now browsing by tag


Sports Cyber Security Business Leader

Source: National Cyber Security News

NBCUniversal  – Minneapolis, MN

The Sports Cyber Security Business Leader will be a lead contributor to the NBC Universal Cyber Security organization, responsible for executing and contributing to the cyber security strategy and maintaining operational engagement with key Sports leaders.

The Cyber Security Business Leader will assess business cyber security practices and provide recommendations on the implementation of security controls, technologies and supporting workflows consistent with the NBC Universal cyber security strategy. Additionally, executing the Sports cyber security program with accountability for delivery and measurement consistent with organizational objectives and standards. This position requires an experienced security professional, ideally with experience in the media and entertainment industry in customer facing roles.

A successful candidate is expected to understand and articulate business operational processes and risks while leveraging existing internal and external business and technology resources to provide program and project related insight. Clear and concise oral and written communication are required.


Advise and lead the execution of a comprehensive cyber security risk-based program for NBC Universal’s Sports business.
Provide insight and seek support from the enterprise NBC Universal Cyber Security function to inform and align with the Sports strategy
Support cyber security organization leadership in the identification and communication of relevant cyber security-related issues, risks and events, including leading operational engagement and supporting metrics for measuring cyber security maturity
Keep abreast of cyber security trends, with an ability to articulate security related themes and principles in to business terms
Drive the delivery of cyber security plans, implementations and leading practice controls, with an understanding of Active Defense security principles and strategies
Lead business engaged risk exercises to identify and measure risk posture and provide recommendations on mitigation strategies
Actively engage and support security incident response team in resolution and close of investigations of incidents with ownership of post mortem and remediation plans
Support the development of business-relevant metrics and key performance indicators to measure cyber security program maturity

Read More….


View full post on National Cyber Security Ventures

Integrating #cyber security with #business #continuity

Cyber security is a top concern for nearly all companies. While addressing cyber security is clearly a technology-centric issue, recent incidents show it is no longer only a technology issue.

The integration of technology into all areas of credit union operations means that all functions will be impacted in the event of a cyber security response. Similarly, an event impacting business continuity may also have security implications. Today’s level of integration makes it nearly impossible to delineate between cyber and business continuity problems.

The time has come for credit unions to think outside the box and integrate these two important functions. Integrated cyber incident and business continuity programs can deliver benefits that go well beyond dollars and cents.

Consider the below steps to ensure integration is both smooth and effective:

Integrate management teams and resources. Many organizations still consider cyber security incident response and business continuity efforts to be separate functions, primarily because the two disciplines have long been thought of as separate and distinct, each intended to ensure an efficient and appropriate reaction to a unique event. Significant efficiencies and benefits can be realized if the relevant resources and processes are integrated, even if the practices have performed well as individual disciplines in the past. Creating a single process not only optimizes process flow and facilitates training, but it also forms a cohesive function, the goals of which are protecting the organization’s reputation and ensuring continuity of operations.

Align policies, procedures and training. Similar management teams and supporting activities exist in both specialties. Combining these teams and processes will yield a more cohesive, streamlined process that is capable of bringing more assets to bear when an event occurs, regardless of the incident type — which is increasingly important as security and continuity-impacting incidents become themselves more and more frequently integrated. For example, it is not uncommon for cyber criminals to attempt to leverage a physical incident to cover phishing or social engineering attacks. Timely involvement of all business-area leadership is crucial, as any sort of incident could raise immediate issues that require decision-making.

Leverage common touch points between business functions. A comprehensive response plan typically includes many “touch points” between IT and business functions. These touch points are usually coordinated through a response team that has common resources for communication, including periodic situation updates, designated response options and identified  potential business impacts. A common framework may help mitigate the impact of negative events.

