Cyber security is not the first thing a small business thinks about. But all too often, it’s the last thing a small business thinks about.
Any business with any level of information technology needs cyber security. The business may not need much, but cyber security becomes essential as soon as a company relies on IT in such a way that an interruption to the IT hurts the company's revenue.
There are multiple good reasons why a business should invest in cyber security as soon as possible.
Why do Small Businesses Need Cyber Security?
Cyber security is fast becoming the differentiator between the quick and the dead. Companies (those with IT elements, anyway) with an appropriate minimal level of security will hold off attackers longer and recover better from attacks than companies with major cyber security inadequacies, or without any security at all.
Small businesses need cyber security because the nature of business on the internet has created new requirements for prolonged success. The primary impacts IT has had on business are data processing power, transmission, and storage, which together are a force multiplier unlike anything in history. Cyber security controls exist to ensure the processing, transmission, and storage of that data happen unimpeded.
Cyber security is to IT what adamantium is to Wolverine’s already potent abilities.
Cyber Security Compliance
Cyber compliance does not mean cyber security; however, it does mean a reduction in liability related to annual (or regular) compliance checks and post-breach fines. So even though cyber compliance is not cyber security, per se, it does have its place in an overall approach to risk and cyber security, and that means it deserves some discussion.
If your business is in a regulated industry (e.g. HIPAA or PCI) or deals with regulated data (e.g. GLBA or CIPA), then you are likely already aware of the compliance requirements regarding the protection of that information.
If you are looking into starting a business where the collection, transmission, storage, or use of data is a function of the business, it is imperative that industry and data compliance regulations are understood. Not understanding, implementing, and validating these compliance requirements can lead to significant fines, depending on the level of negligence the regulators deem was at play.
The Payment Card Industry Data Security Standard (PCI DSS) can impose fines ranging from $5,000 to $100,000 for every month the company is out of compliance.
HIPAA violations can range from $100 per violation to a minimum of $50,000 per violation, depending on an assigned category of negligence. For example, suppose a physician's office has an unauthorized information disclosure (say, a nurse who stores 100+ patient records in a car that is later stolen) and does not report the incident for 75 days, which is 15 days past the 60-day breach notification deadline. That is 100+ records (each a violation) multiplied by the 15-day exceedance (each day a violation), which equals roughly 1,500+ violations.
Again, compliance does not mean cyber security, but it does mean the company has implemented and documented certain controls to secure its data, and those controls have been validated to a degree required by the regulation.
In the end, compliance means (hopefully) the demonstration of good-faith attempts to secure that data, translating to a reduction in fines, if any fines are levied. And since, to a large degree, risk is measured in dollars, a reduction in financial liability because of compliance should be part of any business risk mitigation approach.
But again, one last time (in this article):
Is Everyone a Target for Hackers?
Attack automation makes every person, business, and toaster a target in the modern internet-connected world. So, in short, yes, everyone is a hacker’s target in the same way every bank is a target for bank robbers.
The key phrase in the above paragraph is attack automation. The ability of hackers to automate attacks means a hacker can sit back while his code crawls the internet finding businesses (your business) that have yet to patch an exploitable vulnerability, fix a misconfiguration, change a password, or resolve any one of multiple issues.
Most companies that get breached are not attacked because they were singled out as juicy targets. Instead, a hacker found an exploitable business during automated surveillance of the internet.
Once a hacker has identified and exploited some random target, they proceed to farm it for potential value:
- Money: Wire fraud, enough bank information to login and drain accounts, ransomware, etc.
- Data (to be sold in dark web marketplaces): passwords, credit card numbers, almost anything.
- Access: Sell access to the company network to other nefarious parties.
- Position: Use the newly gained position in another attack, or as part of a botnet.
A quick review of any public breach database shows that most of these companies are small businesses. A review of the bankruptcy data shows most small businesses (60%) shutter within six months of a breach.
These breaches place various amounts of financial pressure on the breached company:
- The hack: ransomware, wire transfers, bank accounts drained, etc.
- Recovery: Long stressful hours getting the hacker out, new equipment, security controls to prevent the same attack, consulting fees, etc.
- Liability: Legal fees, fines, customer refunds, etc.
The cost of cleanup (recovery and liability) amounts to 80% to 90% of the overall cost of a breach.
Cyber security reduces the chance of a breach, in particular from the opportunistic, drive-by breach of the automated variety.
Cyber Security as (is) Risk Management
Understanding and mitigating risks is part of running a business, even if it is done without any real analytical process or thought. Good cyber security is just another part of the business risk management (read: decision analysis) process.
Not knowing the cyber risk facing the business means informed decisions are not happening. It means sloppy tolerances, wasted money, and lethargy (or paranoia, but not for someone unsure if cyber security is needed).
The largest overall risks to any business are the events most likely to force the business to close its doors. This may seem obvious, even a tautology, but one of the largest risks to the ongoing success of a company often goes unnoticed: cyber risk.
In the previous section, it was pointed out that 60% of small businesses suffering a cyber-attack are out of business in 6 months. That number should turn any entrepreneur’s blood cold. Especially when there are so many other reasons (risks) for a business to fail: can’t win enough customers, inadequate leadership, poor money management, can’t raise capital, etc.
Adding cyber-attack may seem like “piling on,” but it’s another thing that must be managed.
Competitive Advantage
There is a tendency to see cyber security as a tax, a utility, or worse, a luxury. This attitude causes businesses to put off acquiring an appropriate level of cyber security (appropriate to the data’s value, and the IT infrastructure’s complexity).
With the chance of going out of business so high, and cyber-attacks a major reason, investing almost any amount gives the business a market advantage: not going out of business because of a cyber-attack.
Good cyber security, besides keeping the business around longer than the business without it, protects revenue-generating data, helps a company gain customer confidence, reduces some liability (noted in the compliance section), and provides a valuable differentiating point from competitors who don’t spend on security (unless the advertisements are false, in which case … more liability issues).
As with IT investments, cyber security still has the considerations of specificity and scale. The cyber security controls should fit the particular use case (no need for a SIEM with only one website and four computers), and the number of cyber security controls should increase as the company grows.
The spending goal to acquire this competitive advantage (as with most business endeavors) is the minimum amount of money to achieve the maximum result.