By Adam Stern | Business.com
There’s often a tacit sense of accomplishment when something once on the margins goes mainstream. Mobile payments, cutting the cord, home automation, that kind of thing.
Cyberattacks are an exception. It’s not that they haven’t gone mainstream; they have, and with a vengeance, but there’s zero satisfaction in their newly entrenched status. While technology providers are obviously on the hook, mainstream businesses – small businesses in particular – aren’t mere bystanders.
A handful of recent headlines underscore the point. According to a recent CNBC report, “Hacks are affecting everyday life … cyberattacks on supply chains, governments and financial institutions are bad for not only those directly affected but also customers, suppliers and residents.” The network cited tax delays and canceled home sales as among the “costly ripple effects” of porous cybersecurity.
In that same vein, a Kaspersky Lab report indicated that companies moving to the cloud “still ignore security concerns – 9 in 10 cloud breaches occur due to employee mistakes.” And Dror Liwer, in his article for Business.com, pulled no punches in describing the peril of cyber complacency, suggesting cyberattacks on small and midsize businesses could trigger a “trickle-up recession.”
Earlier this year, a major cloud-based payroll software provider suffered a crushing ransomware attack that took down payroll management services for hundreds of the company’s customers over a three-day period. Faced with the threat of an extended outage, provoked by a destructive strain that encrypts computer files and demands payment for a digital key needed to unscramble the data, the company paid the ransom and began restoring service. The target organization’s reach was significant, touching payroll service bureaus that cater to small businesses nationwide. Payroll customers, in turn, were beside themselves. While one key provider was battling pneumonia, everyone else caught a cold.
The fact is, in cyberspace, everyone’s ox is (potentially) gored. An estimated 60% of companies have experienced a hack of some kind. And that being the case, it behooves every business to take cloud security seriously, for the greater good. Cyber engagement is no longer an option but a requirement. Small businesses need to have each other’s backs. They need to defend themselves against things they didn’t do and that were not personally directed at them. They need to be good stewards by implementing policies and practices that acknowledge what is almost a fiduciary duty to the market at large – a tough pill to swallow given the rough-and-tumble nature of everyday competition.
Practically speaking, what does it mean for an SMB to be a good steward in this brave new cyber world?
Companies can start by becoming familiar with online threats and at least somewhat conversant with tools to arrest them – no single system can circumvent vulnerabilities that haven’t been patched. Still, there are things that businesses can and should do to maximize their safety and, indirectly, make the cloud a more secure place in which to compute.
You might think of these as steps – concentric circles, really – for SMBs on the road to good stewardship:
The human element remains the most important social engineering piece of this construct. It’s always best to stop a problem early, before it festers and productivity suffers. Think smoke detectors versus sprinkler systems.
There’s no quick fix, but there are fixes. High-profile companies need to take cloud security seriously, not just for themselves and their users, but for just about everyone. One misstep by one well-placed player can easily overlap and affect others. Everyone needs to treat user data with respect or risk ripples with untold consequences.
Corporate responsibility – what companies owe their stakeholders, whoever they may be – is the embodiment of enlightened self-interest. By holding itself to a higher standard than just getting by, an organization generates goodwill, cements customer relationships and, to an extent, inoculates itself against trouble down the road. “Cybersecurity activism,” for lack of a better term, isn’t a marketing strategy but, instead, is central to this “good stewardship” mindset. Case in point: Every organization needs to have some kind of business continuity plan, whether that plan is simple or complex – a plan that provides a course of action when the worst of the worst happens.
Cybersecurity is but one bullet point in that plan. Disaster recovery shouldn’t be treated as a siloed task, a matter of too little encryption, porous firewalls or some other technology-driven glitch that, once fixed, doesn’t actually move the business any closer to seamless operations. “Business continuity” is all-encompassing, full stop. Every organization should be in the business of mitigating risk.
Because cybersecurity is of the moment, its value lies in part in raising awareness among companies that haven’t fully thought about the big picture, of which cybersecurity is simply an element.
So what does your plan look like? In the event of a quake or a hurricane, do you have a way to restore your business processes, not just your data? How do users function? How do you serve customers? Can you answer the phone? Can you continue to sell your services, even after the event? If your employees can’t work, where’s the continuity?
The astute way to frame this discussion is to think of the gestalt of the cloud, not of the roles of the various actors (innocent, complacent, negligent, etc.). Any platform or environment succeeds only to the extent that users/stakeholders trust it. Responsibility for fostering trust isn’t “out there,” with IT or tech support; it rests with rank-and-file users.
That’s why every company doing business in the cloud (that is, off-premises, remotely) needs to understand that failing to arrest breaches harms the business community as a whole. The fiduciary mindset is the right response to hacks and ransomware and cyberattacks, because it affirms that everyone has skin in the game. Indeed, users are central to the security model. Users, not techies, deserve an informed, even sophisticated, approach to the seemingly mundane practice of opening (or not opening) emails and attachments.
The strangely good news is that technology won’t save us. What will, however, are changes in attitude and awareness. Both are more powerful than policies and procedures. Responsible cybersecurity means small businesses are in this together. This is top-down, bottom-up and side to side – enough to shake us all awake.