In a recent article an FBI cybercrime official was quoted saying: “there are two categories of people: those who have been hacked and those who are going to be hacked.” Essentially it’s not a matter of if, but when.
As a business owner, it’s up to you to decide how much exposure you are willing to tolerate, and what practices you will implement in your organization to be a harder target to reach.
Unfortunately, many executives tell themselves excuses to avoid a proper cybersecurity talk. Are you one of them?
1. I’m not Target or Sony. Why would my company be targeted?
It is painful to hear small business and nonprofit executives talk about the subject as something foreign that only happens to banks and big corporations. “My company is small, why would cybercriminals be interested in me?” The answer is in the question itself!
As a rule, small organizations have less robust cybersecurity defenses than big corporations, making them much easier and less expensive to breach. Did you know 44% of US SMBs have been struck by cyberattacks and 70% of data breaches target companies with fewer than 100 employees?
Make no mistake; every business has potentially valuable information, including sensitive client or financial data, intellectual property, or simply the keys to a larger business, as in the Target breach.
2. We have anti-virus/malware software and firewalls, isn’t that enough?
Unfortunately, this could not be farther from the truth. According to OpenDNS, anti-virus and firewalls alone stop only 30-50% of attacks, leaving the door wide open to breaches. These traditional tools are still effective, but you should see them as reactive/damage control tools rather than as your whole defense system. Their effectiveness depends entirely on staying up to date with definitions for malware that has already been discovered.
With workers coming in and out of the office, bringing their own laptops and mobile devices to work, and using web applications and heavily browsing the Internet, attacks can come from a wider number of places, like email phishing, malicious advertising on a website, or unpatched business systems.
In order to address risk more effectively, you should have tools that cover the whole infection process: preventing, containing and monitoring threats.
3. It’s an IT problem, not a business matter
Cybersecurity must be reframed as a business risk and it’s an executive’s responsibility to incorporate cyber-risks within an overall risk management strategy. It might sound obvious, but when a business is forced to close its doors after a cyberattack, you can hardly call cybersecurity an IT problem.
The cost of clean-up and recovering data, lost productivity and downtime, not to mention a tarnished reputation and potential legal actions can be devastating for a business. In fact, the avg. cost per attack for SMBs is $20,700 while it is estimated that 60% of SMBs will close within 6 months of a cyberattack.
An executive should actively engage in setting the tone within the organization, and with the expertise of the company’s IT team (or third-party IT services provider), determine risks and mitigation strategies.
4. My employees are too smart to fall for it
Trust is not a strategy. Human error and ignorance are the #1 vulnerability and no matter how robust your defenses are, crooks spend a great deal of time placing traps all over the Internet knowing that sooner or later, we’ll open the gates to the kingdom.
This doesn’t necessarily mean that employees are malicious; they are simply not careful enough when it comes to surfing the Internet and dealing with e-mails. It’s sobering to know that users open 50% of phishing e-mails and click on links within the first hour, making it very easy to enter a network and launch an attack.
Everyone in the organization requires regular training on what these traps look like, especially upper management. Otherwise, you are only as strong as the weakest link.
5. It’s too expensive. It doesn’t fit in my budget
It would be great if we could all afford the same cybersecurity tools as Google, Amazon or American Express, but there’s good news! Small organizations can implement enterprise-level protection on a budget, and you don’t have to reinvent the wheel.
There are bundles of tools already available in the market that can be installed on your systems and provide the protection and monitoring capabilities you need. Plus, since human error is our #1 vulnerability, the strongest protection will come from setting boundaries on how employees use the Internet, and from ongoing employee training.
Also remember that it’s key to combine these tools and training with business continuity/disaster recovery plans that allow your critical business functions to be up and running in the event of unforeseen disasters.
Remember that cybersecurity is a numbers game. We can’t be 100% protected, but the right combination of tools, processes and training can make it much harder for your business to be breached, and make criminals more likely to move on to the next, easier target.
If you have any further questions on how to develop a modern cyber-risk strategy for your firm, please contact us.