Coordinate crisis communications. The key to effective resolution is clear, concise communications, regardless of whether a business-impacting event is cyber or physical in nature. If an event requires communication with members of the public, it is essential to identify and follow regulations specifying how and when impacted individuals must be notified. Establishing clear communication protocols and procedures in advance ensures a credit union’s crisis management team will have the information it needs to develop and distribute authorized communications quickly, effectively and cohesively when the time comes. This preparation will pay off in ensuring an organized response to public concerns and inquiries, and will also make it easier to monitor external activity.

Optimize after action reporting. The root cause of an event is not always obvious, and unless identified through a complete and careful analysis, the event could recur. What actually happened, and why? Once the cause of an incident has been identified and remediated, the credit union should update its incident response program documentation to integrate the lessons learned. Regularly updating an integrated plan reduces the potential for mistakes and eliminates duplication of effort.

Risks related to cyber security should be handled similarly to any other business risk. Whatever the specifics of the incident, a single framework and management reporting structure should be in place to identify and control the incident’s potential impacts. Different subject matter experts may be brought in and out to assist, depending on the nature of the specific problem, but leveraging a common framework, training and reporting structure will facilitate the response and help to reduce negative impact to the business.

Start small when it comes to developing an integrated process. Pay attention to the details, taking it one element at the time. In the end, you will learn a great deal about your business and end up with a process that will support your credit union’s needs well into the future.

View full post on National Cyber Security Ventures

Just half of #UK #business confident of #cybersecurity skills as #GDPR nears

more information on sonyhack from leading cyber security expertsAt this time of unparalleled cyber danger, it has been found that only half of companies in the UK believe they are equipped with adequate cybersecurity skills. The root of this shocking lack of confidence may be in another finding that just 51 per cent of IT workers in the UK said that cybersecurity has […] View full post on | Can You Be Hacked?

Ignorance Of #Cyber Threat Creates #Conundrum For Small #Business #Data #Security

Ignorance Of #Cyber Threat Creates #Conundrum For Small #Business #Data #Security

McAfee Labs recently published its 2018 Threats Predictions report, and after a year of high-profile cyberattacks and data breaches, analysts say the threat won’t let up in the new year. A rising challenge for the enterprise is the fact that cyberattackers are becoming increasingly sophisticated in their methods. According to McAfee, while companies are embracing innovations like machine learning to safeguard their systems, attackers, too, are using these same tools.

“Machine learning can process massive quantities of data and perform operations at great scale to detect and correct known vulnerabilities, suspicious behavior and zero-day attacks,” McAfee said in its report. “But adversaries will certainly employ machine learning themselves to support their attacks, learning from defensive responses, seeking to disrupt detection models and exploiting newly discovered vulnerabilities faster than defenders can patch them.”

If there’s one thing the enterprise has learned this year, it’s that a data breach can happen to any business — including small businesses (SMBs). Or, according to the latest data, many small businesses haven’t learned this lesson.

In this week’s B2B Data Digest, PYMNTS dives into new research about small businesses’ data security and cybersecurity efforts. Small businesses seem quite confident in their ability to protect themselves and their customers’ data, but according to researchers, that confidence is likely misguided.

—60 percent of SMBs said they don’t follow PCI DSS or HIPPA rules when storing customer credit card and banking information, according to new research from Clutch. The firm surveyed 300 small businesses about how they store data in the cloud and found that the majority aren’t following the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPPA) as required by law. Clutch warned that fines for non-compliance with these rules can reach into the millions of dollars.

—54 percent of SMBs that store medical data in the cloud admit they don’t follow storage industry regulations, meaning these businesses could be putting sensitive company and consumer data at risk, Clutch also found.

—90 percent of SMBs are at least “somewhat” confident in their cloud storage’s security, a 3 percent increase from 2016 figures. That statistic is troubling, considering so many small businesses are actually lagging in cloud data security, according to the survey.

—60 percent of small firms say they use encryption to safeguard data in the cloud, the most common security measure cited by SMBs in Clutch’s survey. More than half (58 percent) said they train employees in data security, and 53 percent said they use two-factor authentication, though Clutch warned that businesses should be using more cybersecurity strategies than these three methods alone.

