For business owners, it’s a wise decision to put internal and external controls in place that help monitor your cyber security. For small business owners especially, hackers expect loopholes or flaws in your technology environment. Owners who underestimate the importance of cyber security have a huge target on their backs. They are sitting ducks for an experienced hacker. Hackers aim to either make money or prove a point. They do this by stealing your company’s data to sell to others, interrupting your day to decrease your company’s profitability, holding your files hostage for ransom, or even taking over your systems and web platforms for their own free use.


As an owner, it is imperative that you know who is in control of your information internally. When your employees are left responsible for managing your company, it’s crucial to know who has access to secure information, such as your company’s intellectual property, customer lists, customers’ sensitive information, and your own financial and accounting records. Extensive background checks help identify which employees are genuinely suited to higher-power positions that are granted access to your most precious information. Otherwise, your confidential information is in the hands of a high-risk employee. These external and internal threats are reasons why every business owner needs to be planning for the “when” and not the “if” of security breaches.


Cyber security management is essential for all businesses, and if your business is planning for “when” something happens, the controls you have in place will generate better results than if you plan for the “if.” First, you must identify who will be in charge of security for your organization. While most small businesses do not have a full-time person dedicated to this, all should have a person who is willing and able to take responsibility for both preventative and reactive measures when it comes to protecting technology systems and valuable data. This person may act as the point of contact to a technology partner, or they may deploy some of the preventative measures themselves. Once you have detailed who in your organization is responsible for security measures, you may want to consider external response and investigation teams. You will likely need one point of contact within your business managing your security, and one external associate or team of associates to help respond and investigate.


This idea of having a point person for your business is a trending topic in cyber security circles. Cyber security analysts and managers call it a model of convergence. Roland Cloutier, ADP’s Chief Security Officer, essentially created convergence, a security leadership model that focuses on having a single security executive responsible for all operating functions around security risk and privacy programs.

This is not a complicated approach to security leadership; it will actually clear up many problems within a business.

  • Convergence enables faster decision making and improves incident response time.
    • The decision-making model can become very confusing within a business that consists of multiple executives. Deciding who is actually responsible for making the decision, and the time it takes to reach that decision, create lag time that leaves room for error and miscommunication. Due to rapid changes, businesses need to facilitate a rapid response. Fraud or any other type of cyber incident can happen at any time, and speed is of the essence when there is a breach in security. Being able to make affirmative decisions with the information given and being able to act quickly is imperative, and that is hard to do when there are multiple levels of management.
  • Convergence creates transparency and cost management as well as centralized visibility into all security, privacy, and risk-related processes.
    • It’s better financially and creates a better understanding for the executives who run the business when companies have identified their converged security model. For large companies, convergence creates transparency by combining critical technology human resources into a single team centered around privacy, security, and threat response. In smaller companies without an in-house technology department, the aim is still to have transparency in your security model and identify who you will go to in the event of a cyber-attack.


When an event occurs that indicates a cyber security breach is present, large companies must know who to turn to internally, and small and medium-sized companies must know who to turn to externally. If you are a small or medium-sized business ready to take the next step in your security model, you should begin by doing the following:

  • Determine who is responsible for cyber security internally
  • Interview and retain a managed services partner for prevention, data recovery, and threat response
  • Talk to your legal team about your exposure if you lose data
  • Discuss cyber security insurance policies with your business insurance agency
  • Contact a private investigations company like Barefoot Private Investigations to begin a background check and/or computer forensics services