Cyber security basics for the small to mid-size business owner
As a small to mid-size business owner, you may think cyber security breaches happen solely to the big box retailers and massive conglomerates. With the news mainly reporting on the security of customers' payment cards being compromised at chain retail stores, it can skew your perception of who is impacted by data breaches. An October 2019 CNBC article states only 14% of small businesses are prepared for a cyber security attack and 43% of cyberattacks target small businesses, according to Accenture, a technology firm. With over 20 years of experience, our team hopes to educate and make the world of cyber security accessible for all!
What is cyber security?
Cybersecurity for businesses involves a holistic view of IT and operations with the goal of protecting the key assets, people, and data of an organization. The essence of cybersecurity is establishing processes so an organization can effectively identify, manage, and mitigate known (and unknown) security risks and threats in a predictive manner, thereby helping safeguard a company’s operations, employees, brand and company reputation. Generally, the key to establishing a workable level of protection is to safeguard the company’s proprietary data regarding employee and HR information, customer data (including contacts), contracts and orders, proprietary intellectual property (e.g., trade secrets), and operations data such as shipping logistics and financial transactions (e.g., billing, collections, and payments). A loss of data in any of these categories can put company operations at risk, so it follows that the goal of any cybersecurity initiative is to assure ongoing availability, integrity, and confidentiality of these critical assets. At Intellikor, we support the industry’s belief that every investment put forth to protect these assets will have a direct ROI payoff, and we work with our clients to understand how best to prioritize this protection to deliver real business benefit.
I've got an IT team, I don't need cyber security services
While every company depends on multiple technologies to serve its customers, a successful cyber-attacker intends to take down your operational systems and leverage your downtime to extract value from these assets (through theft and resale or ransom payment). While your IT resources should have solid cyber-security elements in place, a breach generally impacts your operational departments the hardest, and those losses fall directly to your bottom line. While no company can completely safeguard against every possible threat, it is key to your success and ongoing viability to have your assets properly prioritized for protection, and to have your IT department install, support, test, and maintain these safeguards over time in order to match the corporate priorities. Intellikor can help you sort these forces out so you gain the biggest bang for your cybersecurity buck.
Is it really a worthwhile investment?
While it is true that companies spent over $156 billion on cybersecurity in 2019, with these investments growing at a rate of over 10% per year, we have found that the basics of cybersecurity meet the needs of most SMB companies. And while breakthroughs in intrusion prevention technologies or security monitoring using artificial intelligence are helping keep some companies one step ahead of the hacker community, we have also seen that just implementing your existing security tools (such as passwords, anti-virus, data backup) as well as some ongoing security reviews (e.g., vulnerability scans and penetration tests) serves to protect most SMBs from the most common security attacks. The balance here is understanding the risks, setting the priorities, and making sure you have the smallest possible attack surface. A little money spent on prevention BEFORE an attack is much more satisfying than a lot of money spent on recovery after the fact.
The smart business executive will combine two trusted resources to create a security framework that can work for every business: Cybersecurity knowledge and business knowledge. Intellikor takes a business-first perspective when helping our clients define their overall security framework, and works closely with business leaders to define the key assets and processes that are most important to their operations (the ones that would hurt the most if they were unavailable). We arrange our analysis based on the published best practices and principles of security as it relates to the “AIC Rule” – Availability, Integrity and Confidentiality (as defined below).
Availability refers to making sure your business maintains reliable and timely access to data and resources. Availability not only safeguards your data against inside and outside threats, but also deals with data backup and recovery procedures so you don’t face huge ransom decisions or extended periods of downtime. Availability also deals with proper permissions for staff using the “least privilege” standard (everyone gets only the data they need to do their job). Availability also considers the impacts of any number of potential disruptions (fire, flood, facilities failure, natural disasters, and physical theft or attack). Making your data available if your office loses power or your staff cannot come to work are all considerations of Availability.
Integrity means keeping your data current and accurate, even in the case of a data loss, attack or systems failure. Are all your backups up to the minute or can once a day suffice? If a hacker gained access, would you know they were there? What if everyone could change their account balance to zero or authorize your company to pay them for fraudulent services rendered? Bad actors inserting a virus or a logic bomb or building undiscovered back doors into your systems are all elements of Integrity, with the goal of maintaining accurate and reliable information while preventing unauthorized data modification. And let’s not forget well-intentioned (or disgruntled) employees corrupting data by making mistakes, deleting needed files or simply (unwittingly) inviting in malware!
Confidentiality ensures that the necessary level of secrecy is enforced at every level of data processing and prevents unauthorized disclosure inside and outside your company. Are your employees’ salaries protected from your competitors who may want to hire away your star performers? Are your secret formulas or proprietary patents protected from attack? Attackers have lots of tools at their disposal to gain access to your prized data: password breaking, reconnaissance attacks, vulnerability exploitation, unauthorized network monitoring, and even shoulder surfing and social engineering can be used to gain access and steal your company’s intellectual property. Confidentiality generally involves keeping data protected and out of harm’s way using network segmentation, data encryption, honey pots, and access controls, but also is fortified by some of the basics of cyber-security, including a solid security policy, enforced password management and even personnel training.
Intellikor helps our clients navigate through all these security elements and delivers peace of mind based on your company’s priorities, business goals, and budget considerations. We have also found that the money you spend to protect your data has a 10x payback when compared to the cost of recovery for lack of protection. And we also find that many of these safeguards were already considered and even implemented, but their efficacy depends on a little diligence and a solid diet of ongoing reinforcement. You supply the business priorities and operational know-how, and we’ll arrange the technologies so your company continues to deliver on those priorities by keeping those operations running, delivering your products, serving your customers, building your brand, and paying your employees.