Last updated on January 17th, 2021 at 12:09 am
No target is too small.
Cyber security is one of the most important issues for any company that has computers or information systems. Unfortunately, it’s also one that gets overlooked, particularly by small businesses. Although cyber security lapses at large businesses such as The Home Depot, Yahoo, & Gmail are well documented and covered by the media, small businesses are just as much at risk of attack. Some small business owners tend to think that simply because they’re not a huge company, they can fly under the radar and cyber thieves won’t find them. Nothing could be further from the truth.
No Target is Too Small
I recently set up my company’s customer support website. The site only gets a few visitors each day and I don’t advertise the address. All of my websites sit behind an application firewall that automatically blocks known malicious IPs and rate limits login attempts to protect the site’s registered users from brute force attacks. The site is also configured to discourage indexing by search engines. So you’d think this is exactly the kind of situation where a site could fly under the radar, right? Wrong. Within 2 days of making the site live, I was seeing failed login attempts from IPs in China, Russia, Ukraine, India, & many other countries. Bots sweep the Internet looking for any site they can log into using common usernames & passwords. The truth is that no matter how small you are, you’re already a target and should take cyber security seriously.
If you’re reading this article, the odds are that I don’t have to convince you. You’re probably already working in the tech industry. You’re likely dealing with a client or employer who doesn’t understand why their processes should be slowed down because you think it would improve security. They don’t even know what cyber security really is. It’s a difficult situation, especially when the decision to take such measures is left to non-technical managers & owners.
The Cyber Security Black Hole
Whether you’re a consultant or an employee in a company’s IT department, few things are more frustrating than having your security recommendations pushed aside by those who don’t understand them. Sometimes the implementation cost is too high. Other times, the slowdown to production is unacceptable to management. Even more infuriating is when those same managers, CEOs, & owners who shoot down your recommendations point the finger at you (or the IT department) when something gets exploited – especially if that exploit wouldn’t have happened had they listened in the first place. Unfortunately, these types of scenarios are frequently our own fault.
Cyber security professionals and other technical people are really good at knowing their jobs. Unfortunately, we also have a reputation for expecting everyone else to be more technical than their job requires. Getting through to these clients & managers requires 3 things:
- Learning how to illustrate risk
- Knowing the business you support
- Building relationships with the company leaders
Learning How to Illustrate Risk – Know the Business You Support
CEOs, CFOs, owners, and other managers really only understand one thing: money. Their job is to make sure that the company makes money, either for stockholders or for internal stakeholders. To get through to them, it’s important for a consultant or cyber security expert to understand how the company works as a whole. Whether you like it or not, a good IT person has to learn more about their company than just the technology. How’s the money made? What’s the effect if a system becomes unavailable? Who makes the decisions in different departments?
Knowing how the company works is critical to being able to adequately define the risk of not practicing good cyber security procedures. What parts of the operation rely on each system? Perhaps there are written procedures that don’t provide an alternative way to do a critical task in the absence of a working system. For many of us, this means stepping out of our comfort zones and exploring the work of our company or clients outside of just their IT environment.
The IT guys are some of the only folks in a company who can suddenly find themselves in the office of a CEO without an appointment. Nobody turns away IT support. Learn to take advantage of these moments by asking real questions about the company. Ask managers & other leaders in the company questions like:
- What are the challenges you’re facing lately?
- How are company sales looking this year?
- What area of production is your current bottleneck?
- Where are you losing the most money?
Although some managers won’t be forthright with this type of information, anything you get can be a tool down the road. It gives you information you can use to determine more accurately what really happens to the company if a certain function is lost. Sometimes that impact isn’t even clear to managers until a cyber security specialist points it out.
It also lets the company leaders know that the person pushing cyber security is actually interested in how the business works. That goes a long way toward developing trust. Ultimately, that’s your goal: get company leaders to trust you enough that they’ll take your word for it when it comes to cyber security.
Putting it Together to Communicate to Non-Technical Leaders
Take a look at these two examples of the same proposition to a CEO to see the difference:
We need to institute a segregated network for all of our legacy systems to protect them from attacks from the Internet. We’ll need approximately 5 new layer 3 switches & configuration time to set them up. The total cost in additional labor and hardware is going to be about $22,000.
The above statement would likely not be received very well by a company CEO. All he hears is, “I wanna spend money on tech stuff.” From his perspective, everything is working right now. Why fix what isn’t broke?
We have 7 systems right now that are so old they can easily be attacked from the Internet. There’s no way to patch them because the software manufacturer stopped supporting them years ago. Two of those systems are critical to production of the company’s main product. If those systems go down, it would cost $40,000 in lost production in the first day alone, plus whatever customer confidence is lost in our delivery schedule as the company falls behind in filling orders. We can protect them with a segregated network, but the extra hardware and labor is going to cost about $22,000 to accomplish it correctly. There might be some ways to cut the cost a little, but with the amount of money at stake, it’s best that we just do it right from the start.
Now this statement (and I’ve used something very similar before) is more likely to get someone’s attention. But you can’t do it without knowing the business you support. Learning what goals matter to the decision makers & showing them how cyber security will help them achieve those goals is the key to getting them on board with your plans.
Understanding a Rejection
Finally, there may also be times when a manager or CEO still decides not to take your recommendations into account, even after you’ve done everything you can to convince them. One of the things I’ve learned over the years is that once you know the business you support, sometimes the rejection will actually make sense. Perhaps the cost of the solution is much higher than the loss that would result from an exploit, or perhaps the company is planning a change that would make the vulnerable system obsolete anyway. If you do a good job of building those relationships, the leaders who reject your idea will give you good reasons for doing so, and you’ll be able to sleep at night knowing you did your part.