You have most likely seen the news recently of companies having sensitive internal and consumer information stolen by hackers.
Target, Home Depot, Uber, and the unprecedented breach of Equifax, are among the higher profile companies that have been breached.
Many small business owners read these types of headlines and say to themselves: “It couldn’t happen to me. My business is too small to be targeted.”
These business owners need to reconsider the premise of their defense. It’s not that smaller businesses aren’t victims of cybercrime; it’s that smaller businesses may not necessarily make the headlines. All companies that demonstrate data security vulnerabilities are being targeted, regardless of size. One thing is certain: If there is sensitive data to be stolen, and an organization has vulnerabilities in its security posture, cybercriminals are interested.
Simply put, companies are being targeted by hackers for two main reasons:
- All companies retain highly sensitive data, including the personally identifying data of both employees and consumers.
- Some companies fail to put adequate safeguards and protections in place to help counteract the threat of a cyber event.
While some companies try to strengthen their security posture and still become victims,
I would opine that the primary culprit of poor security measures can be blamed on a pervasive attitude of: “This couldn’t happen to me. Hackers don’t want my data anyway”. When an organization possesses this mindset with respect to cybersecurity, it is likely that their response and remediation efforts will be lacking.
Mitigate risks with independent assessments and diligence
Small business owners especially may rationalize this complacency by pointing to budgetary constraints.
In a May 27, 2015 article written for PropertyCasualty360.com, author Rosalie L. Donlon points out that attacks on small to mid-sized businesses accounted for 62 percent of all cyberattacks in the U.S. In fact, cyber security professionals often state that it is not a matter of “if” a company will be targeted by hackers, but a matter of “when.”
It is understandable that a small business would be concerned with its budget, but it’s important to make the value and necessity of cyber security a priority. Simply stated, a small business cannot afford to not make cybersecurity a part of its budget. Given the catastrophic consequences of a potential breach, both reputational and financial, what should smaller businesses be doing to shore up their data protection strategies?
First, smaller companies should understand that hackers are constantly probing for weaknesses to target vulnerable databases,
regardless of the size or profile of an organization. As stated earlier, cybercriminals aren’t picky. If there is sensitive data to be stolen, and it’s easy to get to, a cybercriminal will target the source.
Upon recognizing that all organizations are in the crosshairs of hackers, the second step for smaller companies is to obtain an independent, unbiased assessment of their security posture.
A preliminary assessment serves as a basis for ongoing assessments. It should be noted that a security assessment is not a singular “set it and forget it” type of procedure. It is recommended that security assessments be conducted on a regular, quarterly basis by a third-party vendor who takes both a proactive and reactive approach to security.
Namely, the most complete security assessments are aimed at safeguarding an organization in addition to providing remediation and incident response protocols in the event of a cybercrime or breach. Both internal and external security testing is often conducted by the assessor to obtain the most accurate assessment of an organization’s security.
Third, having completed a baseline security assessment aimed at identifying vulnerabilities in an organization’s security infrastructure and protocols, smaller companies can determine whether increased security measures are necessary and to what extent.
These determinations are made in conjunction with the security assessor and often include remediating existing issues, establishing or improving upon current remediation strategies and setting guidelines for ongoing security assessments.
Cost of protecting likely less than cost of repairing
Security assessments and the associated costs for improvement are costly to small businesses. However, it must be reiterated that the cost to an organization, both financial and reputational, in the event of a data breach or cybercrime event far exceed the costs of diligence and preparation. In this age of technology, small businesses cannot bet against the likelihood of becoming a victim. Training, education, and security assessments are crucial, especially in overcoming the “this can’t happen to me” attitude.
Fourth, although smaller companies do not typically have the resources to address the consequences of a breach directly, they can consult with cyber professionals who have the experience and the knowledge to deal with these events.
It is advisable for smaller companies to familiarize themselves with a cybersecurity firm whom they trust. Having that firm on “speed dial” in the event of a data breach helps in immediately responding to and remediating an event. Immediate mitigation efforts in the wake of a data breach can often determine whether a company survives or succumbs to the event. Having an experienced and competent cybersecurity firm which has familiarity with the smaller company can help to ensure its survival in the event of a breach.
Unfortunately, there are no silver bullets when it comes to cybersecurity and data protection.
Typically, the best a company can achieve with respect to database security is to become a “hard target” when it comes to would be hackers. Hackers do not want to spend an inordinate amount of time attempting to breach a company’s cyber defenses.
A small business’ best defense is to establish a culture of security within its organization. Investing in security assessments, in addition to proactive and reactive defense measures, is critical in today’s world. Adapting to technology also means adapting to the potential risks and mitigating those risks.
Regardless of size, the inherent dangers of technology exist for everyone.
