This is something that each small-medium business needs to decide for themselves, but understanding what your potential value is to an attacker is useful in understanding how you approach cybersecurity. You exist somewhere on a scale, and you may exist in different locations depending on circumstance.
Determine Your Value
Are you a small business that doesn’t maintain a list of personal customer information? The potential downside from a breach is much smaller on a relative scale – but that doesn’t mean it’s something you ignore; just act accordingly. Why not just ignore it? Well, if you ignore it and become an easy target, it may be rather simple for a ransomware organization to encrypt all your data and demand $50K in ransom. At the very least, you are staring down a headache of large proportions; in the worst-case scenario, you need to shut down. But, outside of some standard IT best practices, there may not be much with which you need to concern yourself.
Alternatively, are you a financial institution, critical infrastructure, or other high-profile entity? Being breached, whether publicized or not, may result in a domino effect that could include public relations, reporting regulations, firings, leaked personal data, ransom, as well as others (e.g., the Colonial Pipeline breach of 2021). If your organization exists at this end of the spectrum, how you handle protection needs to be managed accordingly.
Physical Security as an Example
The expression “cybersecurity isn’t a one size fits all solution” isn’t novel. But there seems to be an expectation of a baseline level of complexity that isn’t needed, or a belief that if the solution isn’t complex, it’s not sufficient. Cybersecurity should be viewed a lot like physical security. A Fortune 50 company likely has a security presence in their lobby. A small business may just have a lock on their door. Are you a small business with a lot of heavy (i.e., expensive) equipment? Having security cameras overlooking the equipment, and a lock on the gate to your yard, makes sense. Anyone who is determined to steal your equipment may very well be successful, but what are the odds that a team of people is going to show up at your yard and pull out a couple tons of equipment? Possible, yes. Probable? Doubtful. You also need to account for your risk tolerance and insurance policy.
Physical Security vs Cybersecurity
There are a few important differences in these scenarios.
- Location: For a physical security breach, someone needs to be at the location, which is not the case with hackers.
- Getting caught: This comes in a variety of forms, shown here in order of increasing difficulty:
  - Identifying that an attack has occurred or is occurring
  - Linking an attack to a digital persona (i.e., online names, which are recognizable in the digital world but not the real world)
  - Real world attribution
- Punishment: Assuming a cyber criminal does get caught (see the above bullet), that does not mean that they will face any sort of real world consequence to dissuade them from attempting their actions.
These differences are real, and they dictate an organization’s aggression. The likelihood of ending up in jail is low, so criminal organizations can act accordingly.
Take Away
Cybersecurity is expensive, and it is difficult to truly see its value, particularly if you don’t have a team of analysts who are able to provide reports, which increases costs. Therefore, everyone, but particularly small and medium businesses, needs to have a practical and effective approach to cybersecurity. There isn’t much upside in investing heavily in cybersecurity, but the downside can be sizeable. It’s key to find a solution that reduces risk and is cost-effective.