Many people would rather get a root canal than dig into the fundamentals of good cybersecurity practice for their business.
I feel your pain. As a former Silicon Valley startup CEO and serial Chief Information Security Officer for companies like Microsoft, AT&T Wireless and Russell Investments, I have had cybersecurity top of mind throughout my entire career.
As leaders of small and medium enterprises, it’s critical that you have information you can use to protect your business, the customer data that is entrusted to you and your company’s reputation.
How can SMBs keep up with the latest in cybersecurity?
It’s hard to do it alone, so expert guidance is the key.
The world of technology is moving faster than ever before. Any small business with an Internet connection or an online presence has to be concerned with the technology evaluation and adoption that supports their business growth. But few SMBs have the resources or time to carefully consider the potential vulnerabilities that are introduced along with new technology.
For you, the goal is likely to focus on what you do best for your business — and that is growing it — rather than wondering how to chase down information to do your due diligence for cybersecurity. Instead, we can bring you information from the best experts in the industry who understand your business needs as well as the cybersecurity exposure that could adversely affect your business.
Cybersecurity starts with your leadership
I cannot stress this enough — cybersecurity is a critical company strategy that you cannot delegate.
As the business owner, you are accountable for a sound strategy and a quality implementation of that strategy when it comes to protecting your company’s assets from loss — including via cybersecurity.
Cybersecurity luminaries like Whitfield Diffie and Bruce Schneier have described business exposure to cybercrime as an opportunistic exploitation of “low-hanging fruit.” The easiest targets are those with easily exploitable vulnerabilities — often something as straightforward as an easily cracked password.
Paying attention to basic IT hygiene like patching, good passwords, IT inventory management, IT service management and solid third-party service providers can set your SMB above the competition when it comes to cybercrime exposure.
How to get ahead of your competition: ASK
Knowing whether or not you are “set above” requires a “management by walking around” approach — engaging first-hand with your IT organization and service providers.
Unlike executives who may declare that a breach was the fault of the “unnamed IT person” who failed to implement a single patch, the cyber-savvy executive recognizes that plausible deniability is a poor substitute for knowing what is really going on.
When it comes to cybersecurity, you must ask the critical questions to learn the “state of the commonwealth.” Make it a safe place for your team to tell you what is wrong — because you cannot fix what you cannot name.
This simple fundamental principle of open communications and not shooting the messenger is at the root of good security. In major security breaches, a lack of communication is universally present.
By making it a practice to ask people what needs to be fixed and what it would take to do that, over time you will create an expectation of trust where your team can come to you. Problems can then be identified while there is still time to avert disasters — such as a major software deployment failure or a breach of thousands, if not millions, of records containing very sensitive information affecting the livelihoods of your customers.
We can learn from others’ mistakes
In my experience as CISO, I witnessed dramatic challenges when the “ASK” principle was not followed.
Communication failure was at the root of a disastrous CRM deployment during our holiday selling season at AT&T Wireless in 2003.
Trust was low and the open identification of problems was lost during a critical IT deployment that affected the very heartbeat of the enterprise. As a result, the company lost hundreds of millions of dollars of revenue in one calendar quarter.
The market reacted — and it wasn’t pretty. Angry wireless phone customers were literally throwing their recently purchased, still inactive, phones at store reps. Subsequently, the company reputation tanked.
By February of 2004, the company was auctioned to Cingular with stringent terms and conditions for IT to pass strict operational audits.
Universal principles for IT problem identification
Company culture can also be a root problem.
In this case, there had been an IT culture of dismissing associates who raised concerns about a project during development. No doubt, this created an atmosphere of fear. But it also inhibited people from speaking up and saying “wait!” when something went wrong — and this had catastrophic results.
In the months that followed the AT&T Wireless case above, the management team employed several culture-changing practices that turned around the IT troubles and created a well-defined, well-controlled infrastructure that passed stringent control audits by four major audit firms.
These principles are:
- Be crystal clear on outcomes — and limit them to five.
- The only bad problem is one that is secret.
- Promote accountability, not crucifixion.
- Follow all problem solving to the real root cause.
- Fix processes before people.
Communicate and be curious
The result was indeed positive.
By over-communicating very clear outcomes with clear accountability, people knew exactly what was expected. At the same time, every day we asked what was broken — so it could be fixed.
There was no punishment or shaming as problems were identified — rather they were celebrated even as the team was held to high standards to identify the root cause and come up with a tested fix for it.
Asking your team frequently about the security health of your IT is fundamental. Be informed, then choose your strategy to address the potential risk to your company’s reputation and operations. Everything else rests on this.