How to Avoid Going Overboard with Tech Security

As originally published in the American City Business Journals.
“Security” is a word that’s thrown around every day on every news outlet. When there’s not a new security breach to report, there’s a new security vulnerability or security tool that your organization must look into immediately or else!
Are we blowing this topic out of proportion? Are all of these articles just scare tactics to get us to shell out more money on solutions and safeguards we don’t actually need? Could implementing them actually have adverse effects on our business?
In some cases, the answer is “yes.”

The risks of going overboard with your security

There’s an inverse relationship between safety and usability; the more controls you have in place to keep your data contained, the harder it’s going to be for your team to access that data efficiently.
Take two-factor authentication, for example — a security feature that many service providers are pushing hard these days. Here, your team will first enter a (complex) password to log into a given platform. This will generate a code that is sent to their cell phone. They wait to receive this code. Once the code comes through, they enter that code as their second set of credentials. Then they can enter the platform and begin working.
These couple of extra steps may seem insignificant in a vacuum, but if you consider the compound effect of every security measure you implement, you’re looking at a good chunk of time lost to navigating these hurdles.
And if these measures are so disruptive that your team feels too stymied, you then face (1) issues of high frustration and low morale, and (2) an increased risk of employees finding workarounds that in fact make your systems more vulnerable.

Putting it into perspective

On the other hand, we have to weigh the costs of not properly investing in your company’s security. Here are a few:

  • One in five small businesses falls victim to cybercrime, and 60 percent of those fold entirely within six months of the incident
  • Cyberattacks are estimated to have cost businesses $400 billion a year globally in direct losses and disruption to operations
  • U.S. businesses have lost a total of $750 million between October 2013 and August 2015 to email spoofing alone
  • After a cyberattack, businesses lose on average 29 percent of market mindshare, 21 percent of potential revenue and 19 percent of direct revenue
  • For every $5.62 companies spend after a breach, they could have spent $1 beforehand to prevent it

If you are comfortable with assuming these risks (as some businesses very much are), then it probably isn’t worth it for you to make any special investment in your company’s security.
But if those numbers made you even the slightest bit nervous, then I encourage you to approach security as its own initiative within your organization, and to put some serious thought into what steps you need to take to minimize your exposure.

What’s the baseline when it comes to security?

How are you to find the balance between enough and too much? Best practice dictates that your business addresses at least the following to stay well-protected:

  • Basic network controls including a current firewall, patched operating systems, anti-spam, and anti-virus
  • Data backup that provides your desired recovery point and time
  • Secure remote access
  • Enforced password policy, equipment use policy and employee separation policy
  • Staff education regarding threats and appropriate responses to incidents

Since many of these solutions are on the back end, your team won’t even know they’re in place. And for many businesses, these will in fact be enough.
But to truly determine what makes sense for your organization (with your data, your staff, your compliance regulations, your workflow), you need to work with a trusted, business-oriented information technology resource to identify your needs and match those to the appropriate solutions.
Because I would wager that most — if not all — victims of cyberattacks were operating under the assumption that they had it covered or that it wouldn’t happen to them.
Until, of course, it did.