Cyber Security has been making big news for the last decade, not only in the US, but around the world. The constant cyber-attacks directed at small and medium-sized businesses hit close to home, but do not make big headlines.
A 2018 Ponemon study found that about one third of surveyed SMBs could not identify the root cause of their security breaches. Additionally, nearly 60% cited a negligent employee or contractor as the root cause of a breach. Translation: we have to be concerned about threats from both outside and inside our organization.
A Southern California client of ours was recently the victim of a ransomware attack. Luckily, an off-site backup enabled Datalink Networks to rebuild their systems, although at a significant cost in time and money. Datalink Networks founder, Don Wisdom, met with the company’s Sr. Management and asked them why they were so unprepared for this attack. Their response was common among most SMBs: “We simply did not think that cyber criminals would go after a small business like ours.”
Since investing in IT security does not increase productivity, its Return on Investment (ROI) cannot be measured. As a result, how can organizations reasonably focus on protecting themselves without spending a significant amount of money on software, hardware, and systems?
The first step is to look at investments in ANY security initiative by asking the following fundamental questions:
- What information are we trying to protect?
- Why are we trying to protect it?
- Where are the threats coming from?
- How do we best protect it?
- What is our RISK if we don’t protect it?
- What are the budget estimates for this initiative?
This big-picture risk conversation should be the starting point in taking steps to secure an IT environment, BEFORE advanced security systems are purchased. Sr. Management and IT officials should build a list of corporate information that needs to be protected, who controls that information, where the data resides, what security controls are native to the application, and what the consequences are of losing that information.
Too often, organizations fail to take this first step toward defining risk, and simply purchase security hardware and software. By executing this big-picture approach first, both IT officials and Sr. Management will be more aligned in their understanding of the overall risk to the organization from a cyber-attack.