Coordinated Business Systems Blog

SMBs Must Understand These 9 Notorious Cybersecurity Risks

Information security breaches and hacks aren't only problems for large, well-known businesses.
Cybercriminals are targeting businesses of all sizes – especially SMBs.

Why SMBs?

Most SMBs have poor security strategies and are vulnerable to phishing and other attacks that expose them to ransomware and other data breaches.

Don't miss learning about risk factors from world-renowned IT security expert, Ken Barnhart. Here's a sneak peek into what Ken will be sharing with all of you in this blog.

Q: Quickly define Cybersecurity in the context of an SMB.

KB: For thousands of years, security has been simple to define and hard to do. At its most basic level, security is about the protection and preservation of assets. Cybersecurity is the extension of the reality into the digital world that we all live in on a day-to-day basis.

Q: What harm can a data breach do to an SMB?

KB: Data is the most valuable asset that isn’t on most organizations’ balance sheets.

In the SMB, a major data loss is all too often a business-ending event.

Statistics indicate that 60% of companies who suffer a major data loss go out of business within 6 months and 80% will fail within 18 months.

Let me give you a quick example. Most companies have a CRM system of some kind to track their sales data. The Ponemon Institute research shows that the average loss value of claims paid is around $102 per record lost. So if, for example, you have 1,000 CRM records lost, that could be quantified as at least a $102K loss. Yet when I ask CEOs around the country to estimate the economic impact of having their best sales rep steal their CRM database and take it to their biggest competitor, the answer always starts in the millions.

Q: Beyond an overreliance on technology to fix the problem and ignoring the problem, what are the dumbest things SMBs do security-wise?

KB: Actually the dumbest thing that any business can do when it comes to cybersecurity is define it as a technical problem and “delegate” it to the IT function. Kiss of Death. 80% of the issues related to cybersecurity within an organization are beyond the organizational authority of the IT function. 

As proof, when is the last time the IT function was given the authority to amend or re-write the HR policy manual? Yet employees represent the greatest single risk factor in any cybersecurity posture.

Research shows that 68% of employees who plan to quit steal company data before their last day of work. Over 90% of employees surveyed admit that they share passwords to company systems in violation of HR policy. When is the last time you heard of an IT function having the authority to do anything about either of these issues?

In the publicly traded enterprise space, the CEO and the board of directors are being held legally and financially liable for the efficacy of their cyber program. In the SMB, the CEO is typically entrusting this to someone who is totally unqualified and probably doesn’t even want the job.

Q: What is one of the notorious 9 risk factors? 

KB: One very common risk factor is what we call “money in motion.”

One comment I hear quite often from SMB leaders is, “I don’t have anything that hackers would want.” My response is to ask, with a show of hands, how many businesses in the room have cash in a bank account?

Payroll transfers, ACH, ETF, and wire transfers are all examples of money in motion.

The CEO Email Scam is one of the more notorious examples of this risk factor.

Q: SMBs are scared they can't afford security. How much does it cost (say for an “average” 30 person office) to secure a company's network and information? 

KB: This is a common question that is essentially impossible to answer in an intelligent way. Anyone who claims they can provide an accurate average or rule of thumb without knowing the nature of the business is not worth listening to. “Prognosis without Diagnosis” is by definition malpractice.

Let me give you an analogy. What if I asked you what the cost of an average SUV would be without asking you where you were going to drive it and what you needed it to do?

If you need a grocery getter for the suburbs that gets good gas mileage, a $25K Ford Escape would be a reasonable choice. If you need an SUV to haul golf clubs to the Beverly Hills Country Club, a $150K Range Rover is probably going to be the SUV of choice. If you are transporting VIPs outside the Green Zone in Iraq down a highway with IEDs, the Cougar 4X4 Anti-Mine vehicle that costs about $800K is going to be your best bet. If you have a 50/50 chance of having to endure an IED explosion, the gas mileage or prestige of the badge don’t really mean much to you.

If you run a title company that does 100 wire transfers a week for your customers’ escrow accounts, your cyber program will look totally different than a medical device or software engineering shop that can have the entire company’s future leave the facility on a high-capacity USB.

The Notorious Nine: Stop Guessing and Start Quantifying

News of another major breach or cyber incident at a big company seems to hit the headlines on a daily basis. The New York Times alone devoted over 700 articles to “breaches” last year. Most executives have reached “alert fatigue” and have simply tuned out. Yet, according to FBI statistics, 97% of the actual financial losses related to cybercrime are occurring in small and mid-market organizations. The “CEO Email” cyber scam alone cost US companies over $1.3 billion, and incidents are up 270% over last year. These losses can have business-ending impacts. Statistics indicate that 60% of companies that have a major cyber incident will go out of business in 6 months. That number rises to an 80% failure rate 18 months after the incident. Why?

One major contributor is the fundamental misunderstanding of cybersecurity in the mid-market C-suite. In a recent survey, 82% of mid-market executives stated that they don’t believe they are a target, said they don’t have anything a hacker would want, or asserted that cybersecurity is exclusively a large-organization problem. Clearly this perception does not match reality.

This forces the question: how do you accurately quantify your organization’s cyber risk? How much should you budget? Where should you spend? For those not conversant in the nomenclature of the information security professional, quantifying your organization’s overall cybersecurity posture can be a frustrating exercise.

In this session Ken will outline the “Notorious Nine” risk factors using common business and financial metrics, specifically from the perspective of customer segments, revenue streams, the balance sheet, and the importance of your company’s brand. If you have ever struggled to determine how much and where you should be spending on your cybersecurity program, this session is for you.

Why Listen to Ken?

He knows what he's talking about! Ken Barnhart has amassed over 25 years of experience as a CEO and IT Executive. He served as a CIO by age 35, and in his over 20,000 hours of consulting, Ken has helped companies of all sizes design, host, and defend private, public, and hybrid cloud environments. His clients include 3M, Boeing, Bristol Myers Squibb, Cargill, Department of Defense, Microsoft, Texaco Chevron, and many others. Mr. Barnhart’s business philosophy is distinguished by a passion for excellence, and his approach to technology is governed by an unrelenting drive to simplicity, value, and mission success.
