“Hackers aren’t interested in my little business.” If that’s the standard line you use when a security consultant pitches you on their services, you’re making a mistake. Sharon Smith, a cybersecurity strategy consultant and author of “The Corporate Detox” and the host of the “C‑Suite Success Radio” Podcast on the C‑Suite Network, educated us recently on this topic during a Manage Smarter podcast.
What Hackers Really Want
We tend to think that hackers are after our customers’ data like credit card numbers, birth dates or social security numbers. And, if we’re running a B2B business, we start to believe that hackers won’t find anything of value in our systems. The truth is more complicated. “It’s not about your data, but your network may lead to another network that has the data,” says Smith.
It’s up to us to decide how far we’re willing to go to protect our systems. We can start by knowing the difference between compliance and security. Businesses in some industries, like health care, deal with heavy regulation to protect personal information. If you meet the bare minimum for these requirements, you’re complying.
That’s not enough. Often, compliance only involves certain aspects of your organization. In our uber-digital era, Smith encourages us to go to the next level and reach for security. When we have a secure organization, every individual and department does their part to keep data and systems safe.
As managers and company leaders, we must take the initiative to protect our organizations’ systems and data. One way to accomplish this goal is to take the position that a secure system is one of our top ongoing initiatives. This means regularly requiring employee training as new systems are introduced. We shouldn’t fool ourselves into thinking we can earn employee commitment by issuing an occasional email on this topic. We can go a step further and embed the requirement of data protection into our culture. When we encourage employees to be part of the solution, they’ll be more engaged in a common goal.
We also need to understand the source of threats. Many times, an employee is the biggest threat. If they give out their user name and password to an outside vendor to get access, they’ve opened our systems to more risk.
These days, one of the biggest embarrassments is to be held hostage by a criminal who locks us out of our systems until we pay a ransom. According to Smith, businesses pay over $1 billion to such criminals on an annual basis.
We might be tempted to put cybersecurity into the hands of our IT departments. They’re likely the experts in the field, so that’s a good first step. But senior leadership should understand the types of threats that exist, how they’re evolving, how much it costs to protect systems, and how much it will cost if we have a breach.