My p@$$word
Why small business should be concerned about cybersecurity:
The daily attacks and what to do about them can be overwhelming. Fight, flight, or freeze. Oftentimes, due to the lack of resources and the basic need to just run the business, small businesses freeze. After all, cybersecurity falls into a cost center and is a distraction to the business. Focusing on and investing in the business’s profit centers is perceived as more strategic and more appealing. Business owners may also perceive that committing resources to the core business will simply outpace any unknown costs of guarding against and responding to cybersecurity attacks. Therefore, many just pay the price, get past it, and get back to work.
The current state and the real costs of cyber attacks:
Studies and surveys are presenting trends that cybersecurity attacks and data breaches on small and medium businesses are continuing to increase. These attacks are also becoming more powerful and more difficult to prevent. The Ponemon Institute’s report on the 2017 State of Cybersecurity in Small & Medium-Sized Businesses (SMB) revealed that 61% of SMB companies experienced a cyber-attack, up from 51% in 2016. A 2018 study from Cisco shows that 53% of mid-market companies have experienced a data breach. Of those who experienced a breach, 29% said those breaches cost upwards of $100,000, while 20% reported costs between $1,000,000 and $2,499,000.
This whitepaper is intended to bring some clarity on the landscape while offering approaches that small businesses can take to improve their security posture and their readiness in the event of an attack.
Megatrends:
The Ponemon Institute’s 2018 Study on Global Megatrends in Cybersecurity gives us a view into what the next three years will bring. This study was commissioned to focus on larger organizations, but what we have seen in the realm of cybersecurity at the enterprise level, we will soon see for small and medium businesses.
These are the results from that study:
- 82% predict data breaches through unsecured IoT devices. 80% predict that it could be catastrophic.
- 67% expect that cyber extortion, such as ransomware, and data breaches will continue to increase.
- 22% say cyber warfare from nation states against government and industry will be a high risk.
- Only 36% stated that cybersecurity is considered a strategic priority by senior leadership, with 68% reporting that their boards of directors are not being briefed on what is being done to prevent or mitigate attacks.
- 53% state that the lack of suitable technologies and the inability to hire and retain security staff will hold back improvements in security posture over the next three years.
With the continuing advance of disruptive technologies such as the Internet of Things (IoT) and Cloud Computing, it’s reasonable to treat what enterprise organizations have implemented over the last few years as a bellwether for what small and medium businesses are adopting in growing numbers today.
What large companies have:
The obvious difference between small and large business is the sheer amount of resources. Yet, in spite of these differences, both large and small businesses are facing challenges that are often equal in magnitude. The clear advantage in this case goes to the larger organization, with its ability to buffer the blow and weather the storm. The disparities in resources between enterprise organizations and SMBs can shed some light on what it will take to build a better framework and plan. It should also be understood that this lack of resources within SMB companies is the very reason that SMBs have become a more appealing target for cyber-attacks.
So, let’s examine what large companies have and what small businesses lack:
Security Staff and Chief Information Security Officers (CISO) – Enterprise organizations are able to hire IT security experts who dedicate their careers and their time to closely monitoring digital and electronic assets while preparing for the greater frequency of threats and for the more sophisticated threats that are coming next. In addition to implementing state-of-the-art technology, one of the greatest values a security staff brings is accelerated response and resolution time, helping to prevent an incident from becoming a costly breach.
Legal staff – Dedicated to protecting the organization, corporate attorneys can effectively counsel the organization on preparedness, negotiate more effective cyber insurance policies, and position the organization to respond in the event of an incident.
Quality and compliance officer – Maintaining policies and procedures, whether or not the organization is subject to the requirements of a regulated industry, provides standards that produce audited practices for systems and personnel to reduce risks.
Communications professionals – In the event of an incident or a breach, communications personnel are able to guide the organization in containing the event’s exposure in the public eye. Although studies and surveys are able to identify financial loss due to extortion, the financial loss due to lost business and reputation is difficult to calculate and, quite simply, can be more devastating. A 2017 Better Business Bureau report said that only 35% of small businesses could remain profitable for more than three months after a data breach.
Size – The size of the enterprise typically indicates multiple locations with a diverse network, including fail-over and recovery systems to contain the incident and restore enterprise operations with less damage and less downtime.
Money – Due to having access to greater reserves and credit limits, enterprise organizations are simply better positioned to weather the storm and sustain a loss.
What Small and Medium Business organizations have:
How can we leverage what small businesses have that many large companies may not? Two of small business’s greatest qualities are the ability to be nimble in adapting to changing conditions and the ability to operate with rather lean resources in order to grow profits. Keeping resources lean internally dictates the need to outsource to resources with the expertise and experience to effectively serve the business.
The good news is that overall, as an industry, we’re becoming more organized with standards and guidelines that small businesses can use to better prepare. One of these guidelines comes from the National Institute of Standards and Technology (NIST). On August 14, 2018, the federal government enacted the S.770 NIST Small Business Cybersecurity Act. In addition to requiring all federal agencies to implement this framework, it also sets up a standardized model and methodology that any organization can voluntarily adopt to be better prepared and more resilient in the event of an attack.
Built and improved over the last several years, at its core this framework breaks down into five sets of functions that an organization can use as its own framework.
Identify – Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.
Protect – Develop and implement appropriate safeguards to ensure delivery of critical services.
Detect – Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.
Respond – Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.
Recover – Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.
The full set of standards, guidelines, and best practices to manage cybersecurity-related risks with its functions, categories, subcategories, and informative references can be found at https://www.nist.gov/cyberframework
What Small and Medium Business organizations should do:
As is the case with most successful businesses, it goes back to having a solid team with a solid strategic plan. Our businesses operate and grow best from some form of a strategic plan. It should be approached no differently with cybersecurity.
Now comes the task of building the team:
Ironic as it may seem, the IT profession does not fall under any requirement for industry certification or government regulation. CPAs care for our financial assets and well-being. JDs care for our legal assets and well-being. PHRs care for our human assets and well-being. CPIAs care for insuring our business and staff. Data is the new currency: customer records, supplier records, accounting records, product data, and production data. Those who are responsible for the care, well-being, and security of these assets - this new currency - would certainly need the same level of fiduciary duty.
Getting started means starting with an assessment. Conducting an internal assessment is the best beginning. Next, go to those trusted relationships you have with your attorneys, your accounting firm, your insurance provider, and your IT firm. This is your team. Certainly, even large organizations outsource to supplement, complement, and audit their internal departments and processes. This internal assessment will provide your team the essentials to address and develop a more comprehensive plan. It may also give you insight as to whether your go-to team is the right team, with the proper capabilities and skill sets to match your needs for cybersecurity.
In conclusion
The numbers and trends speak for themselves. Cybercrime is real, it’s growing, and our resources to counter it are not keeping up. The best we can do is assess where we are today and, accordingly, plan and prepare so that we can properly identify risks, protect our companies and assets with safeguards, detect when events occur, respond promptly and appropriately, and in the end recover to restore our businesses back to normal.