Cybersecurity Activism: A Wake-Up Call for Every Small Business Owner

By Adam Stern |

There’s often a tacit sense of accomplishment when something once on the margins goes mainstream. Mobile payments, cutting the cord, home automation, that kind of thing. 

Cyberattacks are increasing and their effect is widespread

Cyberattacks are an exception. It’s not that they haven’t gone mainstream; they have, and with a vengeance, but there’s zero satisfaction in their newly entrenched status. While technology providers are obviously on the hook, mainstream businesses – small businesses in particular – aren’t mere bystanders.

A handful of recent headlines underscore the point. According to a recent CNBC report, “Hacks are affecting everyday life … cyberattacks on supply chains, governments and financial institutions are bad for not only those directly affected but also customers, suppliers and residents,” the network said, citing tax delays and canceled home sales as among the “costly ripple effects” of porous cybersecurity.

In that same vein, a Kaspersky Lab report indicated that companies moving to the cloud “still ignore security concerns – 9 in 10 cloud breaches occur due to employee mistakes.” And Dror Liwer in his article for pulled no punches in describing the peril of cyber complacency, suggesting cyberattacks on small and midsize businesses could trigger a “trickle-up recession.”

Recently, a major cloud-based payroll software provider suffered a crushing ransomware attack earlier this year, taking down payroll management services for hundreds of the company’s customers over a three-day period. Faced with the threat of an extended outage, provoked by a destructive strain that encrypts computer files and demands payment for a digital key needed to unscramble the data, the company paid the ransom and began restoring service. The target organization’s reach was significant, touching payroll service bureaus that cater to small businesses nationwide. Payroll customers, in turn, were beside themselves. While one key provider was battling pneumonia, everyone else caught a cold.

Business owners, small and large, need to be vigilant and united against online threats

The fact is, in cyberspace, everyone’s ox is (potentially) gored. An estimated 60% of companies have experienced a hack of some kind. And that being the case, it behooves every business to take cloud security seriously, for the greater good. Cyber engagement is no longer an option but a requirement. Small businesses need to have each other’s backs. They need to defend themselves against things they didn’t do and that were not personally directed at them. They need to be good stewards by implementing policies and practices that acknowledge what is almost a fiduciary duty to the market at large – a tough pill to swallow given the rough-and-tumble nature of everyday competition.

Practically speaking, what does it mean for an SMB to be a good steward in this brave new cyber world?

Companies can start by becoming familiar with online threats and at least somewhat conversant with tools to arrest them – no single system can circumvent vulnerabilities that haven’t been patched. Still, there are things that businesses can and should do to maximize their safety and, indirectly, make the cloud a more secure place in which to compute.

You might think of these as steps – concentric circles, really – for SMBs on the road to good stewardship: 

  • The first line of defense – The first line should consist of perimeter technologies – a firewall supported by intrusion detection and prevention software; antivirus and antimalware software, which is limited to blocking items downloaded over unencrypted protocols; and anti DDoS (distributed denial of service) software.
  • The second line of defense – The second line is comprised of patch management and locally installed antivirus and antimalware software, working together to effectively block attacks. Proper implementation of second-line defense methods means fewer bugs and optimized performance. 
  • The third line of defense – The third line centers around the trained, educated user – someone sufficiently cognizant of threats to think before executing a link or downloading an attachment – a user, in other words, attuned to the real and present danger inherent in viruses and malware, and who acts accordingly. 
  • The fourth line of defense – Obvious as it may seem, the fourth line involves a good backup strategy. As part of that strategy, it’s essential to install application-consistent snapshot technology, a rollback process that takes just minutes and restores the server to its exact state prior to the attack.

The human element remains the most important social engineering piece of this construct. It’s always best to stop a problem early – before it festers and productivity suffers – think smoke detectors versus sprinkler systems.

There’s no quick fix, but there are fixes. High-profile companies need to take cloud security seriously, not just for themselves and their users, but for just about everyone. One misstep by one well-placed player can easily overlap and affect others. Everyone needs to treat user data with respect or risk ripples with untold consequences.

Corporate responsibility – what companies owe their stakeholders, whoever they may be – is the embodiment of enlightened self-interest. By holding itself to a higher standard than just getting by, an organization generates goodwill, cements customer relationships and, to an extent, inoculates itself against trouble down the road. “Cybersecurity activism,” for lack of a better term, isn’t a marketing strategy but, instead, is central to this “good stewardship” mindset. Case in point: Every organization needs to have some kind of business continuity plan, whether that plan is simple or complex – a plan that provides a course of action when the worst of the worst happens.

Business continuity needs to be part of every SMB’s cybersecurity plan

Cybersecurity is but one bullet point in that plan. Disaster recovery shouldn’t be treated as a siloed task, a matter of too little encryption, porous firewalls or some other technology-driven glitch that, once fixed, doesn’t actually move the business any closer to seamless operations. “Business continuity” is all-encompassing, full stop. Every organization should be in the business of mitigating risk. 

Because cybersecurity is of the moment, its value lies in part in raising awareness among companies that haven’t fully thought about the big picture, of which cybersecurity is simply an element.

So what does your plan look like?  In the event of a quake or a hurricane, do you have a way to restore your business processes, not just your data? How do users function? How do you serve customers? Can you answer the phone? Can you continue to sell your services, even after the event? If your employees can’t work, where’s the continuity? 

The astute way to frame this discussion is to think of the gestalt of the cloud, not of the roles of the various actors (innocent, complacent, negligent, etc.). Any platform or environment succeeds only to the extent that users/stakeholders trust it. Responsibility for fostering trust isn’t “out there,” with the IT or tech support; it rests with rank-and-file users.

That’s why every company doing business in the cloud (that is, off-premises, remotely) needs to understand that failing to arrest breaches harms the business community as a whole. The fiduciary mindset is the right response to hacks and ransomware and cyberattacks, because it affirms that everyone has skin in the game. Indeed, users are central to the security model. Users, not techies, deserve an informed, even sophisticated, approach to the seemingly mundane practice of opening (or not opening) emails and attachments. 

The bottom line

The strangely good news is that technology won’t save us. What will, however, are changes in attitude and awareness. Both are more powerful than policies and procedures. Responsible cybersecurity means small businesses are in this together. This is top-down, bottom-up and side to side – enough to shake us all awake.

Read in