Surviving the pandemic for small businesses has been challenging enough without the ever-present threat of ransomware and other cybersecurity breaches. Here are some takeaways based on my many discussions with leaders in these organizations:

The pendulum has swung to an appetite to audit and remediate. For many years, cybersecurity vendors, insurance providers and consultants have relied on fear, uncertainty and doubt to encourage tightening defenses in small and medium businesses. A common response has been, "I will take it under advisement." Why such a nonchalant attitude? In my experience, the typical small business owner does not want to think about information technology and will not invest in auditing or changing their cybersecurity posture without pain.

So, what changed? For many, it was a breach. Users fall for fraudulent e-mails, get phished or breached and the company is now sending spam e-mails without their knowledge. In some cases, there is a security incident due to a security appliance or firewall not being updated properly. In other cases, a company has to pay a ransom to decrypt key files. In addition, the ever-present news of cybersecurity incidents has simply raised awareness.
- Deloitte reported that "47% of individuals fall for a phishing scam while working at home."
- CBS said, "For companies, the average cost of a data breach soared to $21,659 per incident during the pandemic, with most incidents ranging from as little as $800 to more than $650,000, according to a new report from Verizon."
- McAfee Enterprise and FireEye found that "81% of global organizations experienced increased cyber threats during COVID-19"
Whether it was a specific company incident, media-induced angst or a peer saying, "you better watch out...", we have observed a marked increase in appetite for cybersecurity audits. This is a good thing because some of the issues we have uncovered include open ports in inadequate firewalls, out-of-date firmware which may lead to breaches, networks that do not segment sensitive data, more administrative accounts than recommended and a host of password and security policy problems.
Strategy is increasing in importance. There is an increased desire to work smarter, not harder, as it relates to technology foundational to small businesses. Executives are feeling the pain of a reactive IT process and recognize that a lack of planning has led to the above issue of risk as well as poor productivity. Forward-looking leaders not only want their IT to be predictable, but to align with their business vision. Here are a few symptoms of a poor or non-existent strategy process:
- High-value employees reacting to IT emergencies or spending time solving issues
- Having to bring ideas to the IT provider (whether internal or external) rather than the other way around
- A high number of issues (e.g. 1-2 per employee per month) impacting productivity, hence profit
- Unexpected expenses due to aging or improperly selected infrastructure
- Lack of a long-term vision (one year ought to be locked down and multiple years sketched out)
- Opinion-based versus fact-based strategy process
The supply chain really is stretched. Lead times are months to a year in certain cases for key infrastructure, like computers, docking stations for laptops, network infrastructure and servers. Having a strategy process is the foundation for mitigating this, but it also takes early placement of orders, solid forecasting (employee hires, for example), a process to streamline onboarding and stocking inventory where appropriate. There are many companies whose revenue is directly tied to the speed with which new employees become productive. In this hiring market, there may not be a long lead time between interview and start date, so reacting to a new hire as it relates to supporting infrastructure is a recipe for disaster. Successful companies are developing a close relationship with their IT provider, sharing information freely, investing appropriately and working as a team. If the IT team is chasing their tails solving problems all day, they will not have time to be this kind of partner.
- Be sure to audit cybersecurity infrastructure and remediate as needed
- Implement a fact-based, rigorous IT strategy process to prevent unexpected downtime and improve employee productivity
- Plan ahead for the ever-stretched supply chain through forecasting, knowledge sharing and stocking, where appropriate