—74 percent of SMBs don’t have cyber liability insurance, according to separate research from Insureon. The small business insurance company surveyed 2,500 members of the small business community Manta, and the results suggest that the SMBs that aren’t following data storage regulations may not only be at risk for fines, but could face added-on consequences if they go uninsured.

—25 percent of small firms have consumer data that is susceptible to an attack on their business network, Insureon found, while nearly a sixth said they have already experienced a data breach.

—82 percent of small businesses told Insureon they don’t feel they’re at risk for a cyberattack or data breach, echoing similar sentiments found by Clutch: SMBs could be ignorant to their cybersecurity threats, despite many having already experienced an attack. Insureon President Jeff Somers said in a statement that the research is “surprising, considering the amount of media circulating about mass data breaches and cybersecurity. Many small business owners have their whole life savings tied up in their businesses, and they don’t understand how vulnerable they are to a cyberattack.”

View full post on National Cyber Security Ventures

GDPR #Raising #Cybersecurity #Awareness Among #EU Business #Leaders

Source: National Cyber Security – Produced By Gregory Evans

As if the daily beating of data breach news wasn’t enough reason to bring the stark reality of cyber risks to the attention of corporate leaders, here comes the European Union’s General Data Protection Regulation (GDPR). Taking effect in May 2018, GDPR is managing to elevate cyber risks to the top of the corporate agenda for organizations that store data in citizens of the European Union.

According to a survey of more than 1,300 senior executives, conducted by insurance and risk management firm Marsh, 65 percent of respondents from organizations that operate in the EU say that they consider “cyber” to be a top risk. That’s a doubling from a similar survey conducted last year that found 32 percent citing “cyber” as a top five risk. Further, the survey finds that 23 percent of those organizations that fall under GDPR have endured a successful cyber attack in the past year.

The heightened cybersecurity concerns and looming GDPR deadline have EU organizations upping their security and risk management spending. “Of those respondents whose organizations have plans for GDPR implementation, 78% said they would increase spending on addressing cyber risk over the next 12 months, including spending on cyber insurance. Notably, 52% of those who do not have a plan for GDPR indicated that their investment in cyber risk management would increase,” Marsh writes in this news release.

Surprisingly, with about seven months left, only 8 percent of survey respondents claim that their organizations are currently GDPR compliant and a startling 57 percent say that their enterprises are currently developing compliance plans. And another 11 percent of respondents are in for a very rude awakening, as they’ve reported that they have no compliance plans at all. “Smaller organizations were more likely not to have a plan for GDPR with 19% of respondents from businesses with less than $50m annual revenue replying that no plan was in place,” Marsh wrote.

For those not familiar, GDPR mandates:

  • EU citizens’ personally identifiable information (PII) must be adequately protected, managed, and controlled.
  • Data breaches must be reported within 72 hours.
  • Non-compliant organizations risk significant fines, from 4 percent of annual revenue down to €20 million.

Forty-nine percent have fully developed a data breach incident response plan. Another 10 percent, however, have no plans to do so. It’s shocking that any organization today doesn’t have an incident response plan should sensitive data be exposed.

It is not pragmatic for an organization to assume it will never have to disclose a breach as required by GDPR – that’s just hope. It’s much more sensible to expect to be breached at some point and consider how to make a public disclosure. Because when it comes down to it, the difference between the winners and losers here is how well the breach is mitigated and managed, and the effectiveness of the public response.


The post GDPR #Raising #Cybersecurity #Awareness Among #EU Business #Leaders appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Where #Emerging #Cybersecurity #Technology Fits in Your #Business

Source: National Cyber Security – Produced By Gregory Evans

Where #Emerging #Cybersecurity #Technology Fits in Your #Business

As 2017 enters the final stretch, security professionals still find themselves locked in a furious battle with hackers.

