I have spent a lot of time asking business owners, IT leaders, and technology service company owners and CEOs their thoughts on information security. What are they experiencing and seeing?
The most common issues? People don’t know what they don’t know, they don’t know where to start, are not interested in it, and just don’t have the time to spend on it.
For most, it really comes down to what is most important – spending time on the service or product you deliver, or spending time on securing something that may or may not ever happen. I get it! Security brings a level of complexity that is hard enough to understand let alone do something about. With security it is often easier to remain in the dark.
Now, a reality check - ignorance when it comes to security will cost you. Maybe even your business! According to the most recent Ponemon Institute 2016 State of Cybersecurity in Small and Medium-Sized Businesses* report, 55 percent of small to medium-sized businesses (SMBs) experienced a cyber attack in the last 12 months, and 50 percent experienced a data breach involving customer and employee information, costing these companies over $879,000 in damages and $955,000 due to normal business operations being disrupted. According to a 2016 Small Business Trends report 60 percent of small businesses go out of business within 6 months of a cyber attack (https://smallbiztrends.com/2017/01/cyber-security-statistics-small-business.html).
I know, I know, but we just don’t have the time! According to the Ponemon report I mentioned above you are right. 67% of SMBs have insufficient personnel for a fully effective security posture. Yet, as a Board Director or Senior Exec you are still on the hook. According to J. Yo-Jud Cheng and Boris Groysberg, authors of the HBR article Why Boards Aren’t Dealing with Cyberthreats**, “These findings confirm that directors simply aren’t internalizing the extensive, long-term damage an attack could inflict on their organizations.” In short, they haven’t felt the pain.
What do you do? “First, seek to understand, then to be understood” – A great insight from Stephen R. Covey. Get help and start at the beginning – Assess the current state. Have a security assessment completed based on a well-known standard, such As ISO 27001, that goes beyond just technology. Understand where your baseline is. Keep in mind that security risks are constantly changing. If its been over a year since your last assessment it’s time for a new one.
Who can help me with this? Arcadia Services Group can help. Contact us to set up a free 30 minute consultation.
Brian Loken is a Husband, Father, Geek and Long-time I.T., Information Security and Process Improvement professional. You can connect with Brian via LinkedIn (https://www.linkedin.com/in/brianloken/) or send him an e-mail at firstname.lastname@example.org