Allison Li
Mrs. Sasser
27 March 2019
“As information technology has advanced, so has the threat of security problems for the
small business owner” (Burstein 3). Over 76% of all cyber attacks affect companies with fewer
than 100 employees. However, the main issue is that roughly 50% of these companies believe
that they are too small or insignificant to be noticed by mainstream hackers. While companies
have been spending their budget on technology that will increase their profit, the advanced
computers and other machinery that hackers have purchased have already become more than
capable of bypassing a company’s old security system (Columbus 3). Additionally, modern
cybersecurity companies have started to design and manufacture their systems around the needs
of larger companies simply because larger companies obtain more money in comparison to
smaller ones. Small companies are unaware of the huge amounts of risk that they face. When
combined with the widespread growth of technology that has become increasingly in favor of
hackers, these companies could lose thousands of dollars without the proper defense. Companies
employees would provide small business owners with a way to determine their risk
Issues involving cybersecurity first became prevalent in 1988. Technology was becoming
increasingly advanced and people were becoming more reliant on technology to complete their
daily tasks. New computer systems were being released every year from various companies and
technology quickly spread all over the market (Wright 2). People quickly became attached to
these pieces of tech and now, in modern society, most individuals are so dependent that they
cannot go a full day without checking their phones. Simultaneously, hackers have begun using
these technological advances to their advantage. Since hackers usually work alone or in small
groups, it is much easier for them to get ahold of new technology before companies are able to
upgrade their entire system and the interconnected desktops. Hackers can utilize this time and
discover the weaknesses in new security systems, making it easier for them to infiltrate
Ever since its major outbreak, technology has been consistently growing at an exponential
rate. With this growth, it is becoming increasingly difficult for companies to remain constantly
updated with the technology, which has led to a rise in cybercrime and antivirus software. The costs of
these technologies are already extremely high, and companies simply do not have the resources
to afford the newly released technology to defend themselves from threat actors. Additionally,
companies themselves do not take the initiative to fully equip their employees with the proper
support system is certainly beneficial, but it is not enough – by itself – to protect the company
from modern threats (Ten “Cybersecurity for Critical Infrastructures” 13). The combination of
these two factors allows threat actors (hackers) to more easily penetrate a company’s security
system and gain access to their data systems. A study conducted by the Cyberspace Safety and
Security (CSS) discovered that by 2013, there were approximately 30 million security breaches,
A “small company” is usually classified as one that has fewer than 200 employees. Since
threat actors could earn more profit from infiltrating large companies, SMBs (small-medium
businesses) believe that they are not at risk, which is simply not the case. But because of this
belief, results of their research showed a moderate level of security awareness (60-70%) and a
rather low level of implementation (34-45%) for the simplest of all technology levels (Goolsby
8). Even though some companies are aware of the fact that they face increasing amounts of risk,
they fail to implement systems and even the simplest technology to defend against these
risks. Not only do SMBs fail to act on the amount of risk that they face, but they also lack the
(Sreedhar 5). In other words, 50% of businesses do not spend any time focusing on the potential
attacks that their companies could face and how to better their security systems on top of simply
The size of security systems is another issue that SMBs face with society’s current
status of cybersecurity. Existing cybersecurity systems are too complex, too large, and too
expensive for small companies to implement as they are mainly designed for larger companies.
