Cybersecurity is changing fast. Small business owners can either be agents of this change, or victims of it. As a founder and active consultant in an information security consultancy, I spend most of my time helping companies understand the current condition of their information security management, or cyberdefences, and the ways in which to improve these defences.
However, too many small and medium-sized enterprises seem to believe they won’t be the target of cyber-attacks because they’re too small. The recent global phishing activity report from the Anti-Phishing Working Group reveals that hackers are looking to exploit any kind of relationship between a consumer and an enterprise. Smaller firms present an easy target in their own right, and also a foothold from which to launch further attacks.
Information security is changing
The field of information security is changing rapidly, and incidents affecting companies big and small are reported in the press on an almost daily basis, so it is not surprising that companies across all sectors are considering issues surrounding the security of their information. What is surprising is that, in the main, businesses are only addressing cybersecurity as a result of outside pressure and often after a data breach has occurred. This is when companies find themselves involved in expensive and difficult post-hack mitigation.
We estimate that every pound spent upfront on security measures is worth ten pounds after a breach, when businesses can be faced with high emergency response rates and consultants onsite for longer than would previously have been necessary.
Consider this alongside the changing landscape in which all this takes place: a younger, increasingly tech-savvy workforce that poses a potential insider threat; cyber attacks increasingly dominated by organised crime, with a consequent order-of-magnitude increase in the level of threat; nation states appearing as actors in cyber attacks, often for economic reasons; and growing systems complexity that is ever harder to manage. The picture is not a pretty one. So why then are small businesses not taking control of their information security risk?
Managing the risk of cyber attacks
Well, many are, just not enough and not quickly enough, and the reasons seem to fall into one or more of the following categories:
1. Lack of executive commitment – the executive team is not aware or not interested. From experience, without strong executive backing, information security projects invariably fail.
2. Perceived cost – information security is expensive, so let’s not start.
3. It won’t happen here syndrome – we are too small, or not a big enough brand, or otherwise invisible to the various parties instigating cyber-attacks. In fact, there is evidence that attackers target smaller firms precisely because they present an easy target, and the motive may be as simple as using their resources to launch further attacks.
4. It’s an IT problem – companies see information security as an IT issue, and therefore the diagnosis and responses are technology focused.
A business problem
Information security is not an IT problem, it is a business problem. It is therefore incumbent on the CEO to take the lead in driving effective information security practices and ensuring that the organisation is protected from cyber attack.
The question is how? How do you frame information security questions in a business context, and in a way that the business can respond to? The following steps should help:
1. Establish effective information security governance – without an effective governance structure, little else can be achieved. It need not be large, costly or unnecessarily bureaucratic, but certain roles should be included. There should be a security officer, either full or part time, who is tasked with working with the executive to ensure effective information security management in the organisation.
2. Classify data – start with the really critical stuff, and iterate. Ensure that everyone is clear on what your critical data actually is, and where it resides. In step 4, below, you will define what people are actually allowed to do with it. Don’t try to boil the ocean; start small and make this an ongoing task.
3. Undertake a risk assessment. Again, this need not be a massive undertaking; start with the most critical areas of the business and iterate. Ideally, it should be done to some recognised methodology, but anything that allows a shared view of risk will work.
4. Create a risk treatment plan that involves enacting controls to manage the identified risks. Note that this stage – applying controls – is where most people start, when actually it should only be done with an understanding of the risks as identified by the business. Controls will be people, process and technology based, not solely technology focused.
Effective information security is not out of the reach of small businesses. The key thing is that the business must lead this process, and it must be led from the top. If you don’t decide what you are going to do in this area, somebody else will.