Small Businesses and Cyber Security

This blog post provides an overview of why cyber security matters to small businesses. It is meant to make you ponder and determine whether, as a small business owner, you should be concerned.

We know what you're thinking! You most likely fall under one of the following scenarios:

  • We are not worried about cyber attacks.
  • We don't have sensitive data.
  • We don't do business with the government.
  • Securing our environment is too expensive.

But our question to you is... are you 100% sure the above applies? What if we told you that you may be 98% wrong? That you might indeed have to comply with security requirements? So we dare ask again... how did you come to the conclusions above? Have you truly looked deeper into your business to grasp the importance of protecting not only your company's information, but also that of your customers? In this article, we will dive a little deeper into the scenarios noted above so that you may ponder.

Scenario 1: We are not worried about cyber attacks.

Cyber attacks have increased steadily in the past few years and show no sign of stopping, so why aren't you worried about one? Maybe, just maybe, you need to look at it differently. Ask yourself...

  • Is my business susceptible to a cyber attack? If not, why not?
  • Do I have data that can be valuable to an adversary?
  • If I were an adversary, what type of data would I want from my competitors?
  • Has any other company with similar services been hacked? If yes, how were they impacted?
  • What if my company is hacked? What's next? Can I afford the penalties? Can I afford the lawsuits from those impacted?
  • What type of data is being processed by the company? Can it be deemed sensitive? Would it have an impact on our company's mission if stolen?
  • Are there any regulations indirectly impacting my company? Would I fall under European privacy law [GDPR]? Can it be enforced in the U.S.?

This is meant to make you ponder and truly look within your organization. Maybe you should worry about a cyber attack. But if you still believe you don't have to worry, take a look at the other scenarios and their associated questions.

Scenario 2: We don't have sensitive data.

Are you 100% sure of this? Do you even know what is deemed sensitive data? To determine whether this statement is true, let's review the different types of sensitive data that can be impacted by a cyber attack and that are protected by government laws regardless of sector.

  • Personally Identifiable Information (PII) - This includes, but is not limited to, the following data fields: first and last name of an individual [current or previously used], Social Security numbers, home address [current or previous], driver's license information, passport information, date of birth, place of birth, unique identifiers [employee ID, work ID, anything tied to an individual or client], e-mail addresses, vehicle identifiers [VIN and plate numbers], etc. In fact, PII is any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another, or to de-anonymize anonymous data, can be considered PII. This includes employees' and clients' data.
  • Sensitive Personal Data under GDPR - This includes, but is not limited to, the following: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic data; biometric data; data concerning health; or data concerning a natural person's sex life or sexual orientation.
  • Protected Health Information (PHI) - This includes, but is not limited to, the following: patients' PII, medical records, medical findings, illnesses, biometric identifiers, full-face photographs, etc. PHI is defined as "individually identifiable health information" transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium by a Covered Component.
  • Company Intellectual Property - We know each company works hard to develop its processes, and your organization's process is no different. Intellectual property includes trademarks, patents, internal marketing information, internal processes, client lists, and anything that makes your company rise above the rest.

Certainly, there are many other types of data deemed sensitive, but if you hold any of the above, you should at a minimum look a bit further into identifying which regulations apply to your organization and how they can impact your business as it grows. And yes, a lot of that information is freely available online, whether through direct disclosure by the individual and/or by other companies, but that still doesn't exempt you from protecting the data even if it is publicly available. Remember... the key here is that your organization must abide by the law. What individuals or other organizations do doesn't change your obligations. Each is responsible for their own data, and compliance is still your responsibility. Still don't believe you need to protect your business? No problem. Let's examine the next few scenarios.
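The first practical step behind "do we have sensitive data?" is a data inventory: walk the records your systems actually hold and tag each field against the categories above. The script below is an added example written for this post, not code from CyberAdeptness or from any regulation; its field-name hints and value patterns are heuristics I chose for illustration (they are not a legal definition of PII, GDPR special-category data, PHI or IP), and the sample records are constructed, not real people. It flags a field either by its name (e.g. `ssn`, `religion`, `diagnosis`, `client_list`) or by the shape of its value (an e-mail address, an SSN, a 17-character VIN), and reports which categories from the post appear in the data set.

```python
"""Heuristic sensitive-data inventory for a set of records (added example).

Categories mirror the post: PII, GDPR special-category data, PHI, company IP.
All hints and patterns below are assumptions chosen for illustration.
"""
import re
from collections import defaultdict

# Field-name hints per category. Hints are matched as whole tokens of the
# normalised field name (so "plate" does not match "template").
NAME_HINTS = {
    "PII": ["ssn", "social_security", "passport", "license", "dob", "birth",
            "address", "vin", "plate", "email", "name", "employee_id"],
    "GDPR special category": ["ethnicity", "race", "religion", "political",
                              "union", "health", "biometric", "genetic",
                              "sexual_orientation"],
    "PHI": ["diagnosis", "medical_record", "mrn", "prescription"],
    "Company IP": ["client_list", "trade_secret", "patent", "pricing_strategy"],
}

# Value patterns for PII that can be recognised by shape alone.
VALUE_PATTERNS = {
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    # VINs are 17 chars and never use I, O or Q.
    "vin": re.compile(r"^[A-HJ-NPR-Z0-9]{17}$"),
}


def _normalise(field_name):
    """Lower-case the name and wrap its tokens in underscores: 'Home Address' -> '_home_address_'."""
    tokens = re.sub(r"[^a-z0-9]+", "_", field_name.lower()).strip("_")
    return f"_{tokens}_"


def classify_field(name, value):
    """Return the set of categories a single field appears to fall under."""
    categories = set()
    norm = _normalise(name)
    for category, hints in NAME_HINTS.items():
        if any(f"_{hint}_" in norm for hint in hints):
            categories.add(category)
    # Shape-based detection catches PII hiding under neutral names ("contact", "vehicle").
    if isinstance(value, str) and any(p.match(value) for p in VALUE_PATTERNS.values()):
        categories.add("PII")
    return categories


def inventory(records):
    """Map each category to the sorted list of field names found under it."""
    found = defaultdict(set)
    for record in records:
        for name, value in record.items():
            for category in classify_field(name, value):
                found[category].add(name)
    return {category: sorted(fields) for category, fields in found.items()}


# Constructed sample records (fictional people and values).
SAMPLE_RECORDS = [
    {"full_name": "Jane Doe", "ssn": "123-45-6789", "home_address": "1 Main St",
     "contact": "jane@example.com", "vehicle": "1HGCM82633A004352", "plan_tier": "gold"},
    {"full_name": "John Roe", "employee_id": "E-1042", "religion": "n/a",
     "diagnosis": "asthma", "client_list": "acme;globex"},
]

if __name__ == "__main__":
    for category, fields in sorted(inventory(SAMPLE_RECORDS).items()):
        print(f"{category}: {', '.join(fields)}")
```

Free-text fields (a "notes" column that happens to contain a diagnosis) slip past a name-and-shape scan like this, so treat the output as a starting point for the inventory, not proof that a field is clean.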

Scenario 3: We don't do business with the Government.

While this might be true, are you certain that nothing your organization does is tied to the government, even indirectly? Let's keep it real. Almost everything we do ties back to the government in some way. It may not be a direct connection, but it is an indirect one. So how can you tell if you have an indirect connection? Here are some questions to ask yourself:

  • Do you know if your organization relies on a direct government connection to validate employment [i.e., E-Verify]?
  • Do you know if your organization relies on third-party services that are required to follow government regulations?
  • Do you know how your organization is impacted by those third-party service providers?
  • Do you plan to offer services to organizations that are required to abide by government regulations, such as banks, doctors, IRS agents, etc.?

If you answered yes to any of the above, or you don't really know the answer, then you might want to reconsider your statement. But if you still do not feel the need to comply, or know that you should but are still apprehensive, let's move on to the next scenario.

Scenario 4: Securing Our Environment is too Expensive.

Agreed. The cost of securing your environment can indeed be extremely high, especially if you select the wrong security company, one whose main goal is to make money off your organization and feed its greed based on your lack of knowledge of how to secure the environment. But luckily for you, not everyone out there is out to get you or make a fool of you for your lack of knowledge. Most importantly... the cost truly depends on how you approach the process of applying security.

Before we explain how the process is key to streamlining cost, answer this... What is more expensive to you? The process of applying security across your environment, or the company's image and financial stability?

You see... most companies impacted by a cyber attack have much to lose. Not only do they lose clients, but in many cases the financial impact can lead to bankruptcy and dissolution of the company. Starting a business is hard in itself, but failing at it by ignoring key areas won't help either.

Today, the cost of security is high, but that is because....

  • Cybersecurity is in such high demand that many who lack the knowledge are sweet-talking their way into companies that also lack it.
  • Many of the so-called experts in the field aren't technical, and those focus mainly on tools rather than on engineering existing technologies.
  • A high number of companies providing services are not familiar with the full process. Instead, they focus on areas that are meant to be addressed last.

We know what you're thinking... that's rude. And we'll say... no, that's being brutally honest. Certainly, that's not true of every company out there, but a high number are like this. Those of us who are truly passionate are hardly ever heard because we are brutally honest. Those who love to sweet talk always succeed, but they have no regard for anyone outside of themselves. Thus the price is skyrocketed to the point that organizations can't afford it, and if they manage to get the funds, the funds get depleted in the process because the company hired did the minimum, if we can even call it that, to make the client believe they are now in good shape to protect against cyber attacks.

We also want you to know that a list of degrees and certifications does not really denote knowledge. Memorization of facts can never equate to hands-on knowledge gained through experience or curiosity. We have encountered many with a long list of certifications who simply do not fully grasp the process. We are not trying to minimize their importance, but truly, there is much that formal education cannot provide and that is required to successfully secure an environment. Let's keep this in mind... the majority of hackers have zero formal education. And the most successful and intelligent individuals hardly ever do. History never lies.

Is it cheap? No. There is still a high cost to the process. But the key is understanding the correct process: limit the cost across the organization to what matters by prioritizing the approach as it was originally intended to be applied. This will ensure that the organization saves millions as it grows and complies with all standards, U.S. or international, thus leading to a more strategic goal.

How can CyberAdeptness help?

Our experts have over twenty years of combined experience in two fields: hands-on technical work and compliance, with an emphasis on auditing and assessing environments to meet compliance requirements. Because we are passionate about what we do, we focus on ensuring organizations, regardless of size and sector, understand the importance of establishing an enterprise risk management framework and/or improving an existing one, so that risk is limited to what matters... mission-critical systems and privileged users.

We help identify the deficiencies in existing processes and delineate a plan of action tied to each organization's mission and business objectives, which are unique and thus require a unique approach. Once that takes place, we provide a breakdown of the best approach based on the outcome, along with a list of the roles required to apply the changes while addressing your budget limitations. Certainly, staying within budget isn't always guaranteed, but we will do our best to stay within or below it.

We work closely with the organization to fill those positions and/or identify the right individuals, some of whom we are willing to train in the process for a small fee, to ensure the plan of action is followed accordingly and the budget stays on target. The outcome... the organization saves money by addressing the areas deemed essential first, then streamlining the other areas as the need arises, while keeping control of the resources leveraged.

Interested in learning more? Contact us via our site form at 

NOTE: Due to security concerns, we limit our web content to the bare bones. You will receive a response within forty-eight (48) hours or less.

By Karen Baez | on Friday, November 9 2018 13:53
