Recently a client of ours got upset with our answer to a simple question. While the question was simple, the answer was not. The client wanted to give a potential new vendor access to their server so the vendor could analyze their current data in preparation for a proposal. The problem was that this particular client is in the medical field and therefore bound by HIPAA requirements to protect patient health data. As part of this requirement, the vendor needed to complete a Business Associate Agreement to fully comply. This was a simple step that had not yet been completed, but the significance was huge. Allowing a third party access to what was essentially the patient health data opened the business up to liability in the event any of that data was accessed, moved, copied or compromised as a result. While ultimately we were able to get the client and the vendor the information they needed, it did bring up a great question that I have pondered since then: why do so many business owners and managers disregard security as a high priority for their organization?
So Why Do So Many Business Owners Bury Their Heads In The Sand When It Comes To Security?
- First and foremost, most small business owners completely discount the real security threat their businesses face on a daily basis. In fact, a recent survey by Manta found that a whopping 83% of small business owners don't believe that their business faces any real cybersecurity risks. Read that again: 83% don't believe they face any real risks! This is despite the fact that over 50% of small businesses have in fact experienced a cybersecurity attack in the last 12 months. Think about that for a minute: 8 out of 10 business owners don't believe they have any risk at all, and of those same 10 business owners, 5 of them have had an attack in the last year.
- Most small business owners, even if they are willing to admit that they are vulnerable, are afraid to assess what needs to be done to address it because they are afraid of what it might cost. Never mind how large the liability to their livelihood is; they are willing to roll the dice and hope they are in the winning 50% that have not experienced an attack yet.
- Most small business owners don't understand technology, and particularly the security around it, so they pretend there isn't a risk. It's simply easier to ignore the risk. Part of this is probably related to not fully understanding the risks and liability, but also because it's just easier to let that vendor get into the system and trust they will do what they are supposed to do.
So what is the answer - how do business owners appropriately deal with the rising security risks to their organization?
- The first step is to fully analyze where you are at. You can't fix what you don't know about. While it may seem easier to just ignore it, you are much better off understanding where you are at and what the risks are, and then formulating the plan to correct any deficiencies. If you don't have IT personnel on staff or don't have an IT vendor that provides ongoing support for you, find one that fits and engage them. DaZZee has a white paper to help you with how to choose an IT provider.
- After a plan is established, it needs to be reviewed REGULARLY. That means at least quarterly. DaZZee does this review monthly for our clients and there are always items that need to be updated.
- Your staff needs to be trained on the real and constant security threats that they are already being exposed to. This should happen at a minimum on a quarterly basis. DaZZee conducts this monthly for our clients.
- Finally, and probably most importantly, you need to build a culture in your organization that thrives on and is aware of security. If everyone from the top down believes in the importance and relevance of security, your chances of successfully keeping risks at bay are exponentially better.
If you need help analyzing where you are at with your security, DaZZee would love to help and will even offer a free security analysis for businesses that qualify. Just fill out the form below and we will schedule an analysis so you can at least know where your risks and liabilities are.