As the founder and chief executive officer of two, small technology businesses, Ola Sage is a strong advocate for cybersecurity preparedness. She meets regularly with small business groups and CEOs. She also promotes information-sharing among small and midsize businesses to help increase readiness.
One of her businesses, Maryland-based CyberRx, developed software that is designed to help businesses work through detailed, federal cybersecurity guidelines to assess and strengthen their protection strategy. CyberRx is one of SDN Communications’ business partners.
Sage’s other business, e-Management, an 18-year old company which she recently sold, is an IT services company that serves federal government clients.
Her experience and expertise put her in a good position to assess the general ability of businesses to recognize and fight cybersecurity threats. So, I asked her if cybersecurity risks facing businesses are getting bigger, staying the same or getting less serious.
“It’s becoming a bigger and bigger issue,” she said. Awareness of potential problems has increased, but awareness has not yet translated to substantial action among businesses, she said. “It’s a persistent problem.”
In testimony last November before the U.S. House Committee on Small Business, Sage pointed out that in the prior 12 months, 61 percent of small and midsize businesses had reported that their companies had experienced a cyberattack. More than half the attacks involved exposure of customer and employee information. The average cost in damages and stolen assets was more than $1 million.
Obviously, for a lot of companies, especially small businesses, surviving a significant cyberattack hinges on avoiding or effectively reducing damages. Preventing attacks before they cause any damage should be the goal.
To be able to avoid serious damages, companies must thoroughly and constantly monitor threats, and then adjust their protective strategies accordingly. That usually means that cybersecurity has to be a priority from board members and owners on down to the company’s team.
Cybersecurity should not just be a duty handed off to an IT staffer and then checked off of an executive’s to-do list. To effectively keep up with evolving threats and staff-training needs, cybersecurity needs to be a companywide priority.
So, I also asked Sage what were the most important questions that company board members should ask their managers about cybersecurity. Here are her suggestions:
- How are managers being informed and kept up to date about cyber risks and the potential impact of risks on the company’s business?
- Does the company provide cybersecurity awareness training for employees? If so, how often is the training provided?
- Does the company have a cyber incident response plan?
- How does the company prevent penetration of its network and damage from unauthorized penetration?
- Does the company carry cybersecurity insurance? If so, what does it cost and what does it cover?
- Does the company back up its corporate data? If so, how often?
One good resource available to help businesses assess their risks and implement and improve their protective strategies is the NIST Cybersecurity Framework. NIST is short for the National Institute of Standards and Technology, which is an agency within the U.S. Department of Commerce.
NIST worked with business, education and government leaders to come up with a flexible series of detailed guidelines for companies to work through. Businesses of all sizes can benefit from using the NIST Framework, Sage said.
That’s why her company developed CyberRx, a tool to help organizations work through the framework. The CyberRx software and coaching help that Sage’s company developed is available through SDN.
Becoming a reseller of CyberRx service was a natural fit for Sioux Falls-based SDN, a regional leader in providing broadband connectivity and cybersecurity services for businesses. SDN became a CyberRx reselling partner after the company worked through the NIST Cybersecurity Framework to sharpen its own security focus. After that, SDN searched for a good tool to help the company stay on track in regularly assessing and updating its cybersecurity strategy. The company chose CyberRx.
Other companies have a similar choice. No matter how a company chooses to review or update its strategy, making cybersecurity a priority - starting with board members and top leaders – is a good place to start.