Why should small businesses care about Information Security?
Of course, every business is different. Each one will have their own unique set of business drivers. These are the top four that Focivity sees regularly. The intent of this article is not to be exhausted or to scare you. Rather, it is to illustrate that an Information Security program doesn't exist for its own sake. It exists to support the business and help the business to manage risk and achieve its objectives.
According to the SBA, there are over thirty-two million small businesses in the United States. The vast majority of them employ twenty or fewer people. Owning and operating a small business takes a special kind of person – they must believe in themself and their mission. This entrepreneurial optimism is part of the magic that makes them successful. Their appetite for risk helps them to press on when most would retreat to their comfort zone.
What does any of this have to do with business drivers for security? I'm glad you asked!
Small business owners have to hustle, and they have to be decisive about where to invest their resources. Those decisions that they make are influenced by their appetite for risk. Cybersecurity related risks can seem very abstract in terms of probability, impact, and mitigation. As a result, the perceived risk is low. There are always more pressing concerns. The entrepreneur's focus on getting things done today is what drives their business forward. It is easy to fall into the trap of thinking that the company is too small or uninteresting to be a target. Those abstract risks have never been a problem before. We know we should, but we will get to it later. We need to move fast now.
As a consultant, I see this often. And you know what? They are right! It isn't a problem. Until it is. It is at that moment that the organization realizes a legitimate business driver for cybersecurity. Thankfully, it isn't always an emergency when it happens.
There are four primary business drivers that small businesses tend to acknowledge as the reason that they are ready to begin building an Information Security Program.
Security Incident or Loss
Regulatory or legal compliance provides one of the clearest drivers for security in a small business. Prescriptive requirements dictated to the organization by governmental agencies are not optional. The organization must comply or face penalties. There is rarely anything abstract about the risks of non-compliance.
Sales pressure occurs when the lack of an Information Security program begins to affect sales activities. This is most common with business-to-business sales. Business customers are becoming more sophisticated when it comes to managing their risks. When an organization's customers start asking questions about the security of customer information, the sales cycle can become unreasonably long. Even worse, sales may be lost if those customers are asking for specific documentation or third-party security assessment reports, such as AICPA SOC-II, that the organization cannot produce.
The cost of cyber insurance is another business driver for security in small businesses. Insurance companies are looking much more closely at cyber risks today than they were just a year or two ago. The application questionnaires have become much more thorough and complex. Insurance costs are increasing, coverage is decreasing. New limits and exclusions are being written into policies. Furthermore, an organization that states, either erroneously or intentionally, that security safeguards are in place when they are not run a real risk of having claims rejected when an incident occurs.
Lastly, a cybersecurity incident or other information related loss provides a strong and very unfortunate business driver to build an Information Security program in a small business. When something bad happens, such as a ransomware attack or a system failure resulting in business interruption, it gets attention. The cost of responding to and recovering from an incident can include the costs of business interruption, legal counsel, forensics investigation, data recovery, rebuilding computer systems, crisis communications, and monetary fines or penalties, just to name a few. These costs typically amount to several hundred thousand dollars at a minimum and can climb quickly from there. When this happens, the risks are no longer abstract. They are very real. Following an incident, there is typically a commitment to invest as necessary to ensure that the organization is protected from a future incident.
Of course, every business is different. Each one will have their own unique set of business drivers. These are the top four that Focivity sees regularly. The intent of this article is not to be exhaustive. Rather, it is to illustrate that an Information Security program doesn't exist for its own sake. It exists to support the business and help the business to manage risk and achieve its objectives.
We will discuss two more business drivers – efficiency and organizational scale – in other articles later this year.
Click the links at the top of the page to follow Focivity on Twitter, LinkedIn, and Facebook and let us know what you think!