This paper is written with no grant or other financial support. It reflects the opinions of the author only.
Small businesses and non-profits often overlook the danger that cyber-attacks pose to their organization, yet a small business is just as likely to be hacked as a big one, and the fallout of a breach can be more damaging.
In recent years, hacking attacks on small businesses have increased dramatically and are now just as likely as attacks on big businesses. Writing in 2011, Alex Wright reports that “[in 2010] the U.S. Secret Service and Verizon responded to a combined total of 761 data breaches, with 63% of them involving small businesses. In 2009, they responded to 141 data breaches, of which only 27% involved small businesses.”[i] That is a more than elevenfold increase in breaches involving small businesses in a single year, and it shows that the threat continues to grow. In the United Kingdom, “poor cybersecurity practices cost a business an average of up to 4,000 [pounds sterling] a year (about $6,650).”[ii] No single factor is to blame; rather, a variety of factors make small businesses a primary target for hacking. One is ignorance of the importance of cyber-security: small and non-profit business owners often assume that cyber-criminals have no interest in attacking their organization. Accordingly, small to medium businesses (SMB) are reportedly poor at investing in digital security: “the level of security investment of SMB is only 55% of large companies in terms of security products and services.”[iii] Small business therefore spends less on cyber security than big business, but ignorance of the emerging threat is not the only reason. Small businesses generally “implement extremely distributed systems with a large number of contracted services making defining a perimeter for security challenging.” Furthermore, many small businesses, especially non-profits, “are more likely to have linked their personal and professional roles in their digital footprints, potentially making both the individual and the organisation vulnerable.”[iv] In addition, supply chain partners who carry risk are increasingly concerned with the security of the small businesses they work with, in order to mitigate their own risk.[v] Winning business could become increasingly difficult if supplier security cannot be guaranteed.
Most small businesses consider it “overly expensive […] to implement a program that prevents, detects, mitigates, and helps a business recover from cyber incidents.”[vi] Yet this is exactly what a small business, such as a non-profit, needs. A non-profit is a less valuable target than a big corporation, and the ways it can be attacked are more limited, but it is just as important to evaluate the attack surface and the weaknesses, and to classify the organization's data, with the mindset of an attacker. Leadership should appoint a dedicated security person. Preferably this person is technologically savvy and reports directly to the CFO, but the role need not take up 100% of their time. A security policy appropriate to the organizational structure should then be written. It should cover all avenues and classify existing data, such as PII, credit card information from donations, and payroll records. Statistically, small businesses have trouble even with basic security measures such as password policy. According to a 2016 Ponemon Institute study, “nearly six in 10 respondents said they did not have visibility into employees' password practices, indicating the possibility of weak password protections. Of small businesses that have developed a password policy, 65% do not strictly enforce it.”[vii] The security appointee should review the existing password policy and rewrite it if necessary. This is just one of many points to consider. Additionally, the security person, together with leadership, should create an incident response plan.
Incident response plan
The incident response plan acts as a guide to minimize damage to the organization, restore normal operation, manage fallout such as public perception and litigation, educate the organization and improve future security. Preparation for an attack is important, and it includes the steps needed to detect an incident. Beyond detection, it is also important to analyze and learn from an incident so that the same attack vector cannot be used twice. Unfortunately, “37% of SMB suffered from industrial technology leakage more than twice,”[viii] which shows that many companies do not learn from their mistakes and are breached repeatedly. One breach could diminish public trust significantly; a second would likely end public trust in a non-profit organization and force it to shut down. Incident response exists to prevent this. The organization should have a plan in place that positively identifies an incident from a variety of sources, including monitoring software or hardware alerts, employee or customer reports, and otherwise unusual events. Once identified, the incident should be contained quickly and its scope determined. The appointed security person should act as the authority during the response to prevent a disorganized reaction. Fact-finding should be encouraged, while jumping to conclusions should be discouraged. Most importantly, the disruption to business operations should be as short as possible.
Cyber security is vital for a non-profit organization. While a small business might not have the best resources to secure its environment, it is responsible for doing so regardless, and able to. Security is important to the continued survival of the organization; it should not be treated merely as an important task but should stand as an organizational value.
[i] Wright, A. (2011). Small companies targeted. Communications of the ACM, 54(9), 15.
[ii] Thompson, R. (2014). The small business cybersecurity blindspot (Forefront). Risk Management, 61(5), 8-9.
[iii] Lee, C. (2014). The strategic measures for the industrial security of small and medium business. The Scientific World Journal, 2014, 4.
[iv] Osborn, & Simpson. (2017). On small-scale IT users' system architectures and cyber security: A UK case study. Computers & Security, 70, 27-50.
[v] Osborn, & Simpson. (2017). On small-scale IT users' system architectures and cyber security: A UK case study. Computers & Security, 70, 27-50.
[vi] Banham, R. (2017). Cybersecurity threats proliferating for midsize and smaller businesses. Journal of Accountancy, 224(1), 75, 77, 79, 81, 83.
[vii] Banham, R. (2017). Cybersecurity threats proliferating for midsize and smaller businesses. Journal of Accountancy, 224(1), 75, 77, 79, 81, 83.
[viii] Lee, C. (2014). The strategic measures for the industrial security of small and medium business. The Scientific World Journal, 2014, 4.