In this blog entry I want to explore the threats surrounding the small business realm and how it is affected by concerns of security and, indirectly, privacy.
But first some numbers.
1) Targeted attacks destined for Small Business (1 to 250 employees) accounted for 31 percent of all attacks, compared with 18 percent in 2011, an increase of 13 percent. [1]
2) According to the National Federation of Independent Businesses, as many as 30% of an average company's employees do steal, and another 60% will steal if given a motive and opportunity. [2]
3) Almost three-quarters (72%) of data breaches investigated by Verizon Communications' forensic analysis unit were focused on companies with fewer than 100 employees. [3]
And the list goes on. But I hope you get the idea.
In fact, depending on the source of the data, there is no difference between the security issues of large organizations and those of small and medium businesses (SMB, under 1000 employees).
Both types of businesses rely on a computerized 'everything' to support their ongoing commercial and not-for-profit endeavors, never mind using social media for commercial marketing. Both (large and SMB), for the most part, have web sites, use email, and store information within databases containing commercial/proprietary information, financial positions (bookkeeping), etc. Their employees also have access to various types of data (including those mentioned above) and can carry that information around on smartphones (bring your own device, BYOD). Yet, except for some superficial attempt to secure the endeavor's information, most SMBs are vulnerable to threats like those mentioned above. The reason is that not enough is done to protect that sensitive information.
Let's investigate some best practices for organizations today.
All organizations, whether big or small, should have a Disaster Recovery (DR)/Business Continuity Plan (BCP) to enable them to keep functioning and stay in business if an issue presents itself. How many small businesses actually have a fully tested, functional BCP? Yet a disaster does not care whether the company in question has 100 employees or 5,000.
All organizations should have and enforce internet/email usage policies. This should reduce any blatant misuse and potentially harmful activities by employees (or at least enable employers to take action if need be).
And the list of items that need addressing goes on and on. Many large organizations have specialists whose entire responsibility is to ensure the day-to-day operation of the business.
While all organizations have to address critical issues, SMBs have a number of strong disadvantages. The obvious one that comes to mind is their lack of resources: most small businesses cannot afford a full-time security/privacy professional. If money is not the issue (ever heard of a company where it wasn't?), then a lack of expertise would be another major factor (and handicap). It takes time and experience to protect against and recover from security incidents. And the basic human thought, 'it will never happen to us', is something all personnel have to deal with.
So let's take a look at a realistic example of what can happen to a $5,000,000-a-year SMB.
1) They have a major system failure; their systems were completely down for 4 days, and only partially in order for another six days. Total loss approx. $175,000
2) Cost to hire professionals to bring their system back online: $12,000
3) Loss of a number of important documents (payroll information, orders, A/R, etc.) that would be difficult to recreate. Cost unknown.
Total cost: $187,000+
Now let's take a look at the cost of setting up a relatively simple BCP/DR, etc.
1) Set up a working and tested DR/backup plan as part of a BCP: $10,000
2) Set up a commercial firewall, configured to help enforce the company's policies: $10,000
3) Set up endpoint security (anti-malware, Data Loss Prevention, etc.): $5,000
4) Administration, training: $5,000
Total cost: $30,000
With a saving of about $157,000 and a big reduction of risk to the organization, it becomes obvious which of the two is the better option. You can see by the numbers, and the company in question would agree, that it was a costly oversight not to do the due diligence, to say the least.
So we have all these organizations that are liable to have security/compliance/privacy issues, yet money is a huge concern. So what can be done?
There are a number of independent consultants whose specialty is working with SMBs. These consultants can plan and implement the best practices that an organization needs. They bring expertise, certifications, etc. that a small organization could ill afford to develop in-house due to the costs involved. For most SMBs, once a comprehensive plan is developed and deployed, only a small additional cost is needed going forward to make sure everything is tested and working (maintenance, reviewing changes, etc.) on an ongoing basis.
However, I would be remiss if I did not highlight the importance of finding a competent resource. There are a lot of consultants who have hung out their shingle to find business, so due diligence is in order. Ask for references, preferably from companies of a similar nature. Ask for any professional certifications relevant to this domain. Ask for an estimate of the work needed. Get a Statement of Work (SOW), which should also include an established procedure for cost escalation and/or additional work requests. In other words, make sure you are getting value for your money.
In the end it comes down to this: in the electronic world we work and live in, cutting corners will end up biting you on your bottom line. Ignoring the issues does not make them go away. But there is a reasonable way of mitigating those very real risks. As the saying goes, 'an ounce of prevention is worth a pound of cure', and the sooner the better.