The Softest Target

Managing cyber risk can be daunting.

Smaller business leaders can take a sigh of relief here: that’s true whether you have a couple of employees in a 1,000 sq. ft. office, a few hundred employees, or you’re a seasoned security professional in the Fortune 500.

If you have a few, or a few hundred, employees, managing cyber risk is probably new to you. A few years ago a typical response to any cyber risk question for your business was, “What risk? We’re too small to be hacked.”

Since then, the threat landscape has changed. The bad guys aren’t necessarily targeting the big companies with large, well-funded Information Security departments and credentialed CIOs/CISOs.

Today the softer target is you. Not you specifically, but you and a few thousand other smaller businesses targeted by an automated attack. No one cares how small or large you are, what services you offer, or what information you keep on hand – they care that you have minimal security procedures. If the bad guy can attack a few thousand companies with minimal effort and extract even some value from a few, their ROI can be significant.

Value of an Attack

I picked up a book last week that I turned around in about two days.

That makes me sound more proficient than I really am – in reality it was efficiently written and extremely valuable so it allowed me to read through and start putting the messages into practice on Monday.

The book draws a comparison that is timely at this point in the year. The author, Rob Arnold, talks about how it would have been challenging to monetize a W-2 form 10 years ago – its value would have been near the value of the paper it’s printed on. Today, the going price for a W-2 is between $4 and $20. If an attacker operates from a country where $20 is a full day’s wage, it makes sense to steal even just a couple.

Think about that – the bad guys can automate an attack with relative ease against hundreds or thousands of businesses from anywhere in the world. If they land a small percentage of those and extract some valuable information from the companies, it can be monetized for a significant return.

Managing Cyber Risk

Circle back to the daunting part of all this – if you don’t have an expert CISO and a huge security budget, where do you even start? I am not affiliated with this book in any way, but I’m eager to share it as it’s a perfect place to start. The book describes the processes a leader should go through to manage cyber risk, whether you have thousands of employees or are a solo entrepreneur. It provides actionable steps that a small business can (and should) follow. As a small business, I found one recurring theme especially impactful: the book provides actionable advice for leaders of any sized organization, and then breaks out in further detail how a step might work differently if you’re a small business or even a solo business owner. Here’s an example.

However, in very small companies those advisory roles are typically mentors or vendors. For instance, a small company will tap its insurance agent as a team member to represent that field.

Cybersecurity: A Business Solution provides an executive perspective on managing cyber risk. It won’t weigh you down in technical detail, and it’s written efficiently so you can learn what you need and take actionable steps. Highly recommend.

Employees’ Role in Risk Management

Managing risk is a balance between prevention and preparedness – Rob Arnold recommends bringing in stakeholders from IT, legal, accounting, insurance, and your vendors to make the best plan for managing risk. This helps you manage risk not just from the standpoint of prevention, but also by making sure that you’re protected and ready to respond if and when a breach occurs.

Employees can sometimes be overlooked as an important piece of the risk management puzzle, even though they play a significant role in cybersecurity. Most threats target employees as an entry point into your business, or as an entry point into your biggest customer’s business. That means they are your first line of defense. It’s also important to understand that even the best IT infrastructure won’t prevent a well-meaning employee from clicking a malicious link, or from providing their password over the phone to someone claiming to be from IT.

As a leader, you have three goals when it comes to your employees and cybersecurity.

  1. Building a vision for your company that includes cybersecurity so employees understand the value to your business.
  2. Empowering your employees to identify and mitigate risks to the company.
  3. Developing an ongoing campaign to ensure security is a part of your culture.

Making employees aware of risks, and making them active participants in cybersecurity, is key to a strong cybersecurity program.

Before you go

Wuvavi is an employee awareness platform that makes every employee in your organization an active participant in cybersecurity through training, phishing simulations, and analytics. If you pick up Rob’s book to develop your own risk management strategy, we’d be ecstatic to play the role of adviser on employee risk on your risk management team.