Dispelling The Myths Around Cybersecurity For Small Businesses

Reposted from Forbes

Data and technology have become central to business in most companies, particularly since the Covid-19 pandemic, which has forced many toward an accelerated digital transformation or a complete reinvention. But with the rise of digital, cyberthreats have also become even more active, with firms—large and small—falling victim to indiscriminate cyberattacks on a continuous basis. This is increasingly being seen as a matter of "WHEN, not IF" for most industry sectors. In addition, regulations have been tightening worldwide around personal data (GDPR, CCPA and many others), fines are growing and regulators have been targeting all firms irrespective of size.

All this is changing the context in which small businesses need to approach cybersecurity. However, in small- and mid-size businesses, a primary roadblock is often a lack of understanding of what needs to be done around security and privacy to ensure sufficient protection, and of how priorities must be set in the current climate in support of digital, remote and cloud-based enterprises. At best, this lack of understanding leads to putting in place isolated and disjointed protective measures. At worst, senior stakeholders simply don’t know where to start, and some technical illiteracy gives way to misconceptions, which—in turn—deprioritize action around security in spite of legitimate and growing concerns.

To help provide more understanding and move small businesses forward, let's start by dispelling a few of the biggest myths around cyberthreats and cybersecurity.

Five Common Myths Around Cybersecurity

1. Security measures are an annoyance; they create friction and turn customers away.

I believe this is less and less the case as people get hacked and learn the hard way that there is a need for stronger security. Ruthless data monetization, personalization and aggressive data surveillance, on the other hand, are increasingly sources of ethical concerns with customers and staff, in particular amongst younger generations.

2. We have other priorities; it will divert resources away from essential activities.

In fact, security issues are more likely to turn customers away in the current climate. Maintaining good security levels is an essential activity and may generate sales if you turn it into a competitive advantage and weave it into your USP.

3. It's too expensive; we can't afford it.

Basic measures don’t have to be very complicated or expensive and will go a long way to provide a degree of protection.

Incidents, on the other hand, are expensive to deal with, and retrofitting security and privacy measures under duress after something has happened can be painful. And cyber insurance can't be entirely relied on to cover those costs due to the accumulation of exclusions in policies over recent years.

4. It won’t happen to us because we are too small.

This is now practically baseless. Cyberattacks and data breaches are more virulent than ever, and evidence abounds to show that they target all firms irrespective of size. In fact, according to a 2021 report, small businesses may be even more likely to be targeted.

5. It’s not really our problem because we are “in the cloud.”

Businesses remain responsible for the security of their data and are liable to their clients in case of a data breach, so it is important that you take measures to protect this data, even if it is in the cloud. In addition, make sure you have read the “small print” of any contract with a cloud provider; there is always a risk that the contract may be very one-sided in their favor.

Ways To Implement Basic Cybersecurity In Your Business

The first step for small businesses, their owners and their leaders is to move away from those common excuses and own the topic as an integral part of the environment in which they trade, not something alien to it. We all need to accept this is real and can happen to us.

Building your cybersecurity is the next step. It often makes sense to start looking internally first. It is not uncommon to find IT analysts who have been there for years, love cybersecurity almost as a hobby and would just need to be developed and empowered to be able to manage the company's cybersecurity efforts. Best of all, they should already fit into the attitude and culture of your organization. These last points are often essential in small firms where everyone knows each other because trust is important to success when taking on new challenges like this.

If the requisite cyber skills aren't currently present within your organization, consider appointing a "virtual" chief information security officer (CISO). However, this should be a measure to build cyber maturity, not a way of outsourcing a problem you simply don't understand. Ultimately, the cybersecurity of the firm cannot be seen as the responsibility of any CISO—it has to be the responsibility of all stakeholders. The role and profile of the CISO (virtual or in-house) need to be calibrated and positioned to address the necessary improvements in cyber maturity, to reach and maintain regulatory compliance and to ensure staff, customers and their data remain protected.

There is no silver bullet where initial maturity levels are low; progress will always involve working jointly at the People level (e.g., awareness and training), the Process level (e.g., timely vulnerability scans and patch deployment) and the Technology level (e.g., email filtering and endpoint protection).

Owners and leaders in small firms must remember that, beyond loss avoidance and business stability, good security and privacy practices build digital trust. They support valuations, reduce risk and reduce regulatory or legal friction. And when treated as a reflection of good business ethics, they can be turned into a competitive advantage to attract talent, retain customers and become a key ingredient to your mid- to long-term business plan.

Written by: JC Gaillard, Forbes Councils Member
Founder & CEO, Corix Partners | Author of "The Cybersecurity Leadership Handbook for the CISO and the CEO" | Cybersecurity Thought Leader


Khalil Thomas

Khalil Thomas is a Health Equity expert and President of TRCG, a boutique Digital Health consulting group that leverages regulatory compliance expertise to bring solutions to market, manage algorithm bias, and improve quality for an expanded patient demographic. He specializes in topics at the intersection of AI, Health Tech, and Health Equity; highlighting pathways for innovation enabled equity.
