
Li 1

Allison Li

Mrs. Sasser

IR-3 /11 AP/ 23

27 March 2019

Modern Society: The Growing Need of Cybersecurity

“As information technology has advanced, so has the threat of security problems for the small business owner” (Burstein 3). Over 76% of all cyber attacks affect companies with fewer than 100 employees. However, the main issue is that roughly 50% of these companies believe that they are too small or insignificant to be noticed by mainstream hackers. While companies have been spending their budgets on technology that will increase their profit, the advanced computers and other machinery that hackers have purchased have already become more than capable of bypassing a company’s old security system (Columbus 3). Additionally, modern cybersecurity companies have started to design and manufacture their systems around the needs of larger companies simply because larger companies have more money than smaller ones. Small companies are unaware of the huge amount of risk that they face. When combined with the widespread growth of technology that has become increasingly favorable to hackers, these companies could lose thousands of dollars without the proper defense. Implementing a real-time risk management system and raising awareness among employees would provide small business owners with a way to determine their risk tolerance and improve their companies’ overall security.

Issues involving cybersecurity first became prevalent in 1988. Technology was becoming increasingly advanced and people were becoming more reliant on technology to complete their daily tasks. New computer systems were being released every year by various companies, and technology quickly spread all over the market (Wright 2). People quickly became attached to these pieces of tech and now, in modern society, most individuals are so dependent that they cannot go a full day without checking their phones. Simultaneously, hackers have begun using these technological advances to their advantage. Since hackers usually work alone or in small groups, it is much easier for them to get hold of new technology before companies are able to upgrade their entire system and the interconnected desktops. Hackers can use this time to discover the weaknesses in new security systems, making it easier for them to infiltrate companies employing those systems.

Ever since its major outbreak, technology has been growing consistently at an exponential rate. With this growth, it is becoming increasingly difficult for companies to keep up to date with the technology, which has led to a rise in cybercrime and antivirus software. The costs of these technologies are already extremely high, and companies simply do not have the resources to afford the newly released technology to defend themselves from threat actors. Additionally, companies themselves do not take the initiative to fully equip their employees with the proper technology because they do not see it as beneficial or necessary. Utilizing a company’s IT support system is certainly beneficial, but it is not enough, by itself, to protect the company from modern threats (Ten “Cybersecurity for Critical Infrastructures” 13). The combination of these two factors allows threat actors (hackers) to more easily penetrate a company’s security system and gain access to its data systems. A study conducted by the Cyberspace Safety and Security (CSS) discovered that by 2013, there were approximately 30 million security breaches, a 12.8% annualized growth since 2011 (Nurse 7).



A “small company” is usually classified as one that has fewer than 200 employees. Since threat actors could earn more profit from infiltrating large companies, SMBs (small-medium businesses) believe that they are not at risk, which is simply not the case. Because of this belief, research results showed a moderate level of security awareness (60-70%) and a rather low level of implementation (34-45%) for the simplest of all technology levels (Goolsby 8). Even though some companies are aware of the fact that they face increasing amounts of risk, they fail to implement systems and even the simplest technology to defend against these risks. Not only do SMBs fail to act on the amount of risk that they face, but they also lack the attention to cybersecurity that is needed for a company to function properly. Approximately 50% of businesses reported no attack-related downtime when surveyed in 1988 (Sreedhar 5). In other words, 50% of businesses do not spend any time focusing on the potential attacks that their companies could face and how to better their security systems, on top of simply not implementing any security software.

The size of security systems is another issue that SMBs face with society’s current state of cybersecurity. Existing cybersecurity systems are too complex, too large, and too expensive for small companies to implement, as they are mainly designed for larger companies. Companies that create these systems tend to gear their software toward larger companies because of the substantial profit that they would receive. 50% of organizations that were polled in 2006 have annual IT budgets of $5,000 or less, and 50% of those have security budgets of less than $1,000 (Stevens 7). Most SMBs are on the lower end of this spectrum due to the amount of business and income they receive. Unfortunately, network security software at the cheaper end costs around $1,400, meaning that even if SMBs manage to pay for it, covering the cost will be a serious strain. However, without cybersecurity solutions, a large company could risk up to $4.43 million in breach costs (Creery 1). When considering the costs an SMB could risk in comparison to large companies, they most likely risk up to $2,000 per infiltration. In addition, it is not only the cost of a possible infiltration that should be considered when discussing the necessity of network security software for a company. SMBs must be aware of the impact that the after-effects of an infiltration can have on their business. It has been found that 60% of small companies go out of business within just 6 months of a cyber attack (Koulopoulos 5). In order to prevent this from occurring, small business owners must begin to take more drastic measures in protecting their companies. This is very difficult when security systems are so expensive, but one way that they can overcome this is by implementing real-time risk management systems and employing white-hat hackers.

A real-time management system is security software that constantly updates itself in order to have “real-time” tracking of the level of risk that a company faces at any given time. In comparison to other security software, real-time risk management systems provide a company with the ability to accurately measure the amount of risk that it faces rather than simply acting as a detector of risk (Delgado 14). Companies will be more successful in defending against infiltrations if the amount of risk that they face, as well as their security software’s most vulnerable areas, are already known. If companies apply the correct controls to the right assets and implement them effectively relative to the level of threat, then the organisation will be able to defend itself against the threat (Dunn 5). Real-time risk management systems may be difficult to implement due to their complexity, but their costs are significantly lower compared to normal network security systems. Additionally, by utilizing real-time management systems, companies are able to determine their risk tolerance: the maximum strength of an infiltration that a company’s software system can endure before failing. Only by understanding and measuring their status can companies manage their cyber risks and, given the very high threat that hackers pose to small companies, managing cyber risks is an absolute necessity.

Most real-time risk management systems utilize metrics, a metric being a standard measure of the degree to which a software system or process possesses some property. Metrics are employed in companies for many different reasons: measuring software performance, planning work items, measuring productivity, and many others. There are certain metrics that are utilized in real-time risk management systems in order to help them properly assess the amount of risk that a company is facing (Ezrati 2). These metrics measure the patch status of security software and provide insight into the state of patching on a specific device, as well as supporting reporting on affected assets. This reporting will help indicate certain areas of weak system performance to companies in order to help them better understand their vulnerabilities and what needs to be improved (Jang-Jaccard 9). Metrics can not only point out the weaknesses in a security system’s network, but they can also help companies keep track of all the issues that have occurred with the system before. A real-time management system must be constantly updated in order to maintain a real-time view of cyber security risk status, and companies need to be able to update and read risk measurements whenever relevant changes occur.
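As an added illustration (not part of the original essay or of any product it cites), the sketch below computes a patch-status metric per device, reports the assets affected by a missing patch, and recomputes on every change so the reading stays current. The asset names, patch IDs and severity weights are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample data: patch IDs and severities are made up for illustration.
REQUIRED = {"PATCH-001": "critical", "PATCH-002": "high", "PATCH-003": "low"}
WEIGHT = {"critical": 5, "high": 3, "low": 1}  # assumed weighting, not from the essay

@dataclass
class Asset:
    name: str
    installed: set = field(default_factory=set)

    def missing(self):
        return sorted(set(REQUIRED) - self.installed)

    def patch_coverage(self):
        """Severity-weighted share of required patches installed (0.0 to 1.0)."""
        total = sum(WEIGHT[sev] for sev in REQUIRED.values())
        have = sum(WEIGHT[REQUIRED[p]] for p in self.installed if p in REQUIRED)
        return have / total

class PatchStatusBoard:
    """Recomputes the metric on each change event instead of on a manual refresh."""
    def __init__(self, assets):
        self.assets = {a.name: a for a in assets}
        self.history = []  # past readings, to keep track of earlier issues

    def record_install(self, asset_name, patch_id):
        self.assets[asset_name].installed.add(patch_id)
        self.history.append((asset_name, patch_id, self.fleet_coverage()))

    def affected_assets(self, patch_id):
        return sorted(n for n, a in self.assets.items() if patch_id in a.missing())

    def fleet_coverage(self):
        scores = [a.patch_coverage() for a in self.assets.values()]
        return round(sum(scores) / len(scores), 3)

def demo():
    board = PatchStatusBoard([
        Asset("front-desk-pc", {"PATCH-001", "PATCH-002", "PATCH-003"}),
        Asset("pos-terminal", {"PATCH-003"}),
        Asset("file-server", {"PATCH-001"}),
    ])
    before = board.fleet_coverage()
    affected = board.affected_assets("PATCH-001")
    board.record_install("pos-terminal", "PATCH-001")  # a relevant change occurs
    return before, affected, board.fleet_coverage(), board.affected_assets("PATCH-001")

if __name__ == "__main__":
    print(demo())
```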

In order to further secure their company, there are certain steps that employees can take as well as measures that owners can implement. Human error is the leading cause of company infiltration, and threat actors are becoming increasingly dependent on it (Meghji 11). Nowadays, most infiltrations are caused by employees ignoring mainstream advice about avoiding suspicious links and maintaining secure passwords. In a study conducted by Thomas Morris, it was found that “66% of SMB employees and 44% of leaders connect to public Wi-Fi to do work, 62 percent of employees and 44% of leaders use their work computers to access personal social media accounts” (Morris 14). Public Wi-Fi is a very simple method that is utilized by threat actors in order to penetrate a device, as it establishes a connection between said device and a public server that can be accessed by anyone. After accomplishing this, when the device is then reconnected to company Wi-Fi, the hacker can easily bypass the security system and gain unauthorized access to data. Companies should place educating their employees on the basics of cybersecurity at a higher priority because of the increasing number of infiltrations that are occurring due to employee error.

69% of employees and 76% of leaders do not protect their work email with multi-factor authentication (Ten “Anomaly Detection for Cybersecurity of the Substations” 4). Multi-factor authentication is an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence to an authentication mechanism: knowledge, possession, and inherence. When multi-factor authentication is not implemented by company employees and, more importantly, company leaders, it places the entire company at risk. Without multi-factor authentication, it becomes significantly easier for threat actors to infiltrate a system (Penkala 2). Hackers will no longer need to spend strenuous amounts of time utilizing various applications in order to bypass multiple authentication tests and instead will most likely only need to decode a passcode, which poses a huge risk for companies. It takes a mere 10 minutes for an individual to successfully set up multiple factors of authentication for both personal devices and work devices, but it would make a strong impact on the security of the company. Additionally, companies should limit the number of people who have special access to certain sensitive data and closely monitor those people who have access to the data. There have been many known instances where hackers were able to bribe an employee and persuade them into assisting threat actors and providing them with access to sensitive data.

Computer security is a growing problem for all businesses and, according to many of the studies that were analyzed, hackers are clearly doing a better job of infiltrating systems than small companies are at defending against them. While implementing real-time risk management systems is not the only solution to the ongoing issues that small companies are facing, utilizing them is certainly the most ideal way for companies to resolve those issues. Real-time management systems are not only easier to employ in a company, but they are also more beneficial. They can provide a constantly updated measure of risk rather than an indicator of risk that needs to be constantly manually refreshed. Additionally, companies must take the necessary precautions and put more effort into providing their employees with the information necessary to ensure that no company infiltrations occur due to a simple human error such as clicking a mysterious link or opening a certain email. Small businesses need to start taking action and begin implementing real-time risk management systems in order to prevent an infiltration from crashing their business. Additionally, owners must begin taking extra measures by enforcing new training procedures for employees to reduce the risk of human error. If all of these steps are implemented properly, the company’s risk for malware will become practically non-existent.

Works Cited

Burstein, Aaron J. Conducting Cybersecurity Research Legally and Ethically. p. 8. Accessed on 22 Dec. 2018.

Carin, Lawrence, et al. Quantitative Evaluation of Risk for Investment Efficient Strategies in Cybersecurity: The QuERIES Methodology. 2007, p. 18.

Columbus, Brian B. “Investing in a Centralized Cybersecurity Infrastructure: Why ‘Hacktivism’ Can and Should Influence Cybersecurity Reform.” Boston University Law Review, vol. 92, p. 49.

Creery, A., and E. J. Byres. “Industrial Cybersecurity for Power System and Scada Networks.” Record of Conference Papers Industry Applications Society 52nd Annual Petroleum and Chemical Industry Conference, IEEE, 2005, pp. 303–09, doi:10.1109/PCICON.2005.1524567.

Delgado, Rick. “A Hacker’s Perspective on Cyber Security.” The State of Security, 5 Apr. 2017. Accessed 20 Nov. 2018.

Dunn Cavelty, Myriam. “Cybersecurity Research Meets Science and Technology Studies.” Politics and Governance, vol. 6, no. 2, June 2018, p. 22, doi:10.17645/pag.v6i2.1385.

Ezrati, Milton. “Cybersecurity: A Major Concern And A Great Business Opportunity.” Forbes, 5 Sept. 2018. Accessed 13 Sept. 2018.

Goolsby, Rebecca. On Cybersecurity, Crowdsourcing, and Social Cyber-Attack. p. 9. Accessed 10 Jan. 2019.

Gordon, Lawrence A., et al. “Investing in Cybersecurity: Insights from the Gordon-Loeb Model.” Journal of Information Security, vol. 07, no. 02, 2016, pp. 49–59, doi:10.4236/jis.2016.72004.

Jang-Jaccard, Julian, and Surya Nepal. “A Survey of Emerging Threats in Cybersecurity.” Journal of Computer and System Sciences, vol. 80, no. 5, Aug. 2014, pp. 973–93, doi:10.1016/j.jcss.2014.02.005.

Koulopoulos, Thomas. “60 Percent of Companies Fail in 6 Months Because of Cyber Attacks.” Inc.Com, 11 May 2017.

Meghji, Sultan. “Will People Start Taking Cybersecurity Seriously In 2018?” Forbes, 3 Aug. 2018. Accessed 9 Oct. 2018.

Morris, Thomas H., et al. “A Testbed for SCADA Control System Cybersecurity Research and Pedagogy.” CSIIRW, 2011, doi:10.1145/2179298.2179327.

Nurse, Jason R. C., et al. “Guidelines for Usable Cybersecurity: Past and Present.” 2011 Third International Workshop on Cyberspace Safety and Security (CSS), IEEE, 2011, pp. 21–26, doi:10.1109/CSS.2011.6058566.

Parker, Bob. “The History of Cyber Security — Everything You Ever Wanted to Know.” SentinelOne, 10 Mar. 2018. Accessed 15 Nov. 2018.

Penkala, Ross. “13 Cybersecurity Training Tips For Employees (From 7 Insiders).” BitSight, 12 Jan. 2017. Accessed 10 Oct. 2018.

Sreedhar, Suhas. “Three Effective Approaches To Corporate Security.” Forbes, 9 April 2014. Accessed 29 Sept. 2018.

Stevens, Melissa. “Cybersecurity Risk: A Thorough Definition.” BitSight, 10 Jan. 2017. Accessed 6 Oct. 2018.

Ten, Chee-Wooi, et al. “Anomaly Detection for Cybersecurity of the Substations.” IEEE Transactions on Smart Grid, vol. 2, no. 4, 2011, pp. 865–73, doi:10.1109/TSG.2011.2159406.

Ten, Chee-Wooi, et al. “Cybersecurity for Critical Infrastructures: Attack and Defense Modeling.” IEEE Transactions on Systems, Man, and Cybernetics, Part A: Systems and Humans, 2010, pp. 853–865.

Wright, A. “Small Companies Targeted.” Communications of the ACM, vol. 54, no. 9, Association for Computing Machinery, 2011, p. 15.
