Cybersecurity concerns have become top of mind for executives across geographies and vertical industries.
- Not only Fortune 500 companies are subject to cyber-attacks.
- Small and mid-sized businesses are hit by 62% of all cyber-attacks, according to research by IBM.
- The costs for small businesses can be staggering. The average cost for a small business to get back up to speed after being hacked is estimated at a whopping $690,000.
- For mid-sized businesses, the cost to recover from a cyber-attack nets out to more than $1 million, according to the Ponemon Institute.
To help familiarize small business leaders with the top cyber threats they face, and with the many ways to better defend against them, Bryce Austin, CEO of TCE Strategy, recently published a book, Secure Enough?: 20 Questions on Cybersecurity for Business Owners and Executives.
HMG Strategy recently caught up with Bryce to discuss his motivation for writing the book, and the key lessons it holds for small business owners and executives.
HMG: What was your impetus for writing this book?
Bryce Austin: Ever since the Target breach of 2013, headlines on cybersecurity issues have been coming at us non-stop. Cybersecurity is a complex issue, and it is hard for business leaders to make good decisions about issues they do not understand.
My goal was to write a book that explains cybersecurity concepts to business leaders who do not have a technical background. My book is of reasonable length, easy to read, and uses a style that empowers readers to grasp important cybersecurity concepts, and then apply them to make the best decisions around how much risk is acceptable for their organization.
HMG: What can business leaders learn from your book?
BA: The book begins with "why."
- Why do cybercriminals exist?
- Why do they target certain companies rather than others?
- Why is law enforcement at such a disadvantage to take care of these issues on behalf of society?
It then moves to non-technical questions around how companies can gauge their level of cyber risk, how to train employees on avoiding cybercriminals' tactics, and how to respond to a cybersecurity incident. With the recent Equifax breach, the need for preparation around breach response is more apparent than ever.
Business leaders will then learn fundamental frameworks of cybersecurity and the vocabulary used for different cybersecurity topics.
Finally, business leaders will learn how cybersecurity can be used as a competitive advantage to their organization, rather than the "necessary evil" that some business leaders view it as today.
Most importantly, the book can be read in about 3 hours: a book you could open when boarding a plane, and finish before landing at your destination.
After finishing the book, a business leader will be able to have a rational, lucid conversation with their cybersecurity team or outside cyber consultant on how cybersecurity impacts their company, their industry, and their competitive edge in the marketplace. Most business leaders already know how to have these types of conversations with their head of operations, sales or HR. This book will now let them do the same with their cybersecurity leader or consultant.
HMG: For business owners and executives who work for smaller companies, what are some guiding principles for cybersecurity that they and their companies should be focused on?
BA: Ransomware has put smaller companies in the crosshairs of cybercriminals.
Cybersecurity training for staff and executives is critical. Training is essential to identify phishing attempts and malicious applications, and to always choose passwords that are difficult for others to guess.
Reliable backups of critical data are imperative, and it is extremely wise not to store those backups on your network. Many cyber-attacks involve the destruction or encryption of your important data, and a good backup is great insurance against these types of attacks.
All businesses need to know where their data is, how sensitive that data is, and who is allowed to have access to it.
It's impossible to protect your data if you cannot locate it.
Some companies advertise their products based on strong cybersecurity programs. More and more organizations are understanding the benefits that cybersecurity can bring to their customers.
HMG: What are some lessons that small business owners can take away from the cyber-attacks that have impacted large enterprise companies such as Yahoo! and Target?
BA: Server/workstation software updates, known as "patches," are more important than ever. Patching your systems sounds easy, but it needs a rigorous process behind it. If Equifax had such a process, their CEO, CIO and CSO would still have jobs.
It is critical to demand that your vendors follow reasonable cybersecurity standards. If Target and Visa had demanded that of their vendors, those huge breaches wouldn't have taken place.
Keeping ahead of advanced and determined cybercriminals is next to impossible. Having systems to detect cybercriminals' activity is essential, and a written and rehearsed cybersecurity response plan is just as important.
Multi-factor authentication is the single best thing that a company can do for their cybersecurity posture. I strongly believe that the majority of breaches would have been prevented if companies had used multi-factor authentication. It's getting easier all the time to make these systems user-friendly. The days of having a clunky device on your keychain for this purpose are a thing of the past in almost all situations.
HMG: Why should small business owners be thinking differently about cybersecurity than executives at Fortune 1000 companies?
BA: Small business owners have the advantage of having far fewer advanced cyber-attacks launched against them. Almost all cybersecurity issues impacting smaller businesses are preventable.
Outsourcing your cybersecurity to an expert or group specializing in that field is normally a good idea. Small business owners need to be knowledgeable in the product or service they sell, not in cybersecurity. For example, most small business owners hire out functions like plumbing or painting to companies that specialize in that sort of work. Cybersecurity needs a significant level of expertise to be done correctly.
HMG: What advice would you offer to business owners who want to become more proactive with cybersecurity? Where should they focus first?
BA: Start with sales. What cybersecurity practices can your salespeople use to sell more of your product or service? What cybersecurity features can you incorporate into your product or service that will give you a competitive edge?
View cybersecurity as a business opportunity, not a cost center.
Price out cybersecurity liability insurance. I'm not advocating that all companies purchase a policy, but if the price per million dollars of coverage is significantly higher or lower than a policy for, say, fire insurance or general liability insurance, that relative pricing will give a business owner strong insight into the size of the cybersecurity risk they face.
Of course, another alternative is to start by reading Secure Enough and putting to use the 20 Questions on Cybersecurity for Business Owners and Executives it contains.
My call to action is this: Good cybersecurity planning will reduce the odds of being hacked, but it will not eliminate all risk. Some companies will still get hacked. When that hack takes place, your company will be judged on two criteria:
- Did you take reasonable and prudent steps beforehand to defend against cybercriminals?
- Did you react to the incident in a timely and organized manner?
If you can answer "yes" to both questions, your company will be in a much better position when speaking to your customers, vendors, and the media about a cyber incident. In my book, Questions 2, 8, 11, 12 and 16 are specifically written to help you prepare for a cyber event, and in many cases, to prevent the incident from ever happening. Reading those chapters will give you a great starting point.
Yes, for many company leaders, this can all seem very confusing, and they feel overwhelmed having to learn all these new things in order to protect their company. Thus, I encourage all companies to work with a strong and highly experienced cybersecurity leader to help them quickly put these ideas into practice.