Some 80 percent of the IT and security executives surveyed for the most recent AT&T Cybersecurity Insights report said their organizations came under attack during the previous 12 months. The percentage soars to 96 percent for companies in the technology industry.

All the more reason why enterprise defenders are under acute pressure to create multiple layers of defense, detection and mitigation to withstand future attacks. But what worked in the past is no guarantee it will work in the future. This is a threat landscape that is fluid and changes from one year to the next.

Tool Up for the Long Haul

In the end, a good cyberdefense strategy depends on making hard decisions that correctly match investments against an organization’s risk profile. There’s never a one-size-fits-all solution, but the approach should start with the recognition that breaches are inevitable. Then it’s up to management to select countermeasures that will mitigate potential damage, all the while ordering steps to routinely tighten up vulnerabilities in order to reduce the risk of a devastating attack.

The stakes are as high as ever: Ponemon Institute estimates the average cost of a data breach in 2017 at $3.6 million. But in the AT&T report, 65 percent of the executives surveyed expressed confidence about their ability to handle cybersecurity challenges in the coming year.

Also, more than two-thirds (70 percent) of them said they plan to increase their investments in next-generation security technologies, including threat analytics, cloud security solutions and machine learning.

New skills will clearly be in high demand as organizations seek to deploy next-generation technologies in areas such as cloud security, data science and analytics. And as more information gets pumped out daily, artificial security intelligence will become increasingly important.

Clearly, those new tools and techniques would not only come in handy against their adversaries. They can also help bridge gaps in their cybersecurity defenses exacerbated by a nagging skills shortage. But what if they don’t have the personnel to deploy them?

Half of the organizations surveyed by AT&T indicated they plan to increase their security staffs over the next 12 months. However, talent has never been as tough to come by. The U.S. has a reported skills gap of 300,000 cybersecurity experts. The shortage is particularly evident when it comes to threat prevention, threat detection and threat analysis – three of the most important areas of any cyberdefense.

Even those organizations that lean heavily toward security technology can be hard-pressed to stay abreast of the rapid advances in security defense because of the state of the IT jobs marketplace.

In the interim, one option is to increase the use of outside consultants and managed service providers, who can provide the needed next-gen capabilities to deal with this ever-changing constellation of cyberthreats.

These specialists are able to attract top-of-the-line talent and can implement cutting-edge security technologies rapidly. They also can deploy analytics that generate deep insights about the overall threat landscape – knowledge that can be shared with all of their customers to strengthen their own defensive postures.

The post Where #Emerging #Cybersecurity #Technology Fits in Your #Business appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Business Intelligence Analyst

Source: National Cyber Security – Produced By Gregory Evans

Business Intelligence Analyst
Job Details


Corporate – Austin, TX

Full Time

4 Year Degree

Silvercar is looking for a motivated analyst with a get-it-done attitude to join our growing business intelligence team. As a BI analyst, you will be responsible for leveraging the vast amounts of data at Silvercar and enabling business users access to data needed to drive business decisions. You will work directly with the head of business intelligence team and support each of Silvercar’s business units with their BI, analytics and reporting needs.


  • Drive BI use cases throughout the company
  • Provide reliable access to high quality data through dashboards and reports
  • Work with business stakeholders across the organization to gather and analyze BI requirements
  • Provide technical leadership for and hands on experience in BI, analytics, ETL, data warehousing and reporting
  • Architect an ETL process using Treasure Data by importing data from various sources (transactional databases, business systems, and flat files), transforming data using SQL, and outputting data into BI systems for analysis and visualization
  • BA/BS in Mathematics, Computer Science, Engineering or other quantitative field
  • 3+ years of experience working directly with BI tools like Looker or Treasure Data
  • Advanced SQL skills
  • Solid spreadsheet skills (Excel, Google Sheets, etc.)
  • Experience with ETL processes, data warehousing or building out data pipelines
  • Ability to work with business stakeholders to define BI requirements
  • Ability to act as a project manager and collaboratively work with business stakeholders to define and develop BI use cases
  • Maintains a positive attitude and shares Silvercar’s values

