In our weekly Library Card Series we highlight a selection from our resource library to help introduce the content to our industry partners.

In this Library Card Series we’ll take a look at the Cybersecurity & Infrastructure Security Agency’s (CISA) resource titled The Business Case For Security. The resource is intended to help small and mid-sized businesses consider how they can sell the costs for security improvements to senior leaders. It provides statistical data on common physical and cybersecurity challenges, as well as suggestions for first steps and resources to assist organizations in bolstering their security postures. CISA provides facts, statistics, and information demonstrating how being prepared is more cost-effective than fixing a security issue after it happens. According to CISA, 43% of cyberattacks are aimed at small businesses; however, only 14% of small businesses are prepared to defend themselves. Not being prepared for attacks can have catastrophic impacts on small businesses that can find it difficult to fully recover. Types of threats that should be considered when developing a security plan.

Physical Threats:

  • Burglary
  • Theft
  • Vandalism
  • Arson
  • Natural Disaster

Cyber Threats:

  • Ransomware
  • Malware
  • Phishing
  • Hacking
  • Data Breaches

When building an argument for greater security investment, the following statistics may be useful.

Physical Attack Damages:

  • 50% decrease in productivity for an organization
  • 20%-40% employee turnover following a physical incident
  • $500,000 average out of court settlement

Cyber Attack Damages:

  • Only 35% of small to mid size businesses could remain profitable for more than 3 months with essential data lost
  • More than 50% of small to mid size businesses become unprofitable within a month
  • A small to mid size business will likely lose 25% or more of its earnings after a cyber attack

While developing a business case for a more robust security posture, consider the following:

  • Understand the business’ security posture
  • Identify business assets that need to be protected
  • Align security investments to business objectives
  • Determine the right areas for investment
  • Implement a security plan and schedule
  • Prepare the necessary resources

Again, being prepared for an attack, whether it be physical or cyber, will save time and money in the long run. Have a risk plan, educate employees, and take action before a crisis occurs.

For more information, CISA recommends the following resources:

To find more valuable resources covering a wide variety of topics, visit the resource section of our website, and check back to our blog every Tuesday for our Library Card Series where we highlight different resources from the library.