Companies that create these systems tend to gear their software towards larger companies
because of the substantial profit that they would receive. 50% of organizations that were polled
in 2006 have annual IT budgets of $5,000 or less, and 50% of those have security budgets of less
than $1,000 (Stevens 7). Most SMBs are on the lower end of this spectrum due to the amount of
business and income they receive. Unfortunately, the cheaper end of the network security
software costs around $1,400, meaning that if SMBs manage to pay this cost, it will be very
strenuous to cover those costs. However, without cybersecurity solutions, a large company could
risk up to $4.43 million in breach costs (Creery 1). When considering the costs an SMB could risk
in comparison to large companies, they most likely risk up to $2,000 per infiltration. In addition,
it is not only the cost of a possible infiltration that should be considered when discussing the
necessity of network security software for a company. SMBs must be aware of the impacts that
the after-effects of an infiltration can have on their business. It has been found that 60% of small
companies go out of business within just 6 months of a cyber attack (Koulopoulos 5). In order to
prevent this from occurring, small business owners must begin to take more drastic measures in
protecting their company. This is very difficult when security systems are so expensive,
but one way that they can overcome this is by implementing real-time risk management systems
order to have “real-time” tracking of the level of risk that a company faces at any given time. In
comparison to other security software, real-time risk management systems provide a company
with the ability to accurately measure the amount of risk that they face rather than simply acting as a
detector of risk (Delgado 14). Companies will be more successful in defending against
infiltrations if the amount of risk that they face as well as their security software’s most
vulnerable areas are already known. If companies are able to apply the correct controls to the
right assets and implement them effectively relative to the level of threat,
then the organisation will be able to defend itself against the threat (Dunn 5). Real-time risk
management systems may be difficult to implement due to their complexity, but their costs are
real-time management systems, companies are able to determine their risk tolerance: the
maximum strength of an infiltration that a company’s software system can endure before
failing. Only by understanding and measuring their status can companies manage their cyber
risks and, given the very high threat that hackers pose to small companies, managing cyber risks
is an absolute necessity.
degree to which a software system or process possesses some property. Metrics are employed in
companies for multiple different reasons: measuring software performance, planning work items,
measuring productivity, and many others. There are certain metrics that are utilized in real-time
risk management systems in order to help them properly assess the amount of risk that a company
is facing (Ezrati 2). These metrics measure the patch status of security software and provide
insight into the state of patching on a specific device as well as providing metrics for reporting
on affected assets. This reporting will help indicate certain areas of weak system performance to
companies in order to help them better understand their vulnerabilities and what needs to be
improved (Jang-Jaccard 9). Metrics can not only point out the weaknesses in a security system’s
network, but they can also help companies keep track of all the issues that have occurred with the
system before. A real-time management system must be constantly updated in order to maintain
a real-time view of cyber security risk status and companies need to be able to update and read
In order to further secure their company, there are certain steps that employees can take
as well as measures that owners can implement. Human error is the leading cause of company
infiltration and threat actors are becoming increasingly dependent on it (Meghji 11). Nowadays,
most infiltrations are caused by employees ignoring mainstream advice around avoiding clicking
on suspicious links and maintaining secure passwords. In a study conducted by Thomas Morris,
it was found that “66% of SMB employees and 44% of leaders connect to public Wi-Fi to do
work, 62 percent of employees and 44% of leaders use their work computers to access personal
social media accounts” (Morris 14). Public Wi-Fi is a very simple method that is utilized by
threat actors in order to penetrate a device, as it establishes a connection between said device
and a public server that can be accessed by anyone. After accomplishing this, when the device is
then reconnected to company Wi-Fi, the hacker can easily bypass the security system and gain
access to unauthorized data. Companies should place educating their employees on the basics of
cybersecurity at a higher priority because of the increasing number of infiltrations that are
69% of employees and 76% of leaders do not protect their work email with multi-factor
authentication (Ten “Anomaly Detection for Cybersecurity of the Substations” 4). Multi-factor
authentication is an authentication method in which a computer user is granted access only after
company employees, and more importantly, company leaders, it places the entire company at
risk. Without multi-factor authentication, it becomes significantly easier for threat actors to
infiltrate a system (Penkala 2). Hackers will no longer need to spend strenuous amounts of time
utilizing various applications in order to bypass multiple authentication tests and instead will
most likely only need to decode a passcode, which poses a huge risk for companies. It takes a
mere 10 minutes for an individual to successfully set up multiple factors of authentication for
both personal devices and work devices, but it would make a strong impact on the security of the
company. Additionally, companies should limit the number of people who have special access to
certain sensitive data and closely monitor those people who have access to the data. There
have been many known instances where hackers were able to bribe an employee and persuade
them into assisting threat actors and providing them with access to sensitive data.
