On February 12th 2013, President Obama signed an Executive Order, “Improving Critical Infrastructure Cybersecurity.” Under the order, government agencies are expected to draft standards and share information regarding unclassified cyber threats. In theory, the government and private industry will collaborate on this critical priority and develop voluntary standards, i.e. “Best Practices.”
So what is the incentive for private industry to share? Historically, companies have had no desire to share information regarding breaches unless they are required to. If a company is successful at avoiding a threat, it has a competitive advantage over competitors who may not be as prepared. However, if the company is unsuccessful at avoiding a breach, disclosure risks damage to its brand when customers lose trust in it.
But cyber threats are very real and growing. According to the Symantec Internet Security Threat Report (ISTR) 2013, “Last year’s data made it clear that any business, no matter its size, was a potential target for attackers. This was not a fluke. In 2012, 50 percent of all targeted attacks were aimed at businesses with fewer than 2,500 employees. In fact, the largest growth area for targeted attacks in 2012 was businesses with fewer than 250 employees; 31 percent of all attacks targeted them.”
It makes sense that cyber threats will migrate to smaller companies that most likely do not have security protocols as extensive as the Fortune 100 companies that spend millions on security.
So what can a small business do to protect itself and mitigate cyber risk?
–Understand the current security expectations of management and key stakeholders of your firm. This step is required not only to uncover concerns you may not be aware of, but also to develop buy-in. The end result of this process will be more controls and internal policies, which may cause frustration, e.g. restricted access to data, segregation of duties, system change management. Early buy-in is highly recommended.
–Analyze the firm’s current situation to identify security gaps. The first part of this activity looks at system access internally and how remote employees access your system externally. The second part of this task is to understand what employees need to access vs. what they should not need to access. Private client information should not be readily accessible to all employees of the firm.
–Develop strategies to close the gaps and prioritize the work required. After the first two activities, you will quickly develop a list of process and policy changes that should be implemented. The ability to implement all changes quickly will be constrained by time and money. As such, your first priority should be items that, if not done, will expose you to financial loss, regulatory action, brand damage, and/or client loss.
–Test the effectiveness of your strategies. There will be unforeseen consequences to your cyber risk mitigation strategies. It is recommended to test the effects, prior to widespread implementation, to avoid business disruptions.
–Educate staff on their cyber security responsibilities. This activity introduces the policies and procedures to your staff, while underscoring the importance of any changes they will need to adopt.
–Continually test the effectiveness of your strategies, and modify them as risks change.
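The gap-analysis step above (who can access what vs. who needs to) and the prioritization step that follows it are the parts of this process a small firm can partly automate. The script below is an added example, not part of the original article: it takes a constructed entitlement export, compares it against a constructed role-needs matrix, flags segregation-of-duties conflicts, and ranks the findings so that unneeded access to sensitive data (especially for remote staff) lands at the top of the work list. All role names, grant names and user records are assumptions made for illustration.

```python
# Added example (not from the original article): a minimal access review
# for the "identify security gaps" and "prioritize the work" steps.
# Every dataset below is constructed sample data, not a real export.
from collections import defaultdict

# Constructed: what each role legitimately needs (least-privilege baseline).
ROLE_NEEDS = {
    "advisor":    {"crm_read", "crm_write", "client_docs_read"},
    "accounting": {"billing_read", "billing_write", "crm_read"},
    "it_support": {"helpdesk", "user_admin"},
    "reception":  {"calendar", "crm_read"},
}

# Constructed: entitlement pairs one person should never hold together
# (segregation of duties).
SOD_CONFLICTS = [
    ("billing_write", "billing_approve"),   # create and approve own payments
    ("user_admin", "client_docs_read"),     # manage accounts and read client files
]

# Constructed: grants that expose private client data or admin power.
SENSITIVE = {"client_docs_read", "billing_approve", "user_admin"}

# Constructed: current entitlements, shaped like a directory/IdP export.
CURRENT_ACCESS = {
    "alice": {"role": "advisor", "remote": True,
              "grants": {"crm_read", "crm_write", "client_docs_read"}},
    "bob":   {"role": "reception", "remote": False,
              "grants": {"calendar", "crm_read", "client_docs_read"}},
    "carol": {"role": "accounting", "remote": True,
              "grants": {"billing_read", "billing_write",
                         "billing_approve", "crm_read"}},
    "dave":  {"role": "it_support", "remote": True,
              "grants": {"helpdesk", "user_admin", "client_docs_read"}},
}


def excess_grants(access, role_needs):
    """Return {user: grants the user holds beyond what their role needs}."""
    findings = {}
    for user, rec in access.items():
        needed = role_needs.get(rec["role"], set())
        extra = rec["grants"] - needed
        if extra:
            findings[user] = extra
    return findings


def sod_violations(access, conflicts):
    """Return {user: [(a, b), ...]} for users holding both halves of a conflict."""
    findings = defaultdict(list)
    for user, rec in access.items():
        for a, b in conflicts:
            if a in rec["grants"] and b in rec["grants"]:
                findings[user].append((a, b))
    return dict(findings)


def prioritized_findings(access=CURRENT_ACCESS, role_needs=ROLE_NEEDS,
                         conflicts=SOD_CONFLICTS, sensitive=SENSITIVE):
    """Combine both checks into (severity, user, description) tuples,
    highest severity first. Severity 3 = fix first, 1 = fix when convenient."""
    items = []
    for user, pairs in sod_violations(access, conflicts).items():
        for a, b in pairs:
            items.append((3, user, f"segregation-of-duties conflict: {a} + {b}"))
    for user, extra in excess_grants(access, role_needs).items():
        for grant in sorted(extra):
            severity = 2 if grant in sensitive else 1
            # Sensitive data reachable by a remote user widens the exposure.
            if grant in sensitive and access[user]["remote"]:
                severity = 3
            items.append((severity, user, f"unneeded grant: {grant}"))
    return sorted(items, key=lambda t: (-t[0], t[1], t[2]))


if __name__ == "__main__":
    for severity, user, description in prioritized_findings():
        print(f"[sev {severity}] {user}: {description}")
```

Running the script against the sample data lists carol's billing_write/billing_approve conflict and dave's user_admin/client_docs_read conflict first, then the unneeded client_docs_read grants for bob and dave. Re-running it after each change is a cheap way to carry out the "continually test" step for access controls specifically.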
It is better to prepare for a threat that may never touch your firm than to be in reactive mode when a situation occurs.