For owners, executives, and the boardroom

Briefing

The business risk landscape has radically evolved over the last 24 months.

The changes in the business landscape over the last two or three years have been unusual, to say the least. One of the biggest impacts has been the rise in cyber attacks, which have increased overall (all types) by 600% from pre-pandemic levels. Additionally, a recent study revealed that about 60% of small and medium businesses that suffer a serious cyber attack close their doors within six months. The attacks have become both more numerous and more costly, with the average damages from a cyber attack now topping a million dollars.

Those factors, however, are not the true danger. The real danger is that most cyber attacks, cyber updates, and information security practices are invisible to many small and medium business owners. C-Suites and boardrooms remain blissfully unaware of the dangers and risks they are facing.

Appoint someone in your company now to stay up to date on cyber, and have them regularly report what they are seeing and recommending.


Executive Briefings

To support these efforts, here is a collection of articles and resources aimed at owners, executives, and board-level stakeholders that will help you survey the current landscape and risks.
 


What can I do that I already know how to do?

Taking effective action against immediate cybersecurity threats is a complex and specialized activity. You'll need professional cybersecurity skills either as staff or as hired services.

However, there are things you can do now and over time to respond to the geometric increase in risk. You can reduce your risks and lower your costs of cybersecurity efforts right now, doing things that you as a business professional already know how to do.

SOISA recommends the following actions and shifts in overall business direction and strategies.

  1. Appoint the role of Information Security Officer to someone in your organization right now.
    Their duties should include identifying sources of cybersecurity news that they will review weekly, drafting a list of actions to take each quarter to lower risk and improve the security posture of the business, researching and recommending cybersecurity insurance for the organization, and identifying a cybersecurity framework and standard appropriate to the needs and requirements of the organization (they might need to consult with professionals on this, but your insurance company may have some recommendations as well). They can also take point on the next two recommended actions.

  2. Simplify your systems, now and as an ongoing strategy.
    Part of the overwhelm is that there are simply too many accounts, too many tools, and too many systems to track, manage, and secure. Close service accounts you aren't using. Remove applications on computers that aren't required for your business. Don't sign up for new accounts unless needed. Delete trial accounts within 72 hours of evaluation. Simplify your network: remove old network components and, as you purchase new equipment, make it all from the same vendor or family of vendors and suppliers. Do not connect older, unverified, or unpatched gear to your network.

  3. Create an inventory of accounts, components, and data.
    This will help with the simplification strategy given above, but it is also the first thing any cybersecurity professional will do, because you can't protect and defend what you don't know you have. Save money and get a jump start: make a list of every login account on your own systems as well as on third-party services. Don't record passwords in the inventory. Record the account name and application or service, account level (admin, billing, master, user, etc.), the date established, the date last reviewed, and the user(s) of the account. Create a list of every component of your data network, including cloud servers and storage. Finally, map out all your business-critical data and record where it lives, how it is backed up, and how it enters and exits the business.
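
One way to check the account inventory described in item 3, as an added example rather than SOISA's own tooling. It assumes the inventory is kept as a CSV file with the column names shown and that accounts are reviewed at least every 90 days; neither the file format nor the review interval is specified above.

```python
import csv
import io
from datetime import date

# Columns taken from the inventory fields listed in item 3 (names are assumed).
REQUIRED = ["account_name", "service", "account_level",
            "date_established", "date_last_reviewed", "users"]
# Column names suggesting that secrets are being stored (assumed list).
FORBIDDEN = {"password", "passwd", "pwd", "secret", "pin"}
REVIEW_MAX_AGE_DAYS = 90  # assumption: the page sets no review interval


def audit_inventory(csv_text, today):
    """Return a list of (row_number, account, finding); row 0 means the header."""
    reader = csv.DictReader(io.StringIO(csv_text))
    columns = [c.strip().lower() for c in (reader.fieldnames or [])]
    findings = [(0, "*", f"column '{c}' must not be in the inventory")
                for c in columns if c in FORBIDDEN]
    findings += [(0, "*", f"missing column '{c}'")
                 for c in REQUIRED if c not in columns]
    for num, raw in enumerate(reader, start=1):
        row = {k.strip().lower(): (v or "").strip() for k, v in raw.items() if k}
        name = row.get("account_name") or "<unnamed>"
        for col in REQUIRED:
            if col in columns and not row.get(col):
                findings.append((num, name, f"empty field '{col}'"))
        reviewed = row.get("date_last_reviewed", "")
        try:
            age = (today - date.fromisoformat(reviewed)).days
        except ValueError:
            if reviewed:  # present but unparseable; empty was reported above
                findings.append((num, name, "date_last_reviewed is not YYYY-MM-DD"))
            continue
        if age > REVIEW_MAX_AGE_DAYS:
            findings.append((num, name, f"last reviewed {age} days ago"))
    return findings


# Constructed sample inventory (not real accounts).
SAMPLE = """account_name,service,account_level,date_established,date_last_reviewed,users
ops@example.com,Cloud hosting,admin,2021-03-01,2024-01-10,J. Doe
billing@example.com,Payroll SaaS,billing,2020-06-15,2023-02-01,A. Roe
shared-scanner,Office scanner,user,2019-11-20,,
"""

if __name__ == "__main__":
    for finding in audit_inventory(SAMPLE, date(2024, 3, 1)):
        print(finding)
```

Run against the sample, it flags the account last reviewed over a year ago and the shared account with no recorded review date or users, which are the entries to look at first when simplifying.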