Small Business Resilience
Time for Action Or Your Business Dies
Businesses and entrepreneurs must begin to understand the financial implications of cybercrimes and how these crimes can affect their businesses over time. Numerous authorities have estimated that the costs associated with cybercrimes will reach a mammoth total of $6 billion by 2021. As a result, businesses have no alternative but to prepare to survive. Or, they won’t.
It is high time that responsible officials do something substantial to limit cybercrime and make small businesses care. This is how stronger perimeters will emerge at the local level. In 2018, DHS began realigning its infrastructure protection and cyber risk component to meet these obvious challenges. Its new organization, called the Cybersecurity and Infrastructure Security Agency (CISA), will work better with partners in local government and business to manage risk. However, while this action will better protect critical infrastructure by providing better risk data, the 21 million small businesses and individual citizens will continue ignoring the ineffective programs.
CISA may have the resources or connectivity to effect change for small businesses and individuals, but nobody is listening. Effective change must begin and grow at the local government level. DHS’ reorganization and the formation of CISA will not lift small businesses to a position of strength. More resilient businesses will only emerge from stronger bonds rooted in local awareness efforts.
The Small Business Administration (SBA) has launched efforts over the past year that should assist small businesses with cyber awareness. Small businesses are the engine of this nation’s economy. The fact that 43% of cyberattacks target small businesses is a concern that should be taken seriously. We must wonder if awareness is “enough,” considering that only 14% of small businesses rate their ability to mitigate cyber risks, vulnerabilities and attacks as highly effective.
In spring 2017, there was a bill going through Congress. The legislation was called the Small Business Cybersecurity Act and required the National Institute of Standards and Technology (NIST) to develop and disseminate resources that help small businesses reduce their cybersecurity risks. The bill required NIST to include small businesses in update considerations for the cybersecurity framework. It also called for NIST to provide resources for small business owners who decide to model new initiatives on the NIST framework. The legislation passed in the fall of 2018.
Small businesses usually have smaller budgets and staffs but find themselves under the same compliance requirements as bigger businesses. This law is supposed to provide benefits for small businesses attempting to better protect themselves against cyber threats, only without the costs.
The Act instructed NIST to publish resources by August 14th, 2019. This is an interesting exercise. However, without a tuned-in audience, the goal will be as weighty as the paper it is written on. Security awareness is a beginning and will not fill the giant void small businesses have in protecting themselves. We must find mechanisms that bring small businesses together as a united front. NIST will need to actualize security opportunities for small businesses by providing a dashboard. Assessment tools that are as easy as “TurboTax” will be a key to motivating business owners. However, leaders who connect with stakeholders will enable giant security leaps in the small business community.
It has been repeatedly reported that security failures for all businesses are typically tied to humans. Sometimes the issue relates to poor analysis, and at other times a failure to use best practices is the culprit. Dr. Calvin Nobles, a human factors expert, reminds us that human factors remain unexplored and underappreciated in information security. He is correct in his assessment. Most successful cyberattacks, data breaches, and ransomware attacks are a result of human-enabled errors, which supports his point that human factors need more emphasis.
In lieu of capable, advanced, and effective systems, small businesses should outsource their IT security to their communications carrier or Internet Security Provider. There should be a concerted effort across the company, no matter the size, to understand whether its current software is sufficient to minimize known vulnerabilities. If it isn’t, the software needs to be removed and replaced by updated software or a proven provider-supplied system.
On the other hand, if the existing firewalls have protected the organization and its consumers, then they should not be replaced. The business should just improve its protection scheme. Additionally, there should be budget allocated to run a third-party scan across the network for known threats.