Small and medium businesses face tough decisions every day to advance their business goals and succeed at their mission. Daily they are faced with the challenges presented by capital requirements, cash flow, accounts receivable and accounts payable, meeting payroll, marketing and advertising, sales, collections, employee management, and growing the business, as well as many others.
Another area that has complicated and compromised small businesses’ ability to succeed is the threat to information security and privacy.
Many SMBs don’t know the information security and privacy risks they face every day, or that they are even the primary target of forces inside and outside their companies, risks that could result in the total loss of their business.
Exposing the myths that surround information security and privacy, and the risks that affect them for Small/Medium Businesses (SMBs), is the starting point for acting responsibly in these areas. Presently, due to these myths, SMBs are disproportionately disadvantaged in dealing with these issues.
The Truth About Information Privacy and Security for Small Businesses
Myth 1: This is a problem that affects big companies, not me.
This is perhaps the biggest risk that SMBs face: inaction due to not understanding the risks that they face every day, or why and how they are targeted.
Nearly two-thirds of negative and hostile cyber activity is directed at the SMB. Add to this the fact that 90% of all data losses or breaches are traced back to human error, and the problem for SMBs is compounded dramatically.
And these incidents are costly for business owners. A data loss incident costs the SMB an average of $188,000 per incident. Very few SMBs put aside a contingency this large to combat the legal and PR issues that so often accompany a breach or information loss.
Recovery is also an issue SMBs face. After a reported privacy or security incident, there is the potential for a loss of client trust. The inability to recover client revenue, combined with the legal and PR costs that result from the incident, means that 60% of these companies are out of business within six months of occurrence, and 90% are out of business within 24 months.
Myth 2: No one would want my information because I have nothing of real value.
Regardless of your company’s size, the fact is that small/medium businesses have information that is of interest to bad actors. All client or company information is desirable to forces who don’t care about the SMB and only have their eyes set on leveraging the information for economic gain.
The attacks against small businesses are highly invasive and come from outside and inside the organization.
From outside, there is clear evidence that bad actors are now focusing on the SMB, and at ever-increasing rates. They are exploiting the lack of preparation and safeguards created by employee errors and behavior that SMBs often don’t address properly or effectively through current approaches.
From within, 90% of all data loss and breaches can be traced back to employee error. This is not necessarily related to malicious employee activity but a lack of education and understanding of the proper handling of information daily (digital and nondigital alike). This might come from what they say on a call, leaving passwords in plain sight, not following protocols, or opening malicious emails and acting on information before thinking of the risks associated with doing so.
Myth 3: Even if I wanted to address the problem, it takes too long and costs too much.
There is an economical and time-conscious approach that can be implemented to address your cyber safety and security issues. This solution will result in huge dividends for your business, including improved information security and privacy habits as well as increased efficiency. It is an approach that addresses employee behavior through specific education mapped to updated policies and procedures, positively affecting information security and efficiency.
Myth 4: My Information Technology Person/Managed Service Provider takes care of this area for me.
While having the proper Information Technology and Managed Service Provider (IT/MSP) support is very important, this will not by itself avert the number one cause of cyber intrusion and theft: EMPLOYEE ERROR!
As previously mentioned, over 90% of cyber theft, breaches, and data theft is the direct result of employee error. It is not enough to just relegate this important area to a vendor. It is vital that employees understand that their behavior is critical to the protection of their own and their clients’ information, both digital and nondigital alike. It’s imperative for owners and managers to make their employees assets in protecting their own as well as their clients’ information, just as they are expected to be assets in every other part of their job function, rather than relegating this to their IT/MSP support person or group.
The IT industry is currently spending over $100 billion annually to combat the technology dangers created by bad actors. In the face of this historic spending to prevent intrusion by cyber bad actors, the number of incidents grew by over 412% from 2017 to 2018. In 2017 it was estimated that there were over 4,000 daily incidents of cyber intrusion. It can easily be seen that spending hundreds of billions of dollars on technology solutions for the ever-increasing cyber risk is not addressing the number one cause adversely and disproportionately affecting SMBs: HUMAN ERROR.
When owners and managers of SMBs are made aware of the employee error problem, and that the IT/MSP industry cannot successfully address human behavior alone, they want to make the improvements necessary to change the outcome.
The Solution:
Every SMB must ensure that all measures are implemented to educate and train their employees in the appropriate behavior when it comes to properly handling information, both digital and nondigital alike. It is important that employees know why their individual roles and activity are important to the safety and health of their company and clients. When they understand the “Why” of their behavior, they will not just sit by and wait for the “IT person” to take care of it.
All programs to accomplish behavioral change must be simple, affordable and effective. It should be the right education and balance of training that results in a reduction of employee errors, so as to reduce the risk that they face every day. The program should map all education and training for the industry they are in and serve to the appropriate, up-to-date policies and procedures. This is critical to being able to show that the company has acted responsibly based on the size, scope, and complexity of its individual business.
Working together, we can reduce the number of incidents resulting from employee error and keep more SMBs succeeding and doing what they love and enjoy: building their business successfully and serving their clients’ needs, knowing that they have done all that they can do to protect their information and the health and success of their company. That means putting Information Security & Privacy back into the background where it belongs, while bringing Business Efficiency to the forefront, with a true understanding that they have acted responsibly based on the size, scope, and complexity of their company.
Warren Robold has been a Frederick County resident for 30 years. He is currently EVP of Truvincio. His passion for the SMB is focused on helping improve business efficiency and quality, leading to an improved bottom line. His dedication and commitment to this is best demonstrated by his work with the Truvincio Solution, which is the first of its kind: a SaaS-based service expressly developed to ensure the SMB is effective, affordable and simple to implement.
He has over 30 years of experience in direct and distribution sales and management, as well as selling both tangible and intangible products and services in the US, UK, Mexico, Italy, and India. Mr. Robold has worked with many clients across a broad range of projects and industries, including startup companies in multiple industries as well as several SaaS entities.
Frederick Chamber Insights is a news outlet of the Frederick County Chamber of Commerce. For more information about membership, programs and initiatives, please visit our website.