The post Business Intelligence Analyst appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

14 #Cybersecurity Tips All #Business Leaders Should Know

Source: National Cyber Security – Produced By Gregory Evans

14 #Cybersecurity Tips All #Business Leaders Should Know

As a business owner, cybersecurity can be a daunting topic: It’s complex, threatening, and you might not even know where to start. But considering hacks will cost companies as much as trillions of dollars annually within the next five years, cybersecurity is a measure all businesses — both big and small — must take.

To help break down different pieces of the puzzle, we’ve compiled tips and takeaways from 14 cybersecurity experts from Forbes Technology Council.

1. Cyber criminals feed off human error

“With the proper behavioral changes, organizations can greatly minimize their chances of suffering a devastating blow. It all starts with developing a culture of cybersecurity. But what does that look like?,” writes Reg Harnish, CEO, GreyCastle Security.

“A consistent buy-in among employees starts with driving home the fact that everyone has a role to play in protecting the company’s assets, and no role is more important than any other,” writes Harnish. “Additionally, employees are more likely to stay committed to the task if the security concepts can be easily implemented into their daily routines, much like brushing their teeth.”

Read more in What It Means To Have A Culture Of Cybersecurity

2. But you might want to hire a hacker …

Research forecasts the cost of cybercrime to hit $6 trillion per year by 2021. Whether you own a company or not, everyone is at risk of having their data stolen, as cybercrime is the fastest-growing crime in the U.S.. Knowing how to best position yourself before an attack happens is essential.

“More and more businesses and government agencies are engaging with independent security researchers to help them find vulnerabilities in their systems that they otherwise wouldn’t,” writes Alex Bekker, VP of engineering at HackerOne, “Most cyberattacks are executed via security holes unknown to the target organization, so having well-intentioned hackers find vulnerabilities in our computer systems is the closest we can get to real-world conditions.”

3. Most companies know about cyber threats, but aren’t doing much about it

“The hackers have done an excellent job of bringing the cybersecurity industry to the forefront, but how can we translate that into successfully helping corporations, governments and individuals defend themselves? The answer is rather simple: education,” writes Nick Espinosa, Chief Security Fanatic of Security Fanatics.

“Consider two major points in this vein: First, a recent study of global governments shows that while they’re aware of cyberthreats to their infrastructure, roughly 50% of said governments do not have a formal cyberdefense strategy or plan,” writes Espinosa. “Second, we have plenty of corporations and governments with vast amounts of intellectual property who continue to be behind in cyberdefense, using outdated strategies instead of the latest and greatest defense hardware, software and methodology. The ‘if it ain’t broke, don’t fix it’ mentality is alive and well, sadly.”

4. Beware of another threat: biased security providers

As cybersecurity becomes non-optional, third-party vendors seem to be popping up out of the woodwork. They make big promises, but not all of them can deliver.

“Setting advanced testing standards would be an important step in codifying what is promised and delivered by various products,” writes Jamie Butler, CTO of Endgame, “Unfortunately, much of the available third-party testing organizations receive compensation for testing, which makes the results inherently biased. Instead, non-pay-to-play organizations like MITRE and the Cyber Independent Testing Lab need to become the norm.”

5. It’s not enough to plan against an attack, IT departments must plan for one as well

“No matter the extent and level of investment an organization puts into cyberthreat prevention, leadership must recognize a hard reality: It only takes one wrong click to invite an intrusion . Thus, a restorative approach (i.e., a well-equipped disaster recovery plan) is needed to ensure ongoing business in the event of a ransomware attack,” writes Jeffrey Ton, EVP of product and service development at Bluelock.

