Many business leaders, when preparing for certifications, attestations, authorizations or audits, ask themselves the question, “Isn’t this too much security?” More specifically, they often ask, “Isn’t this too much for a business our size? Will hackers really try all these measures to infiltrate our company?” To these business leaders, my response is invariably the same: “There is no such thing as too much security.” Sure, there are appropriate amounts, but no amount is ever “too much.”
I ask them to think of it this way.
When we put our babies in their car seats, turned backwards, double strapped in, or put mittens on their sharp little nails or hats or helmets on their tiny heads, we rarely think, “…oh this could be too much.” Why is this? Because we have all read the statistics about the consequences of bad things happening, like crashes and scratches. We want our children to be safe, and we do not want to be the ones responsible for any unsafe moments.
Likewise, I would not want to be the one who decided that something was too much for security purposes, and then experience a breach or hack.
This is the mindset small business leaders should have with regard to security. Start with understanding exactly what it is you are protecting. Is it a system, a network, a product, data? Or is it the entire business, including a building and its people? Consider also what could happen to your business if your security fails to stop attackers. You do not have to dig much to turn up war chests of stories, or the battle scars of audits and fees, from businesses that have been subjected to them in the wake of a major breach. Once you understand the stakes, the next thing to ask yourself is: “What do I want to or need to do to protect it?” Acquaint yourself with modern thought on cybersecurity, understanding your responsibility as a leader to keep the machines, devices, clouds, data and people, in short, everything that makes up your business, safe on your watch.
How do you know how much security is enough? This is the time for analysis. Your own subjective feelings have little role here; what you want are objective metrics measured against tested rubrics. Thankfully, there are numerous researchers and foundations, such as the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO), that are devoted to researching the levels and parameters that should be applied to different types or sizes of business. Even the Payment Card Industry (PCI) outlines different measures for various levels of transactions. It is essential that business and IT leaders take the time to research and understand the ways in which these standards not only help protect the business’s machines, devices, clouds, data and people, but also to what degree they protect them, and who should be responsible for what. Understanding the cost is important, but even more important is understanding the cost of not doing it.
Also consider your business’s broader context. Typically, when it comes to security, it is not only your own interest you need to consider, but also that of your clients and of the prospects looking to buy from you. Customers are increasingly interested in the care taken by businesses to ensure their data is secure and will stay secure. Many businesses heavily weight their procurement decisions towards certifications, attestations and authorizations. If a third-party auditor has assessed and approved a company or product, the risk of a breach or attack compromising their data has, theoretically, been reduced. Certifications build trust in your customers that security is at the expected level.
To conclude, too little security is always more of a concern than too much — unless of course you consider it a negative that proper cybersecurity controls prevent you or your employees from engaging in one of their favorite risky activities:
- Emailing confidential product information to your home computer
- Doing something illegal on your work laptop
- Uninstalling anti-virus or anti-malware software to speed up your machine
- Storing your client files on a USB drive
- Tweeting at 3 a.m. about classified information
Sarah A. Lynn is a partner in the Advisory practice at BPM, a U.S. West Coast-based accounting and consulting firm that ranks among the top 50 of its kind in the country, where she leads the firm’s IT Security Advisory group. She has more than 30 years of experience advising companies of various sizes and industries and brings her targeted expertise within the IT security field to help solve clients’ problems.