By Guy Higgins
With the massive data breach created by the recent hack into the sensitive records of the Federal Government’s Office of Personnel Management (OPM), cyber risks are receiving significant media attention. The question for small- and medium sized businesses is, “Am I vulnerable?”
In a word, yes. Small- and medium-sized businesses are right in the sweet spot for malicious hackers, and perhaps even more at risk for IT system “glitches” and “employee-caused” data breaches. These are three very different categories of problems:
- Cyber attacks – these are malicious attempts by some party to compromise the computer systems of an organization for their own gain. About half of all breaches are caused by cyber attacks (hacks).
- Computer system glitches – these are errors or vulnerabilities in computer systems (hardware and software) that can allow easy access to an organization’s files and systems. About a quarter of all breaches are the result of these “glitches.”
- Employee-caused problems – for purposes of the record, this category does not include malicious behavior. Another quarter of data breaches are the result of employee-caused problems. These include behaviors that can create system vulnerabilities or actual data loss:
  - Poor password discipline – using simple or easily guessed passwords for either hardware or software (the most common password for smart phones is 1-2-3-4), reusing passwords, or failing to use strong passwords (passwords that contain upper- and lower-case letters, numbers, and symbols).
  - Loss of computers, tablets or smart phones that then provide access to the organization’s IT network.
  - Undisciplined use of “Own Devices,” such as commingling personal and professional data or files, downloading apps that can access and compromise organizational IT defenses, and using public WiFi services.
The problem is a major one. In the U.S. there are about 6.4 million small- and medium-sized businesses (more than 100 but fewer than 5000 employees). These businesses are the targets of about 4,200 cyber attacks per day. If we do the arithmetic, each of those businesses has a one in four chance of being attacked each year (over a four-year span, that comes to odds of two chances out of three that you will be targeted by a cyber criminal). Obviously some businesses are more attractive targets than others, but no business or industry is immune to cyber attack. Not every attack results in a compromise of systems or data, but many do succeed in defeating the organization’s IT defenses.
For small- or medium-sized businesses, the average cost of one of those data breaches is over $36,000. According to ITBusinessEdge, 60 percent of those businesses that suffer a data breach fail within six months as a result of that breach. Averages are tricky, and, in general, the cost to larger companies is higher, but some small companies can also experience very high losses.
The cyber threat to small- and medium-sized businesses is large – and it is growing in both risk and impact every year as reported in the Ponemon Institute’s annual data breach report.
What can businesses do? They can Predict. Plan. Perform.
Predict – understand the risks for your industry and your company. There are numerous reports available for reasonable fees or, sometimes, free. Similarly, understand the impact to your company.
Plan – assess your risks and potential impacts and decide which risks you can eliminate, avoid, transfer (cyber risk insurance), or mitigate. Develop corporate policies and plans to execute the chosen approach. For example, many employee-caused problems can be eliminated by means of well-articulated policies and procedures, detailing, for example, required password processes, use of personal devices, encryption, and use of public WiFi services.
Perform – test your corporate policies and procedures, and make the necessary corrections when problems are uncovered. Train the company IT staff, leadership and management on the need for cyber defense and the ways to respond to a cyber attack and a cyber breach.
Cyber threats are dangerous, but they can be made less so. The purpose of your company’s cyber defense is not to create a perfectly impenetrable defensive ring around your company, but to make the effort to attack your company more than the cyber crook is willing to invest. That is an achievable goal.