There are two professionals every business needs to avoid preventable risks: an attorney and an accountant. For businesses and nonprofits alike, add a cybersecurity consultant to this crucial advisory group.
Ken McCreedy, director of Cybersecurity and Aerospace Business at the Maryland Department of Commerce, says companies need to manage and mitigate cybersecurity risk the same way they look at any other risk.
“It involves bringing in expertise you don’t have and doing a baseline assessment of where you stand… to help you prioritize what you can do over time.”
The very real risks of “cyber roulette”
Business owners and executives who gamble on beating the odds of a breach actually increase their risk, because they do nothing to manage it.
“There’s still an unwillingness to take on (cyber) risks the same way they would manage other risks to their businesses. They buy burglar alarms, fire alarms…cyber risk is in that same category,” said McCreedy.
When it comes to cybersecurity decisions, studies show that many small businesses share the same perceptions and constraints:
- Limited time and resources
- Limited understanding of how hackers work
- The erroneous impression that their business is too insignificant to be worth a hacker’s time
If your organization has data, you are worth a hacker’s time
Hackers don’t have to work very hard to find their small business prey. Cyber criminals use bots—automated programs that perform simple and repetitive tasks—to scout for networks, devices and websites with vulnerabilities, such as older systems and applications that have not been updated and patched. Even new information technologies are vulnerable. From the day a new operating system is released, cyber criminals are working on every possible way to break in.
A big break for MD small businesses
Cybersecurity is not a subject taught in business school, nor is it part of most curricula. It has rules and a language all its own—and it’s an expense on the balance sheet. These factors can deter a small business from understanding the risk it faces.
“Small businesses don’t realize the cost could be hundreds of thousands of dollars,” said McCreedy.
To encourage small businesses to protect their interests, the MD legislature passed a bill last year creating a cybersecurity tax credit of up to 50% for companies with fewer than 50 employees. Spend $10,000 on qualified cybersecurity products and services, and receive up to $5,000 in tax credits. Spend $25,000 on eligible safeguards, and the tax credit increases to $12,500 accordingly. Applications are approved on a first-come, first-served basis, until the $4 million the state allocated is gone.
The tax credit is also designed to support small cybersecurity companies in Maryland by keeping business in the state. For small businesses, the requirement to buy from a Qualified Cybersecurity Seller is added assurance that the provider truly is qualified and that the majority of its business is cybersecurity products and services.
An up-close look at the cyber carnage
Summit Business Technologies is a Qualified Cybersecurity Seller with first-hand experience seeing the impact attacks have had on small businesses. Our cybersecurity practice has grown, as an increasing number of small businesses, associations and nonprofits have experienced an intrusion: six-figure losses from fraudulent emails, ransomware that locked out users, and malware so embedded in systems that one business chose to buy all new laptops as the most expedient solution.
“If hackers cut off your ability to communicate to customers, post obscenities on your website, erase your customer data or sell it on the black market, you have a very real risk of losing business,” said CEO Mike Cohn. “You also have the downtime and cost to remediate the breach, a damaged reputation and the potential loss of your clients’ trust.”
What is a cost-effective first step to thwart hackers?
Most attacks start by an employee clicking on a link, downloading a document or opening an attachment infected with malware.
“Security training is critical,” said McCreedy. “The average person doesn’t know much about security awareness. Even if they do, it is so very important for businesses to adopt some type of training program and not once a year.”
“Teaching employees how to identify and avoid manipulation by cyber criminals is probably the single most cost-effective step a small organization can take to reduce cyber risks,” said Cohn. “This process builds resilience over time if it’s an ongoing program that makes awareness second nature.”
Manage cyber to better manage risk
Ken McCreedy sees his role as a modern-day Paul Revere, carrying the message that small businesses are least prepared, and thus most likely to be targeted by hackers.
“It comes down to making sound business decisions, what’s the best thing to do at the best cost,” says McCreedy. “Like any other risk, you recognize you can’t eliminate it, so how do you mitigate it?”
Look to the three advisors every business needs to avoid preventable risks: your attorney, accountant and cybersecurity consultant.