Cybersecurity – It’s Not Just for Big Companies Anymore

Mike Buher, Director of Assurance & Advisory

Cyber is hot – maybe too hot for some business owners.  While you are spending countless hours growing and building your company, the last thing you want to think about is something as seemingly mundane as your computer network or data.  You have seen the stories of big companies being hacked, but may think you’re too small to be a potential target.  You should re-think that.

Everyone, including you, is a target.

There are a number of reasons why this demands your attention, but these reasons are top of mind:

Risk of data loss – While physical loss – such as laptops and phones – is and always will be a very real threat to data security, much of the data loss that has posed the greatest combination of financial and reputational risk in recent years has come from actions taken outside an organization. Often, these breaches have occurred through the at-risk organization's relationships with outside companies.

While security measures for preventing physical loss (laptop locks, access restrictions) are relatively finite, and are restricted to the number of computer assets in your company, electronic attacks can continue 24/7/365. No matter how big or small you are, if you are online, you are a target. Without accurate data, you can’t invoice your customers, pay your bills, make decisions, and run your business effectively.

Risk of financial loss – This risk comes in many forms, including outright theft. With the security inherent in most banking relationships today, this is becoming less common but still occurs. In the past, the most common financial losses stemmed from being unable to run your business due to missing, inaccurate, or incomplete information. This still happens; however, losses associated with breach investigations, notifications to customers and business partners, as well as lawsuits and loss of investor confidence, have had a significant financial impact on business over the last few years.

Reputation risk – While the actual data or financial loss (let alone the time loss) may not be substantial, your reputation is inevitably harmed when your information is compromised.  Despite your immediate financial position not being severely harmed, if your customers’ and vendors’ information is compromised you could lose their business immediately.  Recovering from a blow to your reputation is difficult, and may take years of hard work to overcome.

Given the peril lurking around every electronic corner, what should you do?  Your internal controls and safeguards generally fall into one of two categories: preventive (keep it from happening) and detective (find it and fix it quickly once it does happen).  A solid internal control structure includes several layers of both of these, but in the cyber world the traditional model is reversed.  Typically, a company’s internal controls are more preventive in nature, but with the ever-increasing sophistication of criminals, not to mention their tireless efforts, you can only prevent an attack for so long.  That’s why you can’t rely on your firewall alone.  Detective controls (those that identify and fix breaches quickly) are your best area of focus.  When an attack happens, responding in a timely and effective manner is crucial.

Financial statement auditors, lenders, investors, and board members are increasingly focused on cybersecurity.  They, like you, know that the impact of such a disruption is costly not only in terms of dollars, but in time that must be re-deployed away from growing the business.  Investing precious dollars early in the lifecycle of your company may not be exciting.  However, the payoff in peace of mind cannot be overstated.  Having a cybersecurity strategy, and hiring the right expert to execute it, is a truly wise investment.