“It’s crucial for companies to ensure their restorative capabilities are just as strong, if not stronger, than their preventative measures in place. In every breach scenario, quick responsiveness avoids extensive data loss and reputational fallout,” writes Ton. “Achieving the creative and analytical tension for this type of resilience is just another reason for IT departments to shift their traditional approach.”

The post 14 #Cybersecurity Tips All #Business Leaders Should Know appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

The #Future of #Work Hinges on Making #Cybersecurity Everyone’s #Business

Source: National Cyber Security – Produced By Gregory Evans

The #Future of #Work Hinges on Making #Cybersecurity Everyone’s #Business

Conversations about the future of work have to include security. I’ll take that one step further: the future of work very much revolves around the future of security. New ways of working offer exciting opportunities to boost employee productivity, creativity, and engagement, but they can’t come at the expense of security. On the contrary, many of the same practices already shaping the future of work—BYOD, unprecedented mobility, any-network access, employee-centric experiences—can increase risk for data, applications and networks. The attack surface has never been so broad or so inviting—and threats have never been more sophisticated.

At a time when data is both more valuable and more vulnerable than ever, how will we secure the future of work? As a guiding principle, we can’t rely on add-on security technologies and siloed teams. Security must be woven throughout both the IT architecture and the organization to ensure that no matter how or where people work, the organization is protected. At the same time, the measures we rely on can’t be allowed to impair the user’s experience or productivity. Today’s workforce won’t accept arbitrary restrictions or barriers; the same creative spirit that fuels innovation will also lead them to seek consumer-market workarounds.

The key is to make cybersecurity everyone’s business. When employees are fully bought in to security—when they understand its importance and relevance, and they’re empowered to support it without sacrificing their own work, your security team becomes truly organization-wide.

To that end, here are five security best practices for the future of work.
Educate users
This isn’t exactly new—fair enough. User education has been a tenet of cybersecurity since the early days. But that makes it all the more important to reinforce its importance, so that we never overlook it or take it for granted. As people gain the freedom to work anywhere, on any device, knowing how to do so safely must be a top priority.

In the employee-centric modern workplace, it’s also important to consider how this education takes place. It’s not enough simply to recite lists of rules and protocols. Instead, engage in a true dialogue—take the time to understand users’ needs and practices, and then explain your security policies in ways that are accessible and relevant to their daily experience.

Extend the discussion beyond the office environment to encompass every other setting where work takes place. How can you recognize whether a public wifi connection is safe to use? What are the risks around USB sticks? How can employees secure the consumer technologies in their homes, so their kids don’t introduce vulnerabilities into the family WiFi network with a jailbroken phone?

Engage with lines of business
Security doesn’t happen in a vacuum. The most effective policies are grounded in a firm knowledge of operational processes. Meet regularly with business decision-makers to understand the implications of new initiatives. By building rapport and trust, you can gain a seat at the table to make sure that appropriate safeguards are built into each project right from the beginning. You’ll also get crucial perspective into the tools, workflows and practices that enable the group to drive value, helping you design measures that maintain protection and control without getting in the way of business.

Modernize and mobilize your security policies
Mobility increasingly defines IT—in terms of both the mobile devices people use, and the constant movement of people, devices and data from one place to another. As employees use non-corporate devices, networks and storage systems to meet their needs—whether personally owned, third-party or public—your risk profile rises dramatically. At the same time, they usually have valid reasons for doing so. You can’t just say no; you’ve got to find secure ways to accommodate it.

Make sure your security policies reflect the real world—not some antiseptic, locked-down cybersecurity dream (and employee nightmare). Create clear rules and guidelines to help employees stay safe without losing the freedom and flexibility they’ve come to rely on. Specify convenient yet secure alternatives to consumer-grade technologies. Differentiate between scenarios—what’s safe at Starbucks vs. headquarters, what types of work should be saved for a more secure location—and set up your granular access control policies accordingly.

