
Small Businesses, Big Breaches

I love the fall. Brisk morning weather. Football. And politicians tripping over themselves to say nice things about small businesses. In this age of divisive politics, it’s nice that politicians of all stripes can agree that small businesses are awesome.

I like small companies and I love startups – I’ve spent 19 of my 23-year professional career working for them – but they increasingly punch above their weight when they are the source of a data breach. This distorted scale is illustrated by data aggregator Exactis, which had 8 employees on LinkedIn when its breach of 350 million personal records became public. Additionally, Silicon Valley startup Apollo showed 49 employees on LinkedIn a week after its loss of over 200 million personal records hit the news. Of course, large companies suffer breaches too, but they have far more resources to defend themselves.

The uneven ‘small business to big breach’ ratio is a direct reflection of how cloud computing has changed the economies of scale for small businesses. When I co-founded a company in 2010, we were able to get up and running for under $5,000. It would have easily cost 10 times that amount if we had started the same company a decade earlier. 

There are many reasons that small businesses find themselves unprepared to protect against data breaches. Today, the same technology and hustle that allows small businesses to disrupt giant competitors can also create risks to consumer privacy and even national security that these companies are not equipped to manage. Small businesses move quickly, and the pace of innovation is always faster than their ability to maintain security and compliance. Additionally, many small business operators have a risk tolerance that is off the charts. That is understandable, since entrepreneurship is inherently risky, but the same trait can warp a business owner’s ability to grasp the seriousness of the problem. Finally, putting solutions and personnel in place to protect high-value data is extremely expensive. Most small businesses do not have the capital or the employee bandwidth to make these investments, which leaves them inordinately mismatched against a potential attacker.

The commercial and military industrial sectors are prime examples of the mismatch between the capabilities of the groups who attack small businesses and those of the small business IT staff. Take, for example, a small metal company that fabricates missile fins. The company possesses the same Top Secret information as a giant military customer. While it puts policies and procedures in place for the proper handling of classified information, it cannot afford the full-time, dedicated information security staff and layers of automated technical controls that are necessary to enforce those policies and protect the information from nation-state attackers. A business with 25 employees, and only one running all of IT, cannot defend against cyber-attacks from the North Korean military with the same vigor as Lockheed Martin or Northrop Grumman. While the obvious answer to this problem is to not share classified information with businesses that aren’t equipped to handle it, that is impractical and politically dangerous. Small businesses are the job creation engine of the US economy. Sensitive and classified information must continue to flow between businesses of all sizes – with assurances that the information will be safe and secure throughout its lifecycle.

Solving this problem will require a partnership among small businesses, their customers, and the cybersecurity industry. Small businesses with fresh venture capital funding must hire in-house expertise. Small businesses with constrained budgets need to be more realistic about the effort and resources it will take to defend sensitive or classified information. Their large customers and partners need to lend [free] expertise to help small business suppliers implement best practices in a practical way that doesn’t break the bank. Too often, I see large customers tell their suppliers to be compliant with HIPAA or NIST 800-171, or some other framework without providing any help or guidance.

Finally, the cybersecurity industry needs to make solutions that are easier to use and more cost-effective. Artificial intelligence and big data could revolutionize the ability to defend against zero-day attacks, but this technology is incredibly expensive and businesses of all sizes still struggle with security hygiene like data classification, encryption, access management, and patch management. 

Over a long enough period, the probability of a breach is 100%. While we can’t stop breaches from happening, we can make it exponentially harder for attackers to access sensitive data. Making life more difficult for the attacker will result in less frequent breaches with less damaging consequences. Small businesses not only create jobs but also create breakthrough technologies that change our personal and professional lives. This innovation gives them an economic advantage that also makes them a target for espionage and cybercrime. Budgets at small businesses are tight, so their security and privacy efforts must be right-sized for the business while still being effective in reducing risk. Risk tolerance should not be unilaterally defined by small business operators. Boards of directors, business partners, consumers, and legislators all play a role in defining how much risk is acceptable in their organizations.

Mike Fleck is VP of Identity Protection at 4IQ. He previously served as VP of Security at Covata Limited (ASX: CVT), where he was responsible for managing and directing US operations and brand awareness, credibility, and thought leadership related to data security and privacy. In 2010, he co-founded CipherPoint Software and has since served as its CEO. With nearly 15 years of experience in data security and encryption, Mike holds patents for transparent encryption and automated encryption key management. His experience with complex Fortune 500 and Federal Government environments includes leadership roles at Vormetric (acquired by Thales), High Tower Software (acquired by NetForensics), Predictive Systems, and Lockheed Martin.