How Should Small Businesses Measure Cybersecurity?
By Dan Fries
How do you know if your business is safe and secure online? Measuring how effective your cybersecurity is can be tricky for small businesses. Cybersecurity firms make use of complex key performance indicators (KPIs) to measure how effective their security tactics are, but building these systems is generally beyond the capabilities of small businesses.
Just as there are some marketing metrics you are probably paying too much attention to, you might be looking at the wrong measurements when it comes to cybersecurity. In this article, we’ll strip back some of the jargon, and give you five KPIs that are easy to measure, and that will keep your focus on what actually matters when it comes to cybersecurity.
Number of incidents
First, the most basic thing you should be measuring is the number of security incidents that your systems experience. In some ways, that would seem like a fairly easy number to measure. Surely you know when your systems have been affected by a hack or a breach, right?
Well, yes and no. If you are the direct victim of a hack, you are certainly going to know about it.
With the rise of SaaS business models, even small companies are using multiple interlinked systems. This means that staying on top of incidents that affect all of them can be difficult.
Luckily, there are tools that can do this for you, and which will automatically alert you if any of your systems – even those that you use infrequently – are vulnerable.
Number of large incidents
Once you’ve collected the raw number of incidents that have affected your systems, you should segment this data into (at least) two types: large and small incidents.
Into the “large” category will go incidents that affected your company directly, or those that have the potential to compromise critical parts of your infrastructure. A commonly overlooked metric is just how many vulnerabilities are reported in backup systems. Since these systems are generally invisible to the average worker during the typical workday, they are not top of the list. As a result, you can easily overlook the need to harden your backup systems.
Into this category will also go the incidents that have (or have the potential to have) the biggest financial impact on your company. These incidents are the most useful to be aware of, especially if you are seeking more funding for cybersecurity.
Number of small incidents
Cybersecurity is an area in which it pays to sweat the small stuff. For that reason, you should also collect data on the number of small security incidents you experience each period. These incidents can be as benign as an attempted (and obvious) email phishing scam that was immediately detected.
Collecting this data will allow you to focus resources on the areas of cybersecurity in which you are most vulnerable. It might be, for instance, that you see a high number of attempted hacks on your office communication software, indicating that you need to secure your internal communications.
In addition, don’t be fooled into thinking that these small incidents do not have an effect on the profitability of your business. As Ludovic Rembert, CISO at community research group Privacy Canada, points out, “many small businesses spend an inordinate amount of resources clearing up after small incidents.”
Because no individual one of these incidents seems to warrant extra spending on security software, the same easily preventable issue can act as a drag on productivity for years.
Cost per incident
The cost of cybersecurity goes way beyond the amount you spend on security software and analysis. Even small hacks can cost your business a significant amount of money, and eat into your profitability. To make matters worse, the incidents that cause the most panic for entrepreneurs are often those that don’t have the largest effects on your bottom line. That’s why assessing the monetary impact of each incident is critical for any small business.
According to CSO, the average cost per compromised record was $221. If you only have one or two compromised records, your business may be in good shape, but the overall cost per incident could be much higher than you anticipated. You should also factor into this calculation the cost of cyber investigation, additional staff, overtime and a messaging campaign to address your customers, and maybe even the public. It’s possible that your communication response could cost more than restoring your data and removing malware from your systems.
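As an added example (not from the article), a small Python script that turns one period's incident records into the KPIs discussed above: the large/small split from the two preceding sections and the full cost per incident, using the $221 per-record figure. The incident records, cost components and field names are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

# Per-record figure quoted in the article (CSO); all other numbers below are constructed.
COST_PER_RECORD = 221

@dataclass
class Incident:
    incident_id: str
    system: str                 # which interlinked system was hit (email, backup, chat, ...)
    records_compromised: int
    hit_directly: bool          # the company itself was the victim
    threatens_critical: bool    # could compromise critical infrastructure, e.g. backups
    investigation_cost: float
    overtime_cost: float
    comms_cost: float           # messaging campaign to customers and/or the public

def is_large(inc: Incident) -> bool:
    """Article's 'large' bucket: direct hits or threats to critical infrastructure."""
    return inc.hit_directly or inc.threatens_critical

def incident_cost(inc: Incident) -> float:
    """Full cost: per-record loss plus investigation, overtime and communications."""
    return (inc.records_compromised * COST_PER_RECORD
            + inc.investigation_cost + inc.overtime_cost + inc.comms_cost)

def kpi_report(incidents: list) -> dict:
    """Compute the article's KPIs over one reporting period."""
    large = [i for i in incidents if is_large(i)]
    total_cost = sum(incident_cost(i) for i in incidents)
    per_system = Counter(i.system for i in incidents)
    return {
        "incidents": len(incidents),
        "large": len(large),
        "small": len(incidents) - len(large),
        "cost_per_incident": total_cost / len(incidents) if incidents else 0.0,
        # the system seeing the most incidents is where to focus hardening effort
        "most_targeted_system": per_system.most_common(1)[0][0] if incidents else None,
    }

# Constructed sample period: three minor detected attempts and one backup compromise.
SAMPLE_PERIOD = [
    Incident("INC-1", "email", 0, False, False, 50, 0, 0),
    Incident("INC-2", "email", 0, False, False, 40, 0, 0),
    Incident("INC-3", "backup", 120, True, True, 2000, 800, 1500),
    Incident("INC-4", "chat", 0, False, False, 30, 0, 0),
]

if __name__ == "__main__":
    print(kpi_report(SAMPLE_PERIOD))
```

Note how a single backup incident with 120 records dominates the period's average even though the other three incidents cost almost nothing, which is the "much higher than you anticipated" effect described above.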
Customer impact
By far, the most important metric to collect is the effect of security incidents on your customers. Ultimately, protecting your customers — and potential customers — is the main goal of your cybersecurity measures.
Customer impact can be difficult to measure because of the domino effects of a hack. For example, business blogs often lose traffic because their web host (or even their marketing software) was hacked. For this reason, many full-time business bloggers recommend Bluehost or other secure hosting solutions, as it saves money down the line. So when measuring this KPI, you should also reach out to your customer base and ask them what impact security breaches have had (or potentially would have) on them or their businesses.
Just as email marketing strategies vary by industry, the assessment of this customer impact will also vary by sector. But don’t be worried that, in reaching out to your customers, you will be pointing out the vulnerability of your own systems. Instead, they are likely to see this outreach as evidence that you are taking cybersecurity seriously.
Once you have a basic system in place, it is fairly easy to expand the number of KPIs you look at and to develop your own measurements that are particularly useful to your business. The key step, in fact, is to begin to collect data on the number and type of security incidents your small business faces.
Armed with this data, you can then begin to plan your counter-measures more effectively. And trust me, cybersecurity is an area in which the old maxim is definitely true: Knowledge is power.