The statistics are dismal: small and medium businesses still have trouble keeping up with cyber security trends and remain among the most common and lucrative targets. Attacking an unsecured business network is low effort and low risk, and thieves know that they can just make up for the smaller gains by pursuing a greater quantity of victims. The situation will continue to get worse before it gets better.
If you’re a network administrator for a lax-security small business, you may have encountered difficulties getting management to acknowledge and address the risk. Security experts and businesspeople tend to speak in different terms, but have similar goals: this quick guide will help you bridge that communication gap.
1. Ask About the Circumstances
Business owners and executives always have reasons for doing the things they do, and those reasons are not always just about the money. Get some background. Maybe some computers are still running an unsupported operating system because a crucial but proprietary piece of software requires it. Maybe there were compatibility problems with new solutions worth considering.
You’ll have a better chance of convincing management if you can speak in terms of problems that are familiar to them, and the cost benefits of correcting those known annoyances. Catch their attention by addressing these well-known issues first. You can use what you learn in your later proposals.
2. Describe Real and Potential Financial Losses
Any proposal should prominently feature a look at the real and potential costs of inadequate security infrastructure. Compare these costs to the relatively small investment in a basic firewall, antivirus, network monitoring, and a patch management tool such as WSUS (Windows Server Update Services) – small, scalable steps that filter out the most common security threats.
Real costs can include things like extra tech staff time spent bringing software and operating systems up-to-date, loss of productivity as employees struggle with poorly implemented security features, tech staff time spent cleaning up any malware or poorly managed files, and other general security inefficiencies.
Potential losses include the cost of lawsuits, fines, and bad publicity that come with personal data breaches. The investigation and disclosure costs alone can put many businesses under. Even if the data breach doesn’t result in serious direct losses, the system downtime associated with even the simplest cyber attack or virus could bring business operations to a halt.
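The comparison in this section is easier to put in front of management as a number. The following worksheet is an added example, not part of the original article: it applies the standard risk formulas ALE = SLE × ARO (annualized loss expectancy = single loss expectancy × annualized rate of occurrence) and ROSI = (ALE reduction − control cost) / control cost to a few constructed scenarios. Every figure in it is a made-up placeholder to be replaced with estimates from your own business, and the scenario names and the `reduction` percentages are assumptions for illustration.

```python
"""Annualized-loss and return-on-security-investment worksheet.

Added example, not from the original article. Applies ALE = SLE x ARO and
ROSI = (ALE reduction - control cost) / control cost to constructed
scenarios. All figures are placeholders, not real data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    sle: float        # single loss expectancy: cost of one incident
    aro: float        # annualized rate of occurrence: incidents per year
    reduction: float  # fraction of the ALE the proposed controls remove (0..1)

    def ale(self) -> float:
        """Annualized loss expectancy with no new controls."""
        return self.sle * self.aro

    def residual_ale(self) -> float:
        """Annualized loss expectancy after the proposed controls."""
        return self.ale() * (1.0 - self.reduction)


def rosi(scenarios, annual_control_cost: float) -> dict:
    """Summarize losses before/after controls and the return on investment.

    ROSI > 0 means the controls are expected to save more than they cost
    over a year; ROSI < 0 means they cost more than the loss they prevent.
    """
    if annual_control_cost <= 0:
        raise ValueError("annual_control_cost must be positive")
    for s in scenarios:
        if not 0.0 <= s.reduction <= 1.0:
            raise ValueError(f"{s.name}: reduction must be between 0 and 1")
    ale_before = sum(s.ale() for s in scenarios)
    ale_after = sum(s.residual_ale() for s in scenarios)
    benefit = ale_before - ale_after
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        "annual_benefit": benefit,
        "control_cost": annual_control_cost,
        "net_annual_saving": benefit - annual_control_cost,
        "rosi": (benefit - annual_control_cost) / annual_control_cost,
    }


# Constructed placeholder scenarios (assumptions, not real figures).
SAMPLE_SCENARIOS = [
    # Ransomware outage: ~one incident every two years, 70% reduced by
    # patching, backups and endpoint protection.
    Scenario("ransomware outage", sle=40_000, aro=0.5, reduction=0.7),
    # Routine malware cleanup by tech staff: ~six times a year, mostly
    # prevented by antivirus and a patching tool.
    Scenario("malware cleanup (staff time)", sle=1_500, aro=6, reduction=0.8),
    # Personal data breach with investigation and disclosure costs.
    Scenario("data breach disclosure", sle=150_000, aro=0.1, reduction=0.5),
]

# Assumed yearly cost of the basic firewall/antivirus/monitoring/WSUS bundle.
SAMPLE_CONTROL_COST = 12_000


def sample_report() -> dict:
    """Run the worksheet on the constructed scenarios."""
    return rosi(SAMPLE_SCENARIOS, SAMPLE_CONTROL_COST)


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key:>20}: {value:,.2f}")
```

Present the `ale_before` / `ale_after` pair alongside the control cost; that is the comparison management is used to seeing, and it makes the "we have nothing worth stealing" objection a question of numbers rather than opinion.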
3. Describe the Diverse Sources of Risk
Convincing management to reassess their risk is one of the more difficult parts of selling them on the idea of an updated security strategy. They often don’t realize just how exposed they are: “We don’t have any information worth stealing!” or “We’re too small to become a target!” are common objections. Management might even want to know why they should put that money into cyber security instead of securing the physical premises. These objections all stem from a basic misunderstanding of cybercrime: most attacks are automated and opportunistic, so they hit whatever is reachable and unpatched rather than whatever is valuable.
The sheer number and variety of potential threats is what makes information security so different. Intentional attackers may include competitors, data thieves, disgruntled customers or employees, thrill-seekers, extortionists, abusive contractors, people who peddle bulk contact information and credit card numbers on the web’s black market, etc.
Unintentional sources of risk can include anything from an employee clicking the wrong button and exposing sensitive company information (data loss prevention tools exist for exactly this), to broken software with the potential to corrupt valuable data, to the chance of employees, contractors or visitors stumbling across one of the many malicious scripts and automated exploit kits that populate the web.
4. Create a Sample Demonstration
Many information security organizations release vulnerability scanners to help small businesses identify their security weak spots. Some of these kits even include exploits – you can run the scanner to find a potential vulnerability, release the related exploit on a test workstation, and watch in real time to see whether your existing security measures are enough to catch it. Do this only on an isolated test machine that the business owns, with management’s written permission, and never on production systems: a demonstration that takes down the accounting server will not help your case.
You can find these tools through most major security vendors and penetration testing groups. Sometimes all you have to do is show management a video of somebody else deploying a penetration testing exploit pack on a similar set of business computers. It’s hard to keep up a false sense of security when you see the relative ease with which an exploit can commandeer an unprotected business network.
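A demonstration does not have to involve a live exploit at all. The script below is an added example, not from the original article: it drops the EICAR test file, the industry-standard harmless string that every mainstream antivirus product is expected to detect, onto a test workstation and reports whether the resident protection refused the write, quarantined the file, or left it untouched. An untouched file in front of management makes the point about a missing or misconfigured antivirus without running anything dangerous. The file name, wait time and the `run_check` wrapper are assumptions for illustration.

```python
"""Safe antivirus detection check using the EICAR test file.

Added example, not from the original article. The EICAR string is a
standardized, harmless test signature; it is not malicious code. Run this
on a test workstation you are authorized to use, not on production.
"""
import os
import tempfile
import time

# Standard 68-byte EICAR test string (the backslash is escaped for Python).
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

OUTCOMES = ("blocked_on_write", "quarantined", "not_detected")


def drop_eicar(directory: str, wait_seconds: float = 5.0) -> dict:
    """Write the EICAR file into `directory`, wait, and report what happened.

    outcome  - "blocked_on_write": the scanner refused the write outright
               "quarantined":      the file vanished or was altered in time
               "not_detected":     the file is still present and intact
    detected - True for the first two outcomes, False for the last
    """
    path = os.path.join(directory, "eicar_test.com")  # assumed file name
    try:
        with open(path, "w", newline="") as fh:
            fh.write(EICAR)
    except OSError as exc:
        return {"outcome": "blocked_on_write", "detected": True,
                "path": path, "detail": str(exc)}

    # Real-time scanners normally react within a few seconds of the write.
    deadline = time.monotonic() + wait_seconds
    while time.monotonic() < deadline:
        if not os.path.exists(path):
            return {"outcome": "quarantined", "detected": True, "path": path}
        time.sleep(0.2)

    try:
        with open(path, "r", newline="") as fh:
            intact = fh.read() == EICAR
    except OSError:
        intact = False  # quarantined or locked while we waited

    if intact:
        return {"outcome": "not_detected", "detected": False, "path": path}
    return {"outcome": "quarantined", "detected": True, "path": path}


def cleanup(path: str) -> None:
    """Remove the test file if the scanner left it behind."""
    try:
        os.remove(path)
    except OSError:
        pass


def run_check(wait_seconds: float = 5.0) -> dict:
    """Run the check in a fresh temporary directory and tidy up afterwards."""
    with tempfile.TemporaryDirectory() as tmp:
        result = drop_eicar(tmp, wait_seconds=wait_seconds)
        cleanup(result["path"])
    return result


if __name__ == "__main__":
    outcome = run_check()
    print(f"EICAR test outcome: {outcome['outcome']} "
          f"(detected={outcome['detected']})")
```

Run it on each class of workstation the business uses and keep the results beside the cost figures from the previous section: "three of our five machine types do not detect the standard test file" is a sentence a non-technical owner can act on.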
Keep Seeking Solutions!
Even if management decides to swallow the risk for now, you might still be able to come up with workable solutions in the future. Don’t give up the good fight! The effort is worthwhile: after all, your important data and personal information is stored on those company servers, too!