Small Business Insights from the CEO of the NCSS (National Cybersecurity Society)

Mary Ellen Seale, Founder and CEO of the NCSS, is no stranger to small business cybersecurity. As a small business owner and former employee of the Department of Homeland Security, she knows what it takes for small businesses to protect themselves from cyber-attacks. Jami Schwartz from small business lending platform Kabbage interviews Seale about how small businesses can improve their cybersecurity.

Jami Schwartz: If there was one “must do” for small businesses to be proactive and avoid online threats, what would that be?

Mary Ellen Seale: The number one “must” for any business is for leadership to provide the resources needed to implement cyber safe business practices. Cybersecurity is not just an IT issue – business owners need to look at the risks to their entire organization and develop enterprise risk management and resiliency strategies.

 

J.S.: Why did you decide to start this organization?

M.E.S.: I recently retired after 30 years of government service, with the last several years working at the highest levels in federal cybersecurity. During my tenure, I saw first-hand the destruction a cyber-attack can have on public and private sector organizations, especially small business. Working with the industry leaders in technology and IT security, I learned there were limited affordable resources for small businesses to access in order to stay safe. I want to change that.

 

J.S.: What is the most common pitfall small businesses succumb to?

M.E.S.: The most common pitfall businesses succumb to is the lack of resources – time and money. Most small business owners and employees are just too busy taking care of core business and serving customers. I’m guilty of that too!

The number one threat vector many companies fall victim to is phishing scams. They receive an email that looks legitimate, click on the malicious link, and their computer becomes infected. The best defense is learning how to evaluate phishing emails and refraining from clicking on a link in an email from an unknown sender.

As an NCSS member, your company will have access to the tools, training, and techniques to help prevent you from falling victim to these scams.

 

J.S.: Should your cybersecurity strategy differ based on what type of business you have?

M.E.S.: Yes. Your cybersecurity strategy should include the identification of risks tailored to your business and a plan developed to either avoid, accept, mitigate, or transfer the risk. One way to transfer the risk is through cyber insurance, which members learn about through NCSS.

As a business owner, you should also understand the legal issues that affect your business and industry. The strategy and methods you develop should comply with regulations and law as well as with risk. The NCSS will also help small businesses develop these strategies tailored to their business.

 

J.S.: When should you start thinking about implementing a plan?

M.E.S.: Now! Recent studies indicate that 60% of small businesses fail after a cyber-attack, so there is no time to wait. NCSS is here to help with implementing your cybersecurity plan. Step one is completion of CARES – Cybersecurity Assessment and Resiliency for Small Business – a tool that will give you a score and an NCSS Insights Report – a step-by-step recommendation on how to implement cyber safe practices based on industry best practices.

 

J.S.: Do you need to hire someone or a company to manage your plan?

M.E.S.: The real answer is “yes” and “no”. Leading cyber-safe organizations spend between 5-8% of their IT resources on security. Many organizations outsource their IT and IT security to managed security services.

Even if you outsource your IT security, you should identify someone in your organization to be the lead for IT security management, and all staff must be trained on potential threats such as phishing emails and social engineering scams.

 

J.S.: What are some other good resources for small businesses to help protect you online?

M.E.S.: A wide range of resources exist for small businesses to gain insight on general cybersecurity best practice guidelines. Notable resources include:

  • Federal Trade Commission’s (2015) “Start With Security: A guide for business”
  • National Institute of Standards and Technology’s “Cybersecurity fundamentals for small business owners” and the Cybersecurity Framework
  • U.S. Chamber of Commerce’s (2012) “Internet Security Essentials for Business 2.0”
  • Stop, Think, Connect website managed by National Cybersecurity Alliance and the Anti-Phishing Working Group (2015)

However, these resources don’t allow small businesses to measure their individual risk. NCSS recognizes that small business owners don’t have time to search for the right cybersecurity tools and resources. We consolidate various resources as well as create guides and training to help.

 

J.S.: Do you still need a cybersecurity plan if you’re not an online business and don’t sell online?

M.E.S.: Absolutely. You are in business to make money; therefore, you have something of value to steal. Your employees, customers, and suppliers all have sensitive data to protect. In today’s digital world, a business can’t afford not to have a cybersecurity plan.

 

J.S.: What are the costs associated with putting together and managing a plan?

M.E.S.: The costs for putting together a plan depend upon the type of industry you are in, the scope of operations, and the risks you are willing to manage or reduce. That’s why the NCSS CARES survey and the resulting Insights Report are invaluable because it’s easy to follow the steps needed to devise and implement a plan.

Now is the time to reevaluate your business expenditures and establish a line item for IT security. Adding 3-4% to your total IT budget for IT security is a start. We at NCSS understand that every dollar invested in something other than core business is a hard decision to make, but recovering from a data breach is much costlier when there is no plan in place and damage is rampant.

NCSS can help you decide where best to invest those dollars so you get the most for your money. Our members have access to discounted cybersecurity services and tools from vetted providers, which will help stretch the IT security budget further.

 

J.S.: How do you know if the changes you’ve implemented are successful?

M.E.S.: NCSS recommends that our members retake the CARES assessment to understand how the methods they have employed have improved their risk score. Another recommendation would be to have a penetration test and vulnerability assessment done to identify other issues in your infrastructure and give you a better understanding of the risks. Perform these assessments now and again in one year to ensure all of the controls you put in place are working.

 

NCSS wants to ensure you are RESILIENT – even if you have a breach, you can recover easily with the least amount of disruption to your business – that is our measure of SUCCESS – keeping you in business!
