Posted: March 20, 2013

Cyberattacks: The new normal

It’s time to elevate the importance of cybersecurity

Bud Michael

While high-profile cyberattacks against governments, large banks and businesses have made headlines in recent months, small- and medium-size businesses are now also attractive targets for thieves. The frequency and sophistication of online attacks against businesses continue to increase. More attacks are surgically precise and invisible, ever changing and pervasive. They are very hard to detect, and even when detected, they are hard to contain.

The Deloitte 2012 Global Financial Services Industry Security Study points out that even as cybersecurity practices mature and advance, nearly 25 percent of business respondents indicated they experienced security breaches in the past 12 months. More than 50 percent of bank respondents consider security breaches involving third-party organizations as a high threat.

Not only can an information security breach cost your company money, in many industries such as financial, healthcare and education, breaches must be made public under state and federal compliance regulations. Consequences of cyber crime include customer notification and remediation costs, increased cybersecurity protection costs, lost revenues, possible litigation, impact on shareholder value, and damage to reputation.

Businesses of all sizes are at risk, but small and medium businesses in particular are low-hanging fruit for digital thieves, and the attacks are growing daily. To make it even easier for cyber thieves, SMB users will often click on any link, visit any site, or install any application that suits them, in disregard or ignorance of the very real dangers.

From a network security perspective, SMBs typically lack the time, expertise and money required to properly strengthen their defenses. In addition, a small business owner or CEO might say, “Why should I spend money on security? Why would hackers attack me? I’m just a small supply company with 40 PCs and one server.”

Traditionally, cybersecurity has been thought of as an IT issue and is most often included as part of operational risk management. The mistaken assumption that “the IT guys can handle the problem” leads to the dangerous situation where most employees don’t feel that they need to be responsible for the security of their own data. A corporation’s finance, human resources, sales, legal, and other departments all own critical data; and just one employee can inadvertently open a portal to attack.

Nonetheless, the tendency is to believe that the responsibility for securing data rests down the hall with the IT department. Too often, the IT manager must try to balance the risk against the resistance he or she meets from the reception desk all the way to the corner office.

This mindset needs to change.

The potential negative consequences of cyber attacks on a business are so significant that it is time for cybersecurity and information risk management to be elevated to its own INFOSEC category reporting to the Chief Executives.

Boards of directors, general counsels, chief information security officers, and chief risk officers need to understand and monitor their organization’s level of planning and preparedness to address cyber risks.

A recent study by Corporate Board Member/FTI Consulting Inc. found that one-third of the general counsel surveyed believe that their board is not effective at managing cyber risk. Only 42 percent of directors in that study said that their company has a formal, written crisis management plan for dealing with a cyber attack, and yet 77 percent of directors and general counsel believe that their company is prepared to detect a cyber breach, statistics that reveal a “disconnect between having written plans and the perception of preparedness.” Indeed, a 2012 governance survey by Carnegie Mellon CyLab concluded that “boards are not actively addressing cyber risk management.”

Only 25 percent of the study’s respondents (drawn from Forbes Global 2000 companies) review and approve top-level policies on privacy and information technology risks on a regular basis, while 41 percent rarely or never do so. These figures indicate a need for boards to be more proactive when it comes to overseeing cybersecurity risk management.

The Internet Security Alliance (ISA) recommends the establishment of a Cybersecurity Operation Center to monitor traffic and data and actively respond to attempted intrusions and breaches. A cyber risk analysis should be an integral part of your risk management plan. If you are a smaller business that outsources security to an IT services firm, you should receive regular threat monitoring reports for analysis, as well as support for meeting cybersecurity compliance requirements.

Businesses with the lowest relative cybercrime costs tend to have a dynamic cybersecurity plan and use a network security system and event management tool, according to the Ponemon study. Businesses that employed security intelligence tools lowered their cybercrime costs by an average of $1.6 million per year, in part by being able to spot and respond to breaches more quickly.

The consequences of cyber crime can ripple through every department of every business with substantial and devastating effects. Every IT manager, regardless of business size, should be viewed as the director of cybersecurity risk management. A cross-functional approach should involve all departments in your company and increase the awareness of and responsibility for cybersecurity by every employee, from the C-suite down.

Bud Michael is President & CEO of eSoft. Based in Broomfield, Colorado, eSoft provides cybersecurity for small and medium businesses (SMBs). The company’s Unified Threat Management proactively protects businesses from Web, email, and network threats while providing safe, secure access for employees to your network and the Web. Bud welcomes your emails at   


Readers Respond

As an IT director I'm frustrated by the lack of concern above me and the limited funding given me for cyber security. If we get hit, I'll be the one blamed. I'm forwarding this upstream in hope that it helps. Thanks By Jerry T on 2013 03 21
This reminded me of this article where a small business was taken for nearly 200k - these cybercriminals are too smart. By Mike Reynolds on 2013 03 20
Great article. Many people are still of the mindset that because they have anti-virus software on their computer they are protected. While it's a great start, the fact is that against today's threats anti-virus programs are minimally effective. Customers need a layered security approach that includes AV, but also gateway security, web security and more. You can't be protected enough, especially when the risks are this high. By Bob L. on 2013 03 20
With the reported cyber attacks in Korea, does prevention extend to your power or to the grid? By Karl Dakin on 2013 03 20
Thanks for this article, it's quite an eye opener. I just sent this to our company's CEO and our board members as a wake up call. We have to take a closer look at protecting ourselves. By John Merric on 2013 03 20
In this day and age no Company no matter how small or large should be without some form of gateway security employed. Informative Article!! By Mike W. on 2013 03 20
It still surprises me that companies have a train of thought of we are a small business so who would hack us? In some cases these small companies aren't even running a true firewall as their network gateway. This is mind blowing to me. Great Article! By Ben D on 2013 03 20
Very timely...and scary. Thanks for the article. By Shawn on 2013 03 20