Family-owned businesses are built on hard work, courage and determination. They depend on the energy and enthusiasm of parents, children and extended families to take an idea and plough countless hours of unpaid work to nurture them into a thriving enterprise.
In family-owned businesses, often in order to manage expenses, IT systems are purchased on the basis of lowest cost and are not planned with scale in mind or the expertise needed to maintain the mission critical systems. It’s common that available technical resources are highly proficient in setting up computers and running simple networks but the cyber security skills needed to protect those systems and, more importantly, the business they serve and support are very different. The threat landscape faced now by every Australian business is complex and constantly evolving. Many family-owned and operated- businesses are not equipped with the skills they need to recognise and protect themselves against the risks of a cyber attack.
The boards of family-owned businesses are often rich with deep knowledge and understanding about how their businesses run. In a highly competitive world where disruption in the new normal, this is an incredibly valuable asset. But successful boards of family businesses need more than operational and tactical nous. They need expertise in technology and an understanding of the risks they face. In particular, their boards have a blindspot when it comes to understanding the risks of a cyberattack, what effects an attack can have and how to remedy and recover should a breach occur. For family boards to better manage cyber risk, consider the three following three areas of focus.
1. Bring in expert cyber skills
The best boards in any business are those that bring a balance of relevant skills and valuable perspectives. While there is a lot of strength in having a cohesive board with directors who share a common vision, there is a need for strong diversity and background knowledge.
When looking for new board members, seek experience in how technology can be an enabler for the business. While there may be scepticism in bringing ‘outsiders’ to the board, the diversity of experience and thinking will bring more benefits than problems if you choose the right person.
Look for someone that understands the business you are in and has strong technical skills. You need to see board level technical and cyber security experience as being just as essential as accounting, marketing and management skills.
2. Think about risk more broadly
All businesses know that risk is a given. But, often, that consideration centres on operational and tactical challenges such as new competitors, interrupted supply chains, equipment failures and things that are visible and tangible. Cyber security risks require quite different thinking.
Attackers are typically motivated by money and are looking for easy targets that are likely to pay. This is why ransomware is such a lucrative business model for criminals. As well as thinking about the impact of a broken down truck on deliveries, consider what would happen if your point of sale systems were locked up or all your customer data was exfiltrated with the threat of it becoming public if you don’t pay.
This is a very real threat many family-run businesses have faced over the last year or so. When you start to think about risk in financial and operational terms, you can start to put appropriate mitigation strategies in place.
3. Invest intelligently in enabling technology
As the board of a family-owned business, you may not need everyone to understand how all the technology works. But you need to ensure you have the skills to make smart decisions about technology.
That means investing in technology that has baked-in security. For example, rather than relying on a server sitting in the office running a 15-year-old operating system, invest in services and software that are built with rigorous security to protect your data. An investment like this can not only boost security but improve customer service.
Family-run businesses that underinvest in technology and don’t acknowledge that cyber security is an existential threat can face dire consequences. As well as better protecting your business and customer data, it will ensure better reliability and business continuity. But it requires a strategic focus on technology investment and skills, at the board as well as operational levels, to ensure you make sound decisions that help the business to thrive in a changing environment.
This article was co-authored by my co-founder at The Secure Board, Claire Pales
