[BreachExchange] Agency report: Most businesses couldn't withstand cyberattack

Destry Winant destry at riskbasedsecurity.com
Thu Oct 19 00:49:36 EDT 2017


https://www.theet.com/news/free/agency-report-most-businesses-couldn-t-withstand-cyberattack/article_d1e81455-f3f3-5c94-b5a5-93efbe683dce.html

Half of small businesses report they could remain profitable for only
one month if they lost essential data, according to a new report
released by the Better Business Bureau in conjunction with National
Cybersecurity Awareness Month.

“Profitability is the ultimate test of risk,” said Bill Fanelli,
CISSP, chief security officer for the Council of Better Business
Bureaus and one of the authors of the State of Small Business
Cybersecurity in North America report. “It’s alarming to think that
half of small businesses could be at that much risk just a short time
after a cybersecurity incident.”

The agency surveyed approximately 1,100 businesses in North America
(71.4 percent of the sample came from the United States, 28.5 percent
from Canada and 0.1 percent from Mexico). Two-thirds of the
participants were BBB Accredited Businesses, and they apparently fared
marginally better in most measures, such as awareness of specific
threats and adoption of cybersecurity measures. The data was collected
in an online survey with a margin of error of approximately plus or
minus 3 percent at a 95 percent confidence level.

The report focuses on cybersecurity effectiveness from three
perspectives: a) cybersecurity standards/frameworks; b) best
practices; and c) cost-benefit analysis. One of the key findings is
that the NIST Cybersecurity Framework, technically a voluntary
standard from the National Institute of Standards and Technology, is
becoming mandatory in some markets. Not only are many companies
requiring it of their vendors for procurement, but many businesses are
adopting it because it helps them run a better business. The NIST
framework is the basis for BBB’s training program, “5 Steps to Better
Business Cybersecurity” (BBB.org/cybersecurity).

The State of Small Business Cybersecurity emphasizes the need not only
for education and training, but for cost-benefit analysis of
cybersecurity measures. The report suggests a formula created by two
professors at the University of Maryland, Martin P. Loeb, PhD and
Lawrence A. Gordon, PhD, to help small business owners estimate their
risk from cybersecurity attacks and calculate an appropriate
investment in prevention.

“It doesn’t do any good for a small business to adopt a $10,000
solution if the potential risk reduction is only worth $5,000,” said
Fanelli. “We hope this report will give small business owners greater
awareness of the real and the perceived risks of cyberattacks, as well
as best practices for protecting against these types of security
threats. We hope it serves as a step forward in advancing
cybersecurity in the marketplace.”
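The article names the Gordon-Loeb cost-benefit formula but does not reproduce it, and Fanelli's "$10,000 solution for a $5,000 risk reduction" remark is the same question asked informally: how much is it rational to spend on prevention? The following is an added example, not code or figures from the article or the BBB report. It implements the model as published by Gordon and Loeb (ACM TISSEC, 2002) using one of the two breach-probability function families from that paper, together with its best-known result: for those families the optimal spend never exceeds 1/e (about 37 percent) of the expected loss. Every number in the scenario (breach probability, loss, and the alpha/beta curve parameters) is constructed for illustration, and the 1/e ceiling is only guaranteed for the function families the paper analyses, not for arbitrary curves.

```python
import math

# Gordon-Loeb "Class I" security breach probability function:
#   S(z, v) = v / (alpha * z + 1) ** beta
# z     = money invested in security
# v     = probability of a breach if nothing is spent (the "vulnerability")
# alpha > 0, beta >= 1 control how quickly spending drives the probability
#         down; the values used below are constructed, not measured.


def breach_probability(z, v, alpha, beta):
    """Probability of a breach after investing z."""
    return v / (alpha * z + 1) ** beta


def risk_reduction_value(z, v, loss, alpha, beta):
    """Expected loss avoided by investing z: (v - S(z, v)) * L."""
    return (v - breach_probability(z, v, alpha, beta)) * loss


def expected_net_benefit(z, v, loss, alpha, beta):
    """Gordon-Loeb ENBIS: expected loss avoided minus the investment itself."""
    return risk_reduction_value(z, v, loss, alpha, beta) - z


def optimal_investment(v, loss, alpha, beta):
    """Closed-form maximiser of expected_net_benefit for the Class I function.

    d/dz ENBIS = v*L*alpha*beta * (alpha*z + 1)**(-beta-1) - 1 = 0
    gives (alpha*z + 1)**(beta+1) = v*L*alpha*beta, hence
        z* = ((v*L*alpha*beta) ** (1/(beta+1)) - 1) / alpha.
    ENBIS is concave in z, so this stationary point is the maximum; if it is
    negative the model says the rational spend is zero.
    """
    z = ((v * loss * alpha * beta) ** (1.0 / (beta + 1)) - 1.0) / alpha
    return max(0.0, z)


def gordon_loeb_ceiling(v, loss):
    """Upper bound on worthwhile spending: 1/e of the expected loss v*L."""
    return v * loss / math.e


def evaluate_candidate(z, v, loss, alpha, beta):
    """Fanelli's test applied to a proposed spend z.

    Returns (value of risk reduction, net benefit). A negative net benefit is
    the "$10,000 solution for a $5,000 risk reduction" case.
    """
    reduction = risk_reduction_value(z, v, loss, alpha, beta)
    return reduction, reduction - z


if __name__ == "__main__":
    # Constructed scenario: a 50% chance of a breach that would cost $100,000.
    v, L, alpha, beta = 0.5, 100_000, 0.001, 1
    z_star = optimal_investment(v, L, alpha, beta)
    print(f"expected loss with no spend: ${v * L:>10,.0f}")
    print(f"optimal spend (z*):          ${z_star:>10,.0f}")
    print(f"1/e ceiling on spend:        ${gordon_loeb_ceiling(v, L):>10,.0f}")
    for z in (5_000, z_star, 10_000, 25_000):
        reduction, net = evaluate_candidate(z, v, L, alpha, beta)
        print(f"spend ${z:>9,.0f}: avoids ${reduction:>9,.0f} of expected loss,"
              f" net benefit ${net:>9,.0f}")
```

With these constructed parameters the optimal spend comes out near $6,071 against an expected loss of $50,000, well under the $18,394 ceiling; spending $25,000 still avoids more loss in absolute terms, but the net benefit falls because each extra dollar buys less probability reduction. Changing v, L, alpha or beta to values that fit a real business is the whole exercise the report is asking owners to do; the hard part is estimating them, not the arithmetic.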

“Small business owners get it,” Fanelli continued. “When we asked them
about the most common cybersecurity threats — ransomware, phishing,
malware — they know what’s out there, and most of them have basic
protections in place. For instance, 81 percent use antivirus software
and 76 percent have firewalls. But one of the most cost-effective
prevention tools, employee education, is used by fewer than half of
the companies we surveyed. Other prevention measures scored even
lower.”
