Ask an executive at most small businesses about cybersecurity, and the rest of the conversation is predictable. The first question they’ll ask is, “Should we worry about being a target?” The answer is a resounding YES—but it’s really not the question business leaders need to be asking.
The more appropriate question is, “What is our risk?”
Cybersecurity threats don’t target businesses the way you probably think they do
You’ve seen today’s headlines. Cybersecurity threats have become a global issue. The types of attacks are expanding. But victims aren’t being targeted in the way most business executives think. Hackers deploy broad-based scans for inadequately prepared organizations. Most strikes are crimes of convenience: the prey is chosen not for who they are, but for how easily their systems can be penetrated.
Leaving a purse in the front seat of an unlocked car in the parking lot might not attract a seasoned bank robber. That doesn’t mean it’s not a tempting target for opportunistic individuals passing by.
Malware takes several paths to your network—many of them seemingly innocent
In today’s connected world, your network can be scanned frequently for vulnerabilities that have been publicized but not remediated.
Your employees can unknowingly visit websites that have been hijacked and download malware and spyware to their computers, which then spread the malicious software throughout your network.
An email from a business partner can include attachments or embedded links that, when opened, will also download malware. This can be ransomware that encrypts your data and makes you pay someone to unlock it for you. Or it can be hostile or intrusive programming used to take over one or more computers on your network to use as a “bot” or “zombie,” which the hacker can use to send out spam email, attack other computers, and conduct other automated tasks without your knowing it.
According to Homeland Security, businesses will face a host of cybersecurity threats, some with severe impacts that will require security measures that go beyond compliance. A 2011 Ponemon Institute study found the average cost of a data compromise in the U.S. was $194 per record. The study estimated the loss of customer business due to a cyber breach at $3 million.
5 steps to take when you recognize the cybersecurity threats to your business
- Assess Your Risk
Some organizations have a higher risk profile than others, but every organization benefits by regularly assessing its risk management position. A risk assessment is one of the key components of an annual security risk management plan. In other words, you want to know which risks have been identified and which security measures are missing.
- Implement Risk Management Process
Because risk management is ongoing, you should assess risks and vulnerabilities periodically within your environments. Establish appropriate policies and procedures, as well as appropriate security controls to address those risks and vulnerabilities in order to provide an effective risk management process.
- Integrate Risk Management within the Management Process
Cybersecurity is NOT simply implementing a checklist of IT requirements; rather it is a process of managing cyber risks to an acceptable level. Managing cybersecurity risk is part of effective risk management and business continuity frameworks.
- Monitor and Evaluate
Risk management is a lifecycle that requires ongoing monitoring and periodic reassessment. Your process must include updating security policies and controls as needed to maintain acceptable risk levels.
- Consider Outsourced Security Management Services
Given the challenges associated with evolving cybersecurity threats, most leaders of successful small businesses find that outsourcing at least some portion of the required process to professional IT security firms is worth consideration.