I’m the queen of analogies. When discussing technology in the workplace, I have to use analogies for my own mind, if nothing more. As a 19-year-plus veteran in the I.T. industry, I know not everyone wants to hear their business’s technology explained from an engineering point of view. You know, the ol’ “bits, bytes, and blinking lights” terminology.
Maybe you can relate: I’m a mother, a wife, a friend, a volunteer. I pay the bills at home, I make sure the house is clean. I take care of three dogs and nine chickens (yes, I said chickens—in Little Rock, Ark., city limits, no less). I shop, I decorate, I do all sorts of things, and oh—by the way—I help business leaders with their advanced technology strategies.
So, simplification by the use of analogies is just one strategy I use, and I have found it also helps my clients picture what it is they need to know. Even the more technically inclined clients.
As I write this blog, I am just returning from a Cyber Security / Cyber Crime luncheon my company, NetGain Technologies, sponsored along with BAE Systems at a yummy restaurant called Samantha’s Tap Room in Little Rock.
Little Rock, Ark. (population 197,000), by many standards is a “small town.” (I’ll admit, though, I always consider Little Rock a “big city,” as its metropolitan area has 730,000 residents.)
I have many clients who operate in other lovely areas of our state: Hot Springs (population 35,000), Russellville (population 29,000), Searcy (population 24,000), and Stuttgart (population 9,000). Now—there are some small towns for you. Everyone knows everyone, families have lived there for years and years, and there is a lot of trust among the respective citizens.
Cyber crime has arrived in “small town” America—SMBs beware!
Here’s where I’m going with this. While much of the charm still exists within small towns—Friday night football games, church potlucks, county fairs—they are no longer immune to a newer form of crime that has reared its ugly head: Cyber crime. Cyber criminals don’t discriminate and, in fact, we the technology professionals are seeing more and more instances of crime targeted at the “small town” manufacturer, bank, health care facility, (or insert any other small to medium business here).
Why do cyber criminals target “small town” businesses?
Well, frankly, small towns don’t invest in some other security features the larger cities do. You don’t typically see homes in small towns with bars on their windows. In fact, you may even see them with windows raised and doors open so a nice breeze will flow through. The same analogy is true for small town businesses compared to, well, insert your favorite “Fortune 500” company here. Folks, the times are a-changing.
According to the Small Business at a Glance review on Entrepreneur.com, small-to-medium sized businesses (SMBs) are those employing 1,000 or fewer staff. The SMB group represents more than 99% of all employers—meaning there are 99 SMBs to every one “enterprise” company in America. If we’re playing the odds here, a “small town” business getting compromised is a pretty solid bet. As “they” say, it’s not a matter of if, it’s a matter of when.
So, what do you do?
First—make sure you DO SOMETHING! Don’t think, “it won’t happen to me”. That’s a bad move. Just as “anything worth doing is worth doing right” (my beloved Daddy gets the credit for this), securing your information is no different. And oh, by the way, it’s not just your information. Many businesses hold vital, sensitive information of other individuals. Talk about feeling bad—it’s one thing if you are okay taking a risk with your resources. It’s not cool to “gamble with other people’s money” (another analogy—yep).
In plumbing and in data, leaks are never good
Where to begin? You have options. You could opt to “do your own plumbing,” but wait, you’re not a “plumber.” And even if you are a “plumber,” are you prepared to sit around and “watch for leaks” to happen? Or will you just wait on a “leak” to occur, then pull out the “mop and bucket,” or, worse, “redo the entire sheet rock in your house”? NO! My suggestion would be to “hire a professional” to help you with this endeavor.
But wait, professionals are expensive, aren’t they?
Expense is relative to exposure. How much exposure can you afford? Hmmm… there are probably some guidelines to work with here. Let’s put on our statistics hats.
Going back to the “small town”/“house” analogy, a typical rule of thumb when buying a house is to spend 3 to 4 times your annual income. Let’s go with the low end since those from a “small town” may be a bit more frugal than some of the “big city” spenders. This means, if you make $50K a year, you shouldn’t buy a house costing more than $150K.
Okay—that’s that, my “buying a house” demonstration. Let’s now put this into the I.T. (information technology) rule of thumb.
On average, small businesses spend approximately 6.9% of their annual revenue on I.T. The associated article in Tech Target Search CIO states, “[Small] companies that invest the most in I.T. aren’t always the best performers.” We’re a little more sensitive, so let’s cut this percentage in half (3.45%). For example, if your organization has $15 million in revenue annually, you (on the frugal side) should be spending ~$518K annually on I.T. Of that annual I.T. budget, CIO.com says you should be spending 11 to 15% on defending your data environment against breaches. This is roughly $67K annually to protect yourself against the bad guys.
The stranger sleeping in your house
Where does a CEO begin in his or her company’s defense strategy? Chances are, there may already be a “stranger sleeping in your house” unbeknownst to you. On average, a breach into your environment goes undetected for 146 days. Just think, you’ve had a “house guest” you didn’t know about for 21 weeks. That’s where all the toilet paper went—because you attempted to do your own “plumbing”!
- Step #1, talk to a professional, someone who knows about data security. (NetGain Technologies has an outstanding team 100% devoted to this very topic. Check out our Security Alerts, or learn about the enhanced security upgrade available to our managed I.T. services clients.)
- Step #2, get a security assessment. You need to know where you are before you can determine where you need to go.
- Step #3, review the risk associated with all the various findings of the assessment. You may be willing to assume some risks. “Rome wasn’t built in a day” is the old saying, and data security is all about layers. It takes many layers to ward off the enemy—as with a house, you have your doors, locks, screen doors, windows, screens, brick or wood exterior, dogs, fences, and other layers of protection. Prioritize the most critical gaps and plan for addressing the others in a phased approach if needed.
- Step #4, remediate the priorities now.
- Step #5, mind the “house,” meaning, if your budget allows, get someone to guard your intellectual information. Service Organization Controls (SOC) within a network operations center (NOC) are designed to have 24X7 live monitoring of your “house.” Make sure you know the service level agreement (SLA) associated with your provider’s contract—at NetGain Technologies, it’s a 10-minute response time. It’s empowering to know someone “has your back.” It will give you peace of mind to go and do what you do best—not “plumbing.”
- Step #6, “wash/rinse/repeat.” Security is not something you can “fix” and have it remain good for 20 years like a “shingled house.” At minimum, you should assess your network infrastructure annually (and industry best practices are leaning more toward every quarter).
Know this: There are no guarantees when it comes to cyber security. If someone wants in your “house” badly enough, they will get in. The key is to make it harder for them. I am going to leave you with six words.
LAYER, LAYER, LAYER, REVISIT, REVISIT, REVISIT!