This article is part of a series of articles called “The Small Business Owner’s Introduction to Cyber Risk”. Each article is dedicated to an important topic that the owners of small businesses should understand as they get started on their journey towards peace of mind from cyber risk.
The cyber threat to small businesses has never been at a higher level than it is right now in the post-COVID era. Small business owners are in a uniquely exposed situation because of the close link between their financial livelihood and the fortunes of their business. Both could be severely impacted by a cyber-attack.
You may be the owner of a small business, struggling to make sense of this complex environment and concerned that you may not be doing enough to prepare your business and your people for a cyber incident.
You may be confused by cyber risk right now, and if you are, you’re not alone. Most people who own or manage small businesses are concerned about the cyber exposures of their businesses. A lot of people are confused by the complexity of the topic and the large number of solutions promoted by the cybersecurity industry.
As the owner of a small business, I understand the small company perspective. Lack of time, money and expertise are real problems for small businesses, but these should not prevent small business leaders from taking reasonable steps to improve business resilience. In these short articles, I hope to show you how.
The global cyber incidents of 2017, the massive data breaches of 2018, and the continuing cyber-attacks every year since then have raised everyone’s awareness of the threat posed by cyber risk. Recently, there was a further and dramatic increase in risk from the remote working environment brought on suddenly by the COVID-19 pandemic.
These developments have taken place in a relatively short period, and there has been a rush to find technology solutions. Most people probably think of their IT Department or IT Service Provider when cybersecurity is mentioned, and you’d be forgiven for thinking that cyber risk is purely an IT problem.
It is undeniable that companies are increasingly dependent on digital technology, which exposes them to more cyber risks and threats than ever before. However, while our networks, devices and software need to be secure at all times, it’s not just the technology that we have to consider.
Cybersecurity is a complex business-critical risk, not just an IT
problem. It involves the entire company. To properly assess the risk, a business
should consider its technology risk, human risk and governance risk.
It is not surprising that the traditional approach to information security has focused on seeking technology solutions to risk. The IT budget of most companies is a meaningful component of total expenses, and IT professionals, whether internal or external resources, will advise on how the budget is spent. But where is the best area for this spending for small businesses with limited budgets?
Cyber Essentials, the UK Government-backed scheme, designed to help all companies protect themselves from commonplace internet-based threats, sets out 5 technology areas where companies need to focus. These are:
- Secure your internet connection
- Secure your devices and software
- Control access to your data and services
- Protect against viruses and other malware
- Keep your devices and software up to date
This is the starting point for businesses that wish to protect themselves and move towards becoming cyber resilient. A further UK Government initiative is the “10 Steps to Cyber Security”, which considers technology risk in more detail and adds the human risk dimension.
As we all know, technology never stands still. Due to the increase in popularity of mobile devices, tablets and the huge growth in cloud computing and the Internet of Things (IoT) enabled devices, and the expansion of your network through remote working, an increasing number of entry points exist to your network that cannot easily be secured using a traditional network perimeter firewall.
The COVID-19 pandemic brought enforced remote working to many businesses and greatly increased their cyber risk profile. Each of the five controls of Cyber Essentials can play a major role in keeping small businesses safe. All small businesses should review their current business operating model and check to see if the Cyber Essentials controls are in place.
Cyber hackers are using more sophisticated tools, such as artificial intelligence, and some now have much more sophisticated agendas. Espionage, disinformation, market manipulation and disruption of infrastructure are a reality now, alongside the list of commonplace cyber threats, such as data theft and extortion. There will clearly be an ongoing need for IT solutions to counter the increasing technology risks.
In recent years, there has been a growing awareness of the cyber risk arising from human behaviour. The “10 Steps to Cyber Security” includes the human aspect of cybersecurity by referring to User Education and Awareness Training, the need for an Information Management Regime and for Incident Management planning. In fact, some estimates now attribute 90% of all cyber risk to the human aspect.
According to CybSafe, a specialist provider of human training and awareness software, the traditional definition of the human aspect of cybersecurity is as follows:
“To some – maybe even most – the human aspect of cybersecurity refers to the risks posed to an organisation when people, affiliated with that organisation, interact with technology. Most of the time, the people in question will be employees – but they could also be suppliers or any other third party with legitimate access to an organisation’s network.
The definition conjures up images of malicious actors, but the human aspect of cybersecurity, of course, refers to both malicious actors and the well-meaning people who could unintentionally cause issues.”
When malicious actors target the human aspect of cybersecurity, it is often referred to as “social engineering”. Essentially, it amounts to getting well-meaning people to do things that they should not do, and would not ordinarily do, by using human psychology against them.
A $100 million scam
A good example of human risk is the case of Evaldas Rimasauskas. Rimasauskas reportedly stole more than $100 million from companies including Google and Facebook. According to reports, he stole the money, not through malicious software or by conspiring with insiders, but through an elaborate scam that eventually convinced well-meaning people into sending the funds his way.
CybSafe address the human aspect through video-based training and awareness software modules that are designed to change people’s cyber awareness and behaviour and also the culture of the organisation. This training is intended for everybody, from the Board of Directors down to the newest employee. Changes in awareness, behaviour and culture are measured over time to give an accurate picture of progress made.
Through an approach like this, people can become cyber aware and represent the first line of defence for the business against the hackers: an asset and not a weakness or a threat. These people can prevent attacks by ignoring phishing emails, locking their computer screens before leaving their desks, using multi-factor authentication, avoiding websites with security warnings and updating software to patch vulnerabilities, to mention just a few actions that reduce risk.
The final aspect of cyber risk that we consider in this article is governance. Having good cyber governance is not as daunting as it sounds. Governance is all about how the company is run. This starts at the top with good levels of engagement from the Board of Directors, who should set the tone for the entire company.
Following simple guidelines, processes and procedures can go a long way to ensuring that a business implements good governance. Companies should ensure that they have clear processes and procedures in place for all staff to access. A key policy document and procedure that’s often missing is a cyber incident response plan.
Ensuring that all your staff are educated, and cyber-aware is a big part of your defences. It is essential to have robust policies, procedures and guidelines in place that are understood by all and continually updated, in line with any new threats or risks that appear.
The entire organisation needs to think about what these threats mean for the business as a whole, its employees and its customers. Long gone are the days when we could pass the cybersecurity problems to the IT department or IT Service Provider. This is a complex business risk requiring an approach that prioritises cyber resilience in all aspects of the business. A shift of mindset is required throughout the organisation to question “when, and not if,” the business will suffer a cyber incident.
Peace of mind from Cyber risk
Small businesses are "big business" for Cybercriminals. If you lead a small business, you may struggle to make sense of this complex environment. You could be concerned that you may not be doing enough to prepare your business and your people for a Cyber incident.
If this is your situation, I hope that this article has been useful in introducing you to the topic of cyber risk for small businesses. I also hope it has convinced you that cyber risk is a business-critical risk that can be, and needs to be, managed like any other business risk.
In the next article in this short series, I provide a checklist that could help a small business owner put some basic protections in place.
Don’t forget to have a look at the series videos on the on the Surviving Cyber YouTube Channel and download the eBook that accompanies the video series at: https://pages.survivingcyber.com/ebook