Enforce policies fairly and consistently
Inconsistent enforcement can doom even the best security policy—and can undermine the credibility of any subsequent policy. You put a lot of thought into creating the right rules and procedures for your business; now make sure they’re enforced the same way every time, for every user, with no exceptions. A sense of fairness will promote employee buy-in. After all, it’s not just a matter of meaning what you say—users have to take it to heart and mean it, too. When security becomes part of your culture, the whole organization becomes safer for the long term no matter what the future brings.

Make it seamless—and automatic
The less you have to rely on human intervention, the more reliable security becomes. This can include everything from conditional access controls that show employees only the apps they’re authorized to use in a given scenario, to business data encryption by default on mobile devices. Open-in controls can prevent email attachments from opening in non-corporate apps. Micro-VPN can ensure security over public wifi. Automated logging and reporting can facilitate compliance and audit readiness. There are many opportunities to make security more seamless and transparent for users, and simpler and more efficient for IT to maintain. As the scale and complexity of the enterprise environment continues to grow, steps like these will be critical to stay one step ahead.

The future of work gets a lot of buzz these days, and rightly so—it gets more exciting by the day. With these best practices, you can make sure it’s also growing more secure by the day.

The post The #Future of #Work Hinges on Making #Cybersecurity Everyone’s #Business appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

State of Small Business Cybersecurity in North America

Source: National Cyber Security – Produced By Gregory Evans

State of Small Business Cybersecurity in North America

Small business owners know they are at risk for cyberattacks, but they are somewhat at a loss as to what to do. That’s one of the findings of a new report from the Better Business Bureau, The State of Small Business Cybersecurity in North America, released today as part of National Cybersecurity Awareness Month. One of the more troubling findings is that half of small businesses reported they could remain profitable for only one month if they lost essential data.

“Profitability is the ultimate test of risk,” said Bill Fanelli, CISSP, chief security officer for the Council of Better Business Bureaus and one of the authors of the report. “It’s alarming to think that half of small businesses could be at that much risk just a short time after a cybersecurity incident.”

“Small business owners get it,” Fanelli continued. “When we asked them about the most common cybersecurity threats – ransomware, phishing, malware – they know what’s out there, and most of them have basic protections in place. For instance, 81% use antivirus software and 76% have firewalls. But one of the most cost-effective prevention tools, employee education, is used by fewer than half of the companies we surveyed. Other prevention measures scored even lower.”

BBB surveyed approximately 1,100 businesses in North America (71.4% of the sample came from the United States, 28.5% from Canada and 0.1% from Mexico). Two-thirds of the participants were BBB Accredited Businesses, and they apparently fared marginally better in most measures, such as awareness of specific threats and adoption of cybersecurity measures. The data was collected in an online survey with a margin of error of approximately +/- 3% for a 95% confidence interval.

The report focuses on cybersecurity effectiveness from three perspectives: a) cybersecurity standards/frameworks; b) best practices; and c) cost-benefit analysis. One of the key findings is that the NIST Cybersecurity Framework, technically a voluntary standard from the National Institute for Standards and Technology, is becoming mandatory in some markets. Not only are many companies requiring it of their vendors for procurement, but many businesses are adopting it because it helps them run a better business. The NIST framework is the basis for BBB’s training program, “5 Steps to Better Business Cybersecurity”

The State of Small Business Cybersecurity emphasizes the need not only for education and training, but for cost-benefit analysis of cybersecurity measures. The report suggests a formula created by two professors at the University of Maryland, Martin P. Loeb, PhD and Lawrence A. Gordon, PhD, to help small business owners estimate their risk from cybersecurity attacks and calculate an appropriate investment in prevention.

“It doesn’t do any good for a small business to adopt a $10,000 solution if the potential risk reduction is only worth $5,000,” said Fanelli. “We hope this report will give small business owners greater awareness of the real and the perceived risks of cyberattacks, as well as best practices for protecting against these types of security threats. We hope it serves as a step forward in advancing cybersecurity in the marketplace.”


The post State of Small Business Cybersecurity in North America appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures