nesa-by-makers-IgUR1iX0mqM-unsplash

Cyber Security for Small Business

If you’re paying attention to cyber security in the news, most articles paint a grim picture of what can happen if a company is not prepared to defend against cyber threats.  The world faces a cyber security crisis with many organizations and people ill prepared to combat.  Cyber security for small business is more important than ever.

Honestly…for once the media is not sensationalizing a topic.  Cyber-crime is on the rise, and it seems there is no end in sight. 

Cyber security professionals are not alarmists. Conversely, the amount of threats facing organizations grows by the literal second.  Even the ways in which we protect ourselves change so often, it’s hard for any company to stay ahead of the hacker. 

Large corporations invest billions of dollars to protect their organizations from cyber intrusions. Not to mention these companies have the budgets and resources to make it increasingly difficult for a cyber-criminal to penetrate their organizations.  Or in the event of an incident they have cyber insurance or emergency funds, mitigating effects of a data breach. 

These investments are working to some degree; however, the amount of money lost each year to cyber-crime is still increasing.   

This is an issue worrying many cyber security experts.  Large corporations are making it more difficult for cyber-criminals to compromise their organizations. However, the target is shifting. 

The low hanging fruit is no longer the guy with the biggest sack of cash. Instead, it is the organization with the least amount of protection. Cyber criminals know cyber security for small business is usually weak. They exploit this situation, and can cause irreversible harm to these unprepared companies.

What businesses are being affected by cyber-crime? 

Every business. 

However, the effects of a cyber security incident on small to medium sized businesses (SMBs) can be catastrophic. 

Small businesses account for 42% of targeted cyber security attacks.  Each year more SMBs are finding themselves in dangerous situations. Furthermore, the fate of the company’s future might rely on paying a ransom to decrypt their systems.  Possibly, having to shut down operations completely and revert to backups due to malware. 

Small to medium sized businesses must begin budgeting and preparing for the growing possibility of a cyber-attack.  Furthermore, the idea that a company is too small or doesn’t have anything worth protecting is a myth. To start reversing the cyber security crisis we must begin thinking differently. 

How does a small business defend against getting hacked? 

Cyber security for small business is at its core a practice of prevention.  For SMBs (and any business for that matter) prevention starts with the people.  In fact, the experts agree. 

“Cyber-vigilant employees are your best protection against information security threats.” 

-Traci Spencer, NIST 

The reality is that in business, most cyber security compromises begin with an employee. Unintentionally (or intentionally) they do something which causes adverse effects on themselves or their organization, usually both.  Failure to prevent an information security compromise is often the result of employees lacking cyber security knowledge, skills and attitudes. 

The most effective way to defend your organization from cyber-criminal activity is creating good cyber security habits for your employees.  Specifically, by communicating the importance of a cyber vigilant workforce and providing resources for cyber security awareness and training, small businesses can prevent severe cyber security incidents. 

Yet cyber awareness and training is the most underfunded preventive defense activity. 

The solution is right under our nose. But why are companies struggling to effectively train their employees and increase cyber awareness throughout their organization? And why is cyber security for small business not prioritized?

Why do cyber security implementations fail? 

We can’t pin it all on one thing, but research indicates if cyber security objectives and strategy are not supported by top leadership, the strategy will fail.  Is this different from any other organization wide strategy implementation?  Yes and no. 

Let’s take for example a common strategy: streamline operations. 

We would hope that a cost saving strategy like streamlining operations would gain support or be led by leadership. It effects the bottom line, and makes them look good.  However, say for example poor planning or technology issues cause the strategy to not be executed effectively. And let’s say the strategy implementation fails. 

In this scenario we lose time and potentially increase expenses in additional consulting fees and implementation costs. However, at the end of the day our business can still operate… it just might not be super efficient.

If a cyber security awareness strategy fails, we have a more severe scenario. Let’s say 60% of the organization adopts this new preventive mindset. Great! But that company is 40% exposed to cyber threats relating to employee negligence… or stubbornness. 

If 40% of employees do not take cyber security seriously, the outcome could be catastrophic. In this case, we are more likely to be exposed to data breaches or interruption of business. In bad situations, ransomware or crypto lockers resulting in hefty expenses and potential for permanent loss of data. 

Let’s throw some regulatory fines on top of this and we’re looking at a figure which effects our bottom line. The likelihood of continuing business in a normal capacity after an incident like this is low. Indeed, the effects of a breach can be catastrophic to an organization’s bottom line and reputation.

A difference of severity.

The difference between not fully succeeding in a financially motivated or technology centric strategic initiative versus a cyber security awareness and training initiative comes down to the severity of the outcome. 

If we fail while executing a strategic initiative to ‘become agile’, the result is not favorable.

If ‘streamlining operations’ or a project to ‘optimize reporting’ fails, we go back to the drawing board and develop a new plan.

Conversely, if we fail in executing a cyber security awareness strategy, then we leave ourselves exposed to severe consequences of cyber-crime. We threaten the confidentiality, integrity, or accessibility of company assets. And potentially, damage the reputation of our organization to the point of no repair. 

Top leadership is the key in successfully convincing their organization that cyber security is a top priority. No consulting firm or information security professional can do it on their own. Successfully implementing sustainable cyber security strategies requires total support and commitment from top leadership.

How can LastLine Cyber help implement successful cyber security awareness? 

There are a few answers to this question. First, we help companies implement cyber security awareness strategies by forming close partnerships with top management. Guiding organization through careful planning and communication of their cyber security strategy, we find success. 

Next, we help build customized cyber security awareness programs which effectively engage every employee without causing “Security Fatigue”. 

Finally, approach emphasizes the importance of continuous improvement and learning versus an ‘everything at once’ push.  Our bite sized lessons and quizzes are specifically designed to not interrupt workflows, but instead provide consistent growth. 

The way we see things, complexity kills. Additionally, complex implementations will fail unless addressed by research, resources and guidance.  We focus on relating cyber security strategies directly to the mission and business objectives of our clients. We help executives give every person in their organization the knowledge, skills and attitudes required to defend against cyber security threats. 

Share this post

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.