Why Small Business Find it Hard to Implement Cyber Security (Part 1)
Small businesses are confronted by the prospect of implementing cyber security as much as large businesses.
But what is holding small businesses back from being more cyber safe?
Five key areas are stopping small business from putting in place the protection needed to keep their data safe from cyber criminal activity.
1. The know how
Have you ever overheard IT people in a conversation? It sounds like they are from another planet. Phrases like Git, Java, Firewall, Distributed Cloud and AES flow around like the wash on a tropical beach. To the uninitiated it is just confusing and sounds hazardous.
This gulf, or what appears to be a gulf between technical and non-technical keeps many people in the dark. It can take some guts and effort to punch through to understand the techie mumbo jumbo.
Cyber security has a particular set of jargon and technical implementations. When talking to cyber security experts a lot of what needs to be adopted to be safe on the internet sounds prohibitive.
It is because small business owners are generally not IT professionals that creating a cyber secure environment for the business data is too daunting.
2. Too busy with everything else
Wearing multiple hats is not a new feeling to small business owners and their staff. “Clamp a broom between my legs and I will sweep the floor as well” is often how staff feel. Not only is there lots of work, but work in multiple disciplines needs to be learned and completed.
The thought of adding a complex discipline like cyber security to the already overloaded work schedule can seem overwhelming.
The trauma of a possible cyber incident just does not seem to justify the cost of spending the extra time in trying to understand what needs to be done to be cyber safe.
3. The cost of implementing is more than the data is believed to be worth
The value of data is not well understood by small businesses. Data is something that is used. The real value is calculated in whatever field the business operates in e.g. plumbers think about value in terms of pipes, electricians in terms of cables (simplistic)
Data like the value of the client contact list is not something that is really understood or valued. Therefore the question, Is it worth allocating resources to protect something that has no identified value?
4. Have no real experience of an attack
The hype around cyber security is everywhere. Money is being spent in fistfuls by governments on the cyber security industry. News reports of attacks include, million dollar ransom demands, theft of personal information and Russian cyber criminals.
For all that news life goes on as a small business. It seems that these reports really only pertain to a large business.
At times, it is hard to justify since organizations do not envision the risk right. So ROI is of course an issue, but also in general, if nothing bad happens, what is the motivation (this is psychological). Then if there is an incident and a service is cut for sometimes, or reputation is lost, the damage can be assessed and suddenly one sees increase in spending. In short, organizations do not do risk analysis right so they have to learn the hard way. Even if they do they try to save since until an attack the organization does not grasp its problems. - Moti Yung - Google Inc
Cyber attacks on small businesses do happen, but most have not been the victim of a cyber attack. Each day online transactions happen and it feels like banks and other big institutions with the IT resources are doing what should be done to protect the data that is important to a small business.
5. The shifting sands of cyber security
Cyber security is an ever changing field. The changes come because criminals are consistently looking to exploit holes, system problems and human errors. This consistent shifting means that being cyber safe is not a set and forget activity. Being Cyber safe is an ongoing commitment.
Implementing an initial cyber security initiative is something that small businesses can achieve.
Once started the ongoing demand of attention to the cyber safe program will often see small business cyber safety status slip.
The final question
Is the next Cyber Security step really going to make a difference? This question is constantly asked each time the decision comes up as to how to improve or implement cyber security.
Cyber security is often an unwanted expense and activity and although not repulsive it is inconvenient. The solution is to create a program that allows a small business to keep cyber safe without a huge commitment to extra work or cost.