Data Security in Small Businesses
SME organisations are the new ‘soft target’ for cyber security attacks. Larger organisations have a bigger budget for their cyber programs, and even with the many thousands, and sometimes millions, of dollars they invest, they are still breached. But whereas the Sonys, LinkedIns and Yahoos of the world can weather a large-scale cyber-attack and come out more or less unscathed on the other side, SME organisations are seldom as fortunate. The loss of operational capacity and reputational damage caused by a breach will often trigger a total business collapse.
No matter the size of the organisation, cyber security and data protection must be treated as a key priority, especially so in the Healthcare and NFP sectors, where so much personal information is housed and accessed. The organisation that believes that it won’t happen to them, either because they’re too small or because nobody would be interested in them, is using 20th-century thinking in a 21st-century world. What we often hear, particularly from smaller organisations, is ‘It won’t happen to me’, because ‘Nobody would be interested in our data’ or ‘We’re too small’ or ‘We’re not a high-profile target’. For SME organisations, nothing could be further from the truth. A 2019 study by Verizon showed that 43% of recorded cyber attacks had targeted SME businesses.
When we look at the Healthcare and NFP space, it’s important to note that an individual’s personal details record is worth more to a cyber criminal than a record containing credit card information. Why? Because if credit card information is lost or stolen, it’s very easy for a financial institution to detect that, stop the transactions and replace the card, and life goes on.
But when an individual’s health record and personal information are stolen and fall into the wrong hands, people can take over the identity of a particular person or a group of people. Then you end up with a really major problem. The consequences of cyber attacks can be very severe, ranging from being fined for failure to comply with regulatory requirements to organisations collapsing in the wake of an attack.
All those things can be avoided, but what’s really important to understand here is that it’s not about investing a sum of money in order to be 100% protected, because there’s no such thing. We see very large enterprises investing millions, sometimes even billions, of dollars in security, and we still hear about their breaches in the media. It’s about demonstrating that you have taken the right level of responsibility and made the right level of investment commensurate with the size of your operation, with your economic reality, and with your capacity to be able to invest in protecting yourself.
We need to look at aspects that include not just the protection of your perimeter, the ‘walls’ of your computer network, against people coming from the outside, but also protection against things that are happening on the inside. The reality is that a large majority of breaches and data loss actually occur as a result of something that is inward focused rather than a problem that comes from the outside. Quite often it’s because people simply lack the education to understand what they should and shouldn’t do, and how they should behave responsibly in the world that we live in today.
So what’s really important to understand here is that it’s not just about the investment in technology to help protect against cyber-related issues. It’s just as much about people understanding how to behave inside their organisation to protect what is probably one of the most valuable assets that the organisation has, which is the organisation’s information.
What is your organisation’s biggest cyber vulnerability? The network? Viruses? The configuration of your firewall? These are all common answers. They’re also all incorrect. Your organisation’s biggest cyber vulnerability is its people. The majority of successful cyber breaches occur because a poorly trained employee inadvertently clicks a link, engages with a website, provides information over the phone, or does a combination of all of those things, leading to a successful network breach. As cryptographer Bruce Schneier once put it, “Amateurs hack systems, professionals hack people”.
The Forbes article titled ‘How to Protect Your Small Business From Cyberattacks (And Their Financial Fallout)’ provides a perspective on how the requirements of SMEs differ from those of larger businesses when it comes to protecting their business from cyber attacks. The article challenges the widely held belief that small businesses are safer from cyber attacks than larger businesses and emphasises that prevention is no longer an option, but an imperative.