The Softest Target

Cybersecurity and the role of employees managing cyber risk is a hot topic.

A sigh of relief for a small business managing cyber risk – that’s true whether you have a couple of employees in a 1,000 sq. ft. office, a few hundred employees, or you’re a seasoned security professional in the Fortune 500.

Whether you have a few hundred employees, or you’re a small business managing cyber risk, this is probably new to you. A few years ago a typical response to any cyber risk question for your business was, “What risk? We’re too small to be hacked.”

Since then, the threat landscape has changed. The bad guys aren’t necessarily targeting the big companies with large, well-funded Information Security departments and credentialed CIOs/CISOs.

Today the softer target is you. Not you specifically, but you and a few thousand other smaller businesses targeted by an automated attack. No one cares how small or large you are, what services you offer, or what information you keep on hand – they care that you have minimal security procedures. If the bad guy can attack a few thousand companies with minimal effort and extract even some value from a few, their ROI can be significant.

The quickest way into your most valuable information or your customers’ accounts is through your employees. That’s why so many organizations are thinking about employees managing cyber risk.

Small and medium sized business owners and IT leaders are providing cyber awareness training for their employees to minimize the risk – driven either by their own goals to protect their business and customer information, or by directives from their customers during third-party risk assessments, industry standards, or government requirements like GDPR, NY regulations, and others. Learn how to develop an annual cyber awareness training for employees.

Value of an Attack

I picked up a book last week that I turned around in about two days.

That makes me sound more proficient than I really am – in reality it was efficiently written and extremely valuable so it allowed me to read through and start putting the messages into practice on Monday.

The book had a great relation that is timely at this point in the year. The author, Rob Arnold, talks about how it would have been challenging to monetize a W-2 form 10 years ago – its value would have been near the value of the paper it’s printed on. Today, the going price for a W-2 is between $4 and $20. If an attacker operates from a country where $20 is a full day’s wage, it makes sense to steal even just a couple.

Think about that – the bad guys can automate an attack with relative ease against hundreds or thousands of businesses from anywhere in the world. If they land a small percentage of those and extract some valuable information from the companies, it can be monetized for a significant return.

Make sure that your employees know how to recognize potential threats with Employee Cybersecurity Awareness Training. That’s how employees play a role in managing cyber risk.

Employees Managing Cyber Risk

Circle back to the daunting part of all this – if you don’t have an expert CISO and a huge security budget, where does a small business managing cyber risk even start? I am not affiliated with this book in any way, but I’m eager to share it as it’s a perfect place to start. The book describes the processes a leader should go through to manage cyber risk, whether you have thousands of employees or are a solo entrepreneur. It provides actionable steps that a small business can (and should) follow. For a small business, there was an impactful recurring theme of providing actionable advice for leaders of organizations of any size, and actually breaking out in further detail how a step might work differently if you’re a small business or even a solo business owner. Here’s an example.

However, in very small companies those advisory roles are typically mentors or vendors. For instance, a small company will tap its insurance agent as a team member to represent that field.

Cybersecurity: A Business Solution provides an executive perspective on managing cyber risk. It won’t weigh you down in technical detail, and it’s written efficiently so you can learn what you need and take actionable steps. Highly recommend.

Employees’ Role in Risk Management

For a small business, managing cyber risk is a balance between prevention and preparedness – Rob Arnold recommends bringing in stakeholders from IT, legal, accounting, insurance, and your vendors to make the best plan for managing risk. This helps you manage risk not only through prevention, but also by making sure that you’re protected and ready to respond if/when a breach occurs.

Employees can sometimes be overlooked as an important piece of the risk management puzzle, even though they play a significant role in cybersecurity. Most threats target employees as an entry point into your business, or an entry point into your biggest customers’ businesses. That means they are your first line of defense. It’s also important to understand that even the best IT infrastructure won’t prevent a well-meaning employee from clicking a malicious link, or providing their password over the phone to someone claiming to be from IT. Thus the need to train employees on cyber awareness, simulate phishing attacks to prepare employees, and place importance on employees managing cyber risk.

3 Steps to Cyber Awareness in an SMB

As a leader there are three goals when it comes to your employees and cybersecurity.

  1. Build a vision for your company that includes cybersecurity so employees understand the value to your business.
  2. Empower your employees to identify and mitigate risks to the company.
  3. Develop an ongoing campaign to ensure security is a part of your culture.

Making employees aware of risks and making them active participants in cybersecurity are key to a strong cybersecurity program.

Before you go

Wuvavi provides the world’s only cyber awareness platform developed for small and medium sized businesses that you can buy, enroll employees, and deploy in under 3 minutes. Learn more and sign up for a free trial. Wuvavi helps employees of small and medium businesses manage cyber risk.