Cyber security is among the most misunderstood and under-appreciated risks to smaller businesses today. Leaders think, “Why would they attack us when Sony and Target are so ripe for the plucking!” But did you know that in 2013 the US government notified 3,000 companies of all sizes that they had been hacked, and Verizon found that when hacked companies are notified, about 70% aren’t even aware they have an intruder? That’s pretty scary stuff. Fortune Magazine recently found that cyber security is the second largest challenge facing Fortune 500 CEOs (behind only the rapid pace of technological change), and Symantec reported that targeted attacks against large companies grew by 40% last year alone.
The tools used to gain access to your digital world are becoming ever more sophisticated, and the cost of acquiring them is dropping fast. The criminals are dumb but their tools are smart, and the prices that security experts charge to protect your business are often prohibitive, so many small businesses don’t use them.
Running a small business, it is easy to be dismissive of these issues (what do we have that they’d want?) until you realize that access to larger corporations can be gained through their suppliers, partners, and customers. In 2014, a major oil company’s systems were hacked when the attacker inserted malware into the online menu of a Chinese restaurant the employees frequented. The Target credit card breach came in through its HVAC system. The Internet of Things (where items like your refrigerator and air conditioner are linked to the internet) and BYOD (Bring Your Own Device, where staff can bring their own laptop, tablet, or smart phone) are conspiring to further weaken your company’s cyber security.
Most IT security systems are built around stopping attackers at the door with a firewall. They work on the allow/deny assumption that everyone can be kept out. But let one attacker slip past and there is very little fortification on the inside. In fact, in the US sample, once an attacker was in it took an average of 8 months for them to be found. Yikes! In that amount of time a hacker can easily get your banking information, your client lists, your contracts and more.
As the President of your company, your role is not necessarily to be an expert in cyber security. Instead, your role is to ask insightful questions that will identify what risks are in play and develop an action plan to mitigate them. Some questions to consider for your next management meeting:
- Have we trained our staff in the basics of cyber security?
- Do we have an incident response plan in place, and have we tested it?
- Are we conducting periodic cyber security reviews?
- Does our insurance adequately cover data breach risk?
70% of attacks involve phishing, a fraudulent attempt to steal information. When a criminal sends an email that looks like it is from a credible source and contains a series of instructions to be followed or links to be clicked, that’s phishing. We’re wise (for the most part) to the Nigerian Prince scam, but what would happen if one of your staff received an email from your email address asking them to click on a link? It wouldn’t be a stretch to expect that at least one of your managers would click on that link, allowing the criminal to install a tiny piece of malware on that manager’s system, which is linked to all of your other systems… and maybe even your clients.
The first line of defense is basic cyber-crime education for your staff. In the same way you have a response plan for health and safety incidents, workplace bullying, theft, and natural disaster recovery, you need a response plan for cyber security. For more information on this topic, the National Association of Corporate Directors (NACD) has published a free guide with excellent information on managing risk. Click if you dare…