This article was originally published on U.S. Chamber of Commerce on April 08, 2019.

If you could create your own fantasy Board of Directors, who would be on it? CO— connects you with thought leaders from across the business spectrum and asks them to help solve your biggest business challenges. In this edition, a CO— reader asks how to improve a business’s cybersecurity when expert help isn’t affordable.

Aviram Jenik, founder and CEO of network security company Beyond Security, answers…

The first, and arguably most important thing a small company can do is realize that improving security, no matter how small of an improvement, is a good thing.

It is a logical fallacy to think, “A determined hacker can get in anyway, so why bother with more IT security?” Security is a continuous process; so, instead, a small business should try and say, “How can I be more secure today than I was yesterday?” The goal shouldn’t be perfect security; it should be improved security.

Next, small businesses should realize that the security solutions market is large and quite competitive. There are security solutions at almost infinite quality levels and budgets; and, with some legwork, any small business should be able to find a solution that fits its budget.

You will probably want to start with things you are required to do, due to regulations or requirements by third parties:

  • Setting up perimeter defenses.
  • Performing regular security assessments or penetration tests.
  • Installing reasonable end-point protection.

All of these can be found at variable pricing points to fit almost any budget. Coupled with the first point above, it’s important to realize that if you can’t afford a product or service, your choice should not be to do nothing, but find an intermediate solution to marginally improve your security with the budget you have.

The goal shouldn’t be perfect security; it should be improved security.

Aviram Jenik, founder and CEO of Beyond Security

I’m regularly asked by businesses small and large — if they could only do one thing, what it is they should do. I invariably give the same answer I’ve been giving for over two decades as a security professional: If you aren’t already, you should be doing regular security checkups.

These go by many names: vulnerability scans, penetration tests, security assessments. But they all essentially mean the same thing: getting a clear and concise report about your network and internet-based assets, along with security issues they have and simple recommendations on how to fix them.

Getting an analysis of your security posture is probably what will get you the most bang for your buck and can help you plan the next steps. At a minimum, you’ll know which areas need improvement and which don’t, which can help you plan the next steps in the continuous security process.

CO— aims to bring you inspiration from leading respected experts. However, before making any business decision, you should consult a professional who can advise you based on your individual situation.

The Case for Enterprise-Grade Risk Based Vulnerability Management

Risk based vulnerability management is a must in today’s cybersecurity portfolio.  Get the guide, The Case for Enterprise-Grade, Risk-Based Vulnerability Management, and see if your company is doing enough.