Consider these possible data targets.

SMB Security Simplified 

  1. Many SMBs don’t invest in protecting their data because they undervalue it.
  2. A self-assessment of the data used in business activities might confirm whether one’s cyber security investment assumptions are correct.
  3. Three categories of data are business intelligence, personal and private data, and trade secrets and intellectual property.
  4. Steps to protect network and data assets may prevent other negative consequences of a breach.

This series on the plight of the SMB cyber defender discussed an underlying belief held by many SMBs: that their company doesn’t hold any data that attackers would be interested in. The series has tried to show that they would be mistaken in that belief. This post comes full circle to look at the types of data SMBs should actually protect.

Celebrating National Small Business Week

This series has probably shown that cyber criminals are very appreciative of SMBs, because they make for easy targets. They’re low-hanging fruit and they may serve as an easy conduit to larger partners. At a panel discussion earlier last month in Washington, D.C., hosted by the Small Business Administration (SBA) to mark the start of National Small Business Week, security experts from various companies and government convened and said “that it is incumbent on small business owners and employees to educate themselves about cybersecurity and what they can do to protect their businesses.”

The article, “SBA, NIST Offer Small Businesses Advice: Take Cybersecurity Seriously,” covered the event and reported,

SBA Deputy Administrator Douglas Kramer, who moderated the panel, noted that while many small business owners often do not have the time nor money to focus on cybersecurity, they face vulnerabilities that could fatally harm their businesses.

“The threat of cyber intrusion and theft is very real,” he said. “Small businesses measure assets and inventory in different ways, but they sit on a treasure trove of information.” That includes intellectual property, personal information about customers and employees, and credit card information.

Kramer said the SBA has found that almost half of small businesses have been the victim of a cybercrime at some point, with the average cost of an attack at $21,000.

I’ve read that the damage figure may be even higher, an average of $31,000. No matter, to a small business, either figure could represent a very damaging hit.

Consider your treasure trove of data

This series has shown that SMBs are being increasingly attacked. It also discussed that cyber criminals may use you to target others, and that there is potential long-term damage to your company if that happens. The bad news is, it’s not “either-or”; they can do both. While they use you to target someone else, they can still hover in your network to search out and grab any data that they think may be of value.

The article “How small businesses approach risk mitigation and response” gives these survey results:

“53% of small businesses reported that they do not store valuable data, yet 68% of respondents store email addresses, 65% store phone numbers, 54% store billing addresses, and 49% store home addresses. This indicates a lack of awareness around the value of the information they are storing.”

It doesn’t really matter who you are; almost everyone holds some kind of data asset that might be of interest to someone else. It’s likely a mistake to assume that your data wouldn’t possibly be of any interest to attackers. The risk will increase the more data you collect, hold or process, whether it’s your own or someone else’s. The more data you deal with, the bigger the bulls-eye on your back likely is.

Are you more worried about the threat to your organization’s reputation, or the potential impact of a breach on your brand, than the actual data loss? If so, it might be time to start worrying about losing other people’s data that you may be holding. If there is a loss of trust between a company and customers and partners, a contributing factor will be the loss of their data, by you! 

Those who do business with you will likely increasingly see your reputation as a trustworthy custodian of their data as a reflection of the trust relationship you’ve built with them over time. Isn’t it better for one’s reputation to be deserving of that trust, and to be competent and reliable in taking adequate steps to protect the data? Properly safeguarding the personal and private data of your customers, clients and staff could bring you a competitive advantage.

Perhaps taking the time to do a small self-assessment is the place to start to help you decide whether your data could be a target.


Data Target Categories

A self-assessment with a data checklist will help you decide whether your data could be a target. I divide the potential data targets into these three general categories:

  • Business Intelligence
  • Personal private data
  • Trade secrets and intellectual property (IP)

Take a look at some of the example items listed in each category in the infographic. Can you think of other similar items in each grouping specific to your industry or business? If so, jot them down. Use this exercise to help you confirm or check your assumptions about whether you are doing enough to protect your data.

The “what-if” questions

Try asking yourself certain questions regarding anything residing in your network. The first question is, “What is the worst thing that could happen if I lost this information, if it fell into the wrong hands, or if my access to it was simply cut off?” Ask, “Who would benefit from getting my data, or by trying to harm me in this way?” Is someone trying to get to a supply chain partner? Just don’t be like this guy, in denial. Sticking your head in the sand and ignoring the reality of today’s threat environment may not end well for you, or others.

If you can really mentally check NO for everything, you are in a very small minority. As pointed out, you can no longer ignore security as long as you have customers or partners.

Data Tampering

Although this may apply in only a few cases, consider also that certain data attacks may not be leaks at all, but attacks on data integrity. Any kind of unauthorized tampering with data that isn’t for personal gain (for example, with some formula, technical specs, or records of note) is sabotage that could lead to a variety of business or legal problems for you or a partner in your supply chain. Something that comes to mind is the Internet of Things, where all kinds of data that feed into the business decision-making process could be placed at risk if devices or collectors were tampered with.

The need for cyber protection is now essential

This kind of data assessment is simply an honest self-assessment to determine whether you hold data assets that need cyber security protection. So, if you look inward to do even a quick data self-assessment, will you find data in-house that needs to be protected? Do you use or hold any of the types of data suggested in the graphic?

There are good reasons to do this exercise. A smaller business may not be able to withstand a hit. You want to avoid being that business that doesn’t survive. That small business could also be an associate, customer or partner. How many customers and partners can you afford to lose? Another reason is that there’s probably a pretty good chance that, going forward, cyber security posture will increasingly be seen as a sign of general business responsibility, reliability and competence. Will the ability to trust become part of one’s brand?

Remember too that, thanks to ransomware, the game has changed. Cyber criminals don’t have to fence your data any more. They’ve found someone to whom your data is important, and that’s you! See our Ransomware Ascending series.

If business owners believed that they did indeed hold data of value, and invested in better cyber security defences, many issues that were discussed in this SMB series might be avoided. However, we would probably be reminded again that many SMBs are overwhelmed, under-resourced, and under-supported by the security industry. Investment in cyber security will probably become an expected cost of being in business. The question for a business is then going to be how to find comprehensive protection that’s affordable.

That’s why we believe that TUX AI will be a boon to SMBs with limited resources that need to protect their business operations and data from cyber criminals. You can check out a short tour of the comprehensive bundle of cyber security protections that TUX AI will be able to deliver to SMBs on our start page.


The next post will wrap up this series and reflect on the gap between where SMBs are and where they have to get to, to prevent hacks.







Related Reading

SBA, NIST Offer Small Businesses Advice: Take Cybersecurity Seriously