Small businesses are an important part of our nation’s economic and cyber infrastructure. According to the Small Business Administration, there are approximately 28.2 million small businesses in the United States. These businesses produce approximately 46% of our nation’s private-sector output and create 63% of all new jobs in the country. The Small Business Administration has the responsibility for defining small businesses; the definition varies for each industry sector. This publication uses the most recent Small Business Administration definitions. “Small business” is synonymous with Small Enterprise or Small Organization and includes for-profit, non-profit, and similar organizations.
For some small businesses, the security of their information, systems, and networks might not be their highest priority. However, an information security or cybersecurity incident can be detrimental to their business, customers, employees, business partners, and potentially their community. It is vitally important that each small business understand and manage the risk to information, systems, and networks that support their business.
Many businesses in the United States have been allocating resources including people, technology, and budgets to protect themselves from information security and cybersecurity threats. As a result, they have become a more difficult target for malicious attacks from hackers and cyber criminals. Consequently, hackers and cyber criminals are now successfully focusing more of their unwanted attention on less secure businesses.
Because small businesses typically don’t have the resources to address information security the way larger businesses can, many cyber criminals view them as soft targets. Your small business may have money or information that can be valuable to a criminal; your computer may be compromised and used to launch an attack on somebody else (i.e., a botnet), or your business may provide access to more high-profile targets through your products, services, or role in a supply chain.
It is important to note that criminals aren’t always seeking profit. Some may attack your business out of revenge (e.g., for firing them or somebody they know), or for the thrill of causing havoc. Similarly, not all events that affect the confidentiality, availability, or integrity of your information (information security events) are caused by criminals. Environmental events such as fires or floods, for example, can severely damage computer systems as well.
The overall impact of an incident could include:
- damage to information or information systems;
- regulatory fines, penalties, legal fees;
- decreased productivity;
- loss of information critical to running your business;
- an adverse reputation or loss of trust from customers;
- damage to your credit and inability to get loans from banks; or
- loss of business income.
Unfortunately, in one respect, small businesses often have more to lose than larger organizations simply because an event, whether a hacker, natural disaster, or business resource loss, can be extremely costly. Small businesses are often less prepared to handle these events than larger businesses, but with less complex operational needs, there are many steps a small business may be able to take more easily. Thus, it is vitally important that you consider how to protect your business.
Small businesses often see information security as too difficult or as requiring too many resources to implement. It is true that there is no easy, one-time solution to information security; it takes time and careful consideration with all relevant stakeholders. However, when viewed as part of the business’s strategy and regular processes, information security doesn’t have to be intimidating.
A strong strategic information security program such as ISO 27001 can help your organization gain and retain customers, employees, and business partners. Customers have an expectation that their sensitive information will be protected from theft, disclosure, or misuse. Protecting your customers’ information is an example of good customer service and shows your customers that you value their business, potentially increasing your business opportunities.
Similarly, employees have an expectation that their sensitive personal information will be appropriately protected, and a comprehensive information security program can help employees feel valued and help improve their knowledge, skills, and abilities. Also, other business partners want assurance that their information, systems, and networks are not at risk when they connect to and do business with your business; demonstrating to potential business partners that you have a method to protect their information can help strengthen and grow your business relationship. Developing or improving your information security program will also make it easier for your organization to innovate, taking advantage of new technologies that can lower costs while delivering better services to your customers.
It is not possible for any business to be completely secure. Nevertheless, it is possible and reasonable to implement a program that balances security with the needs and capabilities of your business.
Ezentria provides small businesses with the practices and tools needed to develop an information security program to protect your business’s information. Contact us for a complimentary initial consultation to discuss your organization’s individual needs.