Tuesday, November 26, 2013

Small/Medium Business and Security/Privacy exploration

In this blog entry I want to explore the effects and the threats surrounding the small business realm and how it is effected by concerns of security and of course indirectly privacy.

But first some numbers.

1) Targeted attacks destined for Small  Business (1 to 250 (employees) accounted for 31 percent of all attacks, compared with 18 percent in 2011, an increase of 13 percent [1]

2) According to the National Federation of Independent Businesses, as many as 30% of an average company's employees do steal, and another 60% will steal if given a motive and opportunity.[2]

3) Almost three-quarters (72%) of data breaches investigated by Verizon Communications’ forensic analysis unit were focused on companies with less than 100 employees.[3]

And the list goes on. But I hope you get the idea.

In fact, depending on the source of data, there is no difference between the security issues of large organizations and small & medium business (SMB) (under 1000 employees).

Both types of businesses rely on computerize ‘everything’, to support their ongoing commercial and not for profit endeavors, never mind using social media for commercial marketing etc.. Both (large and SMB), for the most part, have web sites, use email, store information within databases containing commercial/proprietary information, financial positions (bookkeeping) etc. The employees also have access to various types of data (including those mentioned above), and can carry around that information on smartphones (bring your own device (BYOD)), etc.  Yet, except for some superficial attempt to secure the endeavor’s information, most SMB are vulnerable to threats like those that are mentioned above. The reason is because not enough is done to protect that sensitive information.

Let’s just investigate some best practices for organizations today.

All organizations, whether big or small, should have a Disaster Recovery (DR)/Business Continuity Plan (BCP) to enable them to still function and continue to be in business if an issue presents itself. How many small businesses do have a fully tested, functional BCP? Yet a disaster does not care if the company in question has 100 employees or 5,000.

All organizations should have and enforce internet/email usage policies. This should reduce any blatant misuse and potentially harmful activities of employees (or at least enable employers to take action if need be).

And the list of items that need addressing goes on and on. Many large organizations have specialist(s) whose entire responsibilities are just to ensure the day-to-day operation of the business.

While all organizations have to address critical issues, SMB have a number of strong disadvantages. The obvious one that comes to mind is their lack of resources. Namely most small business cannot afford a full time security/privacy professional. If money is not the issue (ever heard of a company where it wasn’t?) then a lack of expertise would be another major factor (and handicap). It takes time and experience to protect and recover from security concerns. And the basic human thought, ‘it will never happen to us, is something all personnel have to deal with.

So let’s take look at an realistic example of what can  happen to a $5,000,000 dollar a year SMB business.

11)    They have a major system failure and their systems were completely down for 4 days, and only partially in order for another six days. Total loss approx. $175,000
22) Cost to hire professionals to bring their system back on line $12,000
33)  Lost of a number important documents (payroll information, orders, A/R etc) that would be difficult to recreate. Cost unknown.

Total cost $187,000 +

Now lets take a look on the cost of setting up a relatively simple BCP/DR Etc

11)   Set up a working and tested DR/backup plan as part of a BCP $10,000
22)   Set up a commercial firewall, configured to help enforce the companies policies $10,000
33) Set up endpoint security (Anti-malware, Data Loss Prevention etc.) $5,000
44) Administration, training $5,000

Total cost $30,000

For a savings of  about $157,000 and with a big reduction of risk to the organization it then becomes obvious which of the two is the better option.

You can see by the numbers, the company in question would agree, it was a costly oversight not to do the due diligence, to say the least.

So we have all these organizations that are liable to have security/compliance/privacy etc issues, yet money is a huge concern. So what can be done?

There are a number of independent consultants whose specialty is to work with SMB. These consultants can plan and implement the best practices that are needed for an organization. They bring expertise, certifications, etc. that a small organization could ill afford to develop in-house due to the costs involved. For most SMB, once a comprehensive plan is developed and deployed, only a small additional cost would be needed moving forward to make sure everything is tested/working (maintenance/review changes etc) on an ongoing bases .

However, I would be remiss if I did not highlight the importance of finding a competent resource. There are a lot of consultants that have hung their shingle out to find business. So due diligence is in order. Ask for references, preferably with companies of a similar nature. Ask for any professional certifications that are concerned with this domain/realm. Ask for an estimate for the work needed. Get a Statement of Work (SOW) which should also include an established procedure for cost escalation and/or additional work requests. In other words try to make sure you are getting value for your money.

At then end it comes down to that, in our electronic world we work/live in, cutting corners will end up biting you on your bottom line. Ignoring the issues does not make it go away. But there is a reasonable way of mitigating those very real risks.

As the saying goes, ‘an ounce of prevention is worth a pound of cure’, and the sooner the better.

[1] http://www.symantec.com/about/news/release/article.jsp?prid=20130415_01
[2] www.nfib.com/business-resources/business-resources-item?cmsid=29624
[3] http://www.verizonenterprise.com/DBIR/2013/

No comments:

Post a Comment