Frequently Asked Questions
Here's more about how SOISA works to support small organizations, and how being a member can give your business the security boost it needs at the lowest cost possible.
Q: Why do I need to join SOISA?
A: Cyber security is quickly getting more and more difficult and complex. Attacks are on the rise, and a stream of new laws are requiring new kinds of compliance and practices from businesses large and small.
The big companies have their own dedicated IT staffs and the cash to buy enterprise security solutions, but small businesses are, at the present time, essentially left out. They are quickly becoming the most vulnerable group to cyber attacks, and yet they have the least support and few, if any, established resources.
Small organizations need cyber security expertise, recommendations, and guidance, yet most aren't able to hire expensive consultants or dedicated IT staff. SOISA uses the power of group buying to share cyber security knowledge and guidance tailored to small organizations to all of its members. The more members that join the association, the more benefits SOISA can provide to all members.
Q: But wait, I'm a small business. Why am I a target for hackers?
A: You're thinking that if you don't have a lot of money to steal, no big corporate secrets, no million-dollar R&D going on, and no databases of credit card numbers, then you shouldn't be a target for cyber attacks, right?
Unfortunately, attackers -- especially the well-funded ones from other parts of the world -- are after many things, and several of them can be accomplished with the networks and computers of the small organization. More than money, they want control over as many computer systems as possible as well as connections to other business networks. They use compromised small organization systems to attack and eavesdrop on other targets while covering their tracks. They also use them as points of trust to interface with the computer systems of your vendors, customers, government, and military. Since your computers look much less suspicious than computers in countries that are known to be doing cyber attacks, attackers like to use your computers to connect and attack other systems.
Also, your organization's computers, no matter how few or simple, do contain information that can sell on the black market: identify theft data, logins and passwords, and other data. If the system is easy to attack and quick to hack, then it is still worth their time. The idea is to make your systems and equipment secure enough that they are no longer worth the time and effort for an attacker, and they move on to the next target.
Q: What exactly does SOISA do for me and my business?
A: We translate the cyber security jargon and tech buzz into simple, business-oriented action recommendations, and send it to members on a regular, paced schedule (as well as place it in an online library). We know that many organizations don't have dedicated IT staff, so we make it easy for non-IT staff to check and implement security steps that make the biggest difference possible. We send alerts when a new threat is relevant to your network, software, or equipment. We send reminders when it is time to check things or update software. We send advice and alerts on changes in information privacy and security compliance laws, how they affect small organizations, and exactly what you should do -- and how to do it all on a shoe-string budget, if possible. We also share templates for security policies, procedures, and other documents that are required for PCI, HIPAA, and GDPR compliance.
Our approach is specifically aimed at saving you many hours while empowering you to increase the security of your computers, network, and business operations. We believe in friendly, bite-sized actions that can be accomplished quickly -- we know you have many other things to do. We want to make it easy to do a little bit every month to keep increasing your security posture while lowering your risk and liability in simple, focused steps.
Our experts analyze and track the changing cyber attack landscape, and identify the specific simple things that small organizations can do to make the biggest impact on their level of security. They also report on the pitfalls and pro tips for implementing new security and processes, like Two-Factor Authentication, from the perspective and needs of the small organization. That means you don't waste time getting stuck by gotchas with new things that might work for large companies but not small ones, and you can spend your valuable time and money on the security things that will matter the most.
Q: How does this work? How techie do I need to be?
A: We do the hard stuff: keeping on top of the world of cyber security, threats, fixes, and news. We filter it, and translate it into simple business language and step-by-step guides that fit your equipment and software. We bring your attention to the issues that are important from the perspective of a small organization, with top respect for your time.
If you can set up an office printer, connect to the Internet, and change your settings on your computer, then you can do most of the actions and maintenance we'll recommend. Every so often, there may be a few things that would be more technical, and for those you can enlist whatever technical help you use for your more complicated IT tasks in the organization. Or, you can skip them. It isn't about being perfect; it's about continuous improvement in steps that work for you.
We send guides and alerts at a pace that you select. We want to be your "virtual CISO (Chief Information Security Officer)", delivering information, tools, and recommendations that make sense for you. It's always your choice what you do. Plus, the SOISA Forums and Member Network can also help answer any niche questions, bounce around ideas, or learn about specific things like state laws.
Q: But I run anti-virus software. I'm secure enough.
A: That's what we used to think, too. That's a good thing to be doing, and it does help, to be sure, but there are many new methods that attackers are using now. Plus, if you don't have your settings correct, or there is just one computer on your network that isn't running protection or stops running protection, or you have a flawed password policy, or a dozen other simple things... then it's like locking the front door while leaving the back door open: attackers can walk right into your network.
We don't want to create additional fear about this. But we also understand that common network security issues are well past the point of being safely ignored. So we want to share the best advice, tools, practices, and information possible to make the most change happen toward security. That means making things simple and quick, straightforward and drama-free, so small business owners and staff can actually do them. We don't focus on scare-stories; we just want to make available to members the most effective antidotes, remedies, and protection against the most potent and problematic threats out there.
By raising the security levels of the most vulnerable systems, we raise the security levels of the entire nation -- including our own community, businesses, families, and property.
Q: Why was SOISA started?
A: We value small businesses and small organizations and believe they are critical to the economy and innovation of our nation. With the average cost of a cyber attack coming in at over $200,000 in cash-out-of-pocket costs and over $1 million including brand damage and lost business (2019 figures), small organizations are in a particularly vulnerable place. Enterprise security companies and tools are priced much too high for small firms to be able to afford them, making small organizations the new low-hanging fruit for attackers. This widening gap that cyber attackers are now beginning to focus on could be a major cause of business failure for small organizations in the next five years.
Making changes to processes, systems, and equipment to be compliant with PCI, HIPAA, and GDPR (among other new state laws already in effect in 2018) can be expensive and bewildering. It's a tough landscape for small organizations right now, and we want to help by making the needed expertise and recommendations available to small organizations at a price they can afford.
So, we turned to helping ourselves and helping each other. By forming a group of small organizations, we can do things together that we can't do alone. We can accomplish so much more, and share the costs and benefits of our own research, writing, and tool building -- all focused to fit our own organizations.
Q: How does SOISA keep the cost so low?
A: By sharing the costs across all members. We can buy experts time and services, develop tools, research and test equipment and software, and write guides, policies, and reports and share them with all members. We are a not-for-profit association, and our staff and board members include cybersecurity professionals, small business experts with decades of experience, and software developers who care about small organizations and the contributions they make to our national economy and local communities.
Most of the reports and recommendations from the big, enterprise security companies are geared to large corporations with IT staff and big IT budgets. SOISA focuses on the perspectives and needs of the small organization exclusively, making it possible for them to upgrade security and lower risk significantly while controlling their own systems and choices, at the lowest cost possible.