Small Business Cyber Security: The Ostrich Effect

The following blog first appeared on the Secure ERP blog. It is reprinted here with permission.

Some small business owners will realize I’m describing them after they read this blog, but then those same c-level guys won’t see it and even if they do, they won’t read it, because they don’t want to know.  Actually, that’s not really fair.  These business managers don’t understand technology and don’t have time to understand it.  Frustrated by the whole situation, too many CEOs assume they’re completely invulnerable or, as my title implies, they develop The Ostrich Effect.  Let’s look at why either stance is a disaster waiting to happen.

Invulnerable Until It Happens

It reminds me of teenagers not wearing seat belts.  They’ll be careful; they won’t get in an accident.  Honestly, I was never worried about how my kids drove, but more so the other crazy drivers out there.  Cyber Security is similar in that you can do everything right.  However, if you haven’t trained your employees, they may unintentionally expose your business to cyber criminals.  The company owner may also think, “Hey, I let my IT guy worry about it.” Is that your attitude to your entire business? If you’ve hired an accountant, you never check the bank account or review the books?  Now do I expect you to ask to review your firewall rules? Of course not. But I expect you to ask your IT guy what layers he’s using to secure your business. Also ensure they carry Errors & Omissions Insurance to cover YOU in case they commit some form of negligence.

Ignored Until It Hits The Fan

Trust me, I get it.  I sometimes feel like that life insurance agent saying “It’s not a matter of IF, but WHEN.”  Occasionally, I’m treated that way too.  Because there are about 15 different layers of security a business can implement, selecting the most cost effective layers truly is a daunting task.  This may be why 85% of IT firms don’t bother with a cyber security service at all.

Insecure:  In a July 2017 study, 85% of MSPs don’t offer clients any form of cyber security services – “State of North America Managed Services” prepared for Barracuda MSP by the 2112 Group
Here are the top 3 layers I ensure are implemented properly first. And just saying you have them doesn’t make it pass muster. The Titanic was unsinkable.

1. Business Continuity (previously called Backup/Disaster Recovery) Backing up to USB hard drives doesn’t cut it anymore. Ask me and I’ll lay out the business reasons why.
2. Employee Training – Statistically, your employees are your weakest link without training.
3. Advanced Endpoint Protection (you call it “Anti-Virus”) If what you have installed isn’t Behavior-based and covered by a 24/7 Security Operations Center, you aren’t covering this base anymore. The attacks have surpassed the capabilities of legacy, signature-based anti-virus. It’s better than nothing, but not much more than that. Here’s the best protection I’ve found so far.

Obviously, I’d like your business to have a few additional layers and if you hire me I’ll recommend what I think will BEST keep you safe.  Turn them down and I’ll ask you to acknowledge you were warned.  I have to protect myself from the Ostrich too.