapped SMBs. Outsourcing allows IT teams to spend their time driving revenue and adding efficiencies to their employer, instead of chasing a backlog of security events and false positives.

Learn how outsourcing to Sentinel can eliminate your organization’s Security Poverty Line.

Put Us In Your Corner.

We back you up with managed threat protection, visibility, and support, 24/7.