Computer security is a growing problem for all businesses and according to many of the
studies that were analyzed, hackers are clearly doing a better job of infiltrating systems than
small companies are at defending against them. While implementing real-time risk management
systems is not the only solution to the ongoing issues that small companies are facing, utilizing
them is certainly the most ideal way for companies to resolve those issues. Real-time
management systems are not only easier to employ in a company, but they are also more
beneficial. They can provide a constantly updated measure of risk rather than an indicator of risk
that needs to be constantly manually refreshed. Additionally, companies must take the necessary
precautions and put more effort into providing their employees with the information necessary to
ensure that no company infiltrations occur due to a simple human error such as clicking a
mysterious link or opening a certain email. Small business companies need to start taking action
and begin implementing real-time risk management systems in order to prevent an infiltration
from crashing their business. Additionally, owners must begin taking extra measures by
enforcing new training procedures for employees to reduce the risk of human error. If all of these
steps are implemented properly, the company’s risk for malware will become practically
non-existent.
Works Cited
Carin, Lawrence, et al. Quantitative Evaluation of Risk for Investment Efficient Strategies in
Cybersecurity: The QuERIES Methodology. 2007, p. 18.
Creery, A., and E. J. Byres. “Industrial Cybersecurity for Power System and Scada Networks.”
Record of Conference Papers Industry Applications Society 52nd Annual Petroleum and
Chemical Industry Conference, IEEE, 2005, pp. 303–09,
doi:10.1109/PCICON.2005.1524567.
Delgado, Rick. “A Hacker’s Perspective on Cyber Security.” The State of Security, 5 Apr.
2017. Accessed 20 Nov. 2018.
Dunn Cavelty, Myriam. “Cybersecurity Research Meets Science and Technology Studies.”
Politics and Governance, vol. 6, no. 2, June 2018, p. 22, doi:10.17645/pag.v6i2.1385.
Gordon, Lawrence A., et al. “Investing in Cybersecurity: Insights from the Gordon-Loeb
Model.” Journal of Information Security, vol. 07, no. 02, 2016, pp. 49–59,
doi:10.4236/jis.2016.72004.
Koulopoulos, Thomas. “60 Percent of Companies Fail in 6 Months Because of Cyber Attacks.”
Inc.Com, 11 May 2017.
Meghji, Sultan. “Will People Start Taking Cybersecurity Seriously In 2018?” Forbes, 3 Aug.
2018. Accessed 9 Oct. 2018.
Morris, Thomas H., et al. “A Testbed for SCADA Control System Cybersecurity Research
and Pedagogy.” CSIIRW, 2011, doi:10.1145/2179298.2179327.
Nurse, Jason R. C., et al. “Guidelines for Usable Cybersecurity: Past and Present.” 2011
Third International Workshop on Cyberspace Safety and Security (CSS), IEEE, 2011, pp.
21–26, doi:10.1109/CSS.2011.6058566.
Parker, Bob. “The History of Cyber Security — Everything You Ever Wanted to Know.”
SentinelOne, 10 Mar. 2018. Accessed 15 Nov. 2018.
Penkala, Ross. “13 Cybersecurity Training Tips For Employees (From 7 Insiders).” BitSight, 12
Jan. 2017. Accessed 10 Oct. 2018.
Sreedhar, Suhas. “Three Effective Approaches To Corporate Security.” Forbes, 9 April 2014.
Accessed 29 Sept. 2018.
Ten, Chee-Wooi, et al. “Anomaly Detection for Cybersecurity of the Substations.” IEEE
Transactions on Smart Grid, vol. 2, no. 4, 2011, pp. 865–73,
doi:10.1109/TSG.2011.2159406.
Ten, Chee-Wooi, et al. “Cybersecurity for Critical Infrastructures: Attack and Defense
Modeling.” IEEE Transactions on Systems, Man, and Cybernetics, Part A: Systems and
Humans, 2010, pp. 853–865.