The State Of Cybersecurity Among Small Businesses In North America

BBB: Start with Trust

bbb.org/stateofcybersecurity

Executive Summary

Cybercrime is growing rapidly with annual costs to the global economy estimated to reach over US$2 trillion by 2019.[1] Organizations of all sizes are at risk of cyber-attacks. Small businesses represent more than 97% of total businesses in North America and make up an essential part of the supply chain to some of the largest businesses, many of which are in critical infrastructure sectors, from financial and transportation organizations to power, water and healthcare suppliers.[2,3] For this reason, small businesses have a unique role in the cybersecurity ecosystem, and overall national security strategies, since they are also targeted by cybercriminals as gateways into larger corporations.[4,5] Clearly, cybersecurity threats to small businesses are of great concern not just to small business owners but to the economy at large.

In keeping with its mission to advance marketplace trust for all, the Better Business Bureaus (BBB) began ongoing research on the topic with this pilot report on The State of Cybersecurity Among Small Businesses in North America. Among other discoveries, BBB found that small business owners are aware of cyber-threats, concerned about the risks, taking some proactive security actions, and willing to act and invest more in cybersecurity if clear instruction and an approach customized to their size and type of business are available.

Today’s cyber-criminals are increasingly sophisticated and pose more significant threats to the economy than ever before. In order to protect businesses both small and large, additional safeguards are needed. Cybersecurity is a complex topic and our findings suggest that additional education and awareness efforts focused on smaller businesses are necessary and would contribute to advancing cybersecurity practices in this market segment. There is definitely still much that can be done to educate, support and encourage small businesses to be more cyber-secure, to dispel inaccurate understandings of potential cybersecurity impacts, and to help make cybersecurity a top priority for smaller organizations.

It is time to focus on comprehensive cybersecurity solutions that are customized for the needs and constraints of smaller businesses. BBB’s 5 Steps to Better Business Cybersecurity – based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework – is a good first step for small business owners to see how cybersecurity can work for their businesses.[6]

This report aims to educate and bring awareness to the topic of cybersecurity by exploring the real and perceived risks of cyber-attacks to small businesses, as well as best practices for protecting against these types of security threats. We hope it is a step forward in advancing cybersecurity in the marketplace.

[1] http://www.forbes.com/sites/stevemorgan/2016/01/17/cyber-crime-costs-projected-to-reach-2-trillion-by-2019/#63bf0af73bb0
[2] https://www.ic.gc.ca/eic/site/061.nsf/eng/03021.html
[3] https://www.sba.gov/advocacy/firm-size-data
[4] https://www.sec.gov/news/statement/cybersecurity-challenges-for-small-midsize-businesses.html
[5] http://www.pwc.com/gx/en/consulting-services/information-security-survey/assets/the-global-state-of-information-security-survey-2015.pdf
[6] https://www.bbb.org/council/for-businesses/cybersecurity/the-5-step-approach

Introduction

In a world increasingly dependent on digital technology, and with supply chains becoming more interconnected and malevolent actors more sophisticated, cybersecurity has become a critical management issue.[7,8] The estimated annual cost of cyber-attacks for businesses is more than US$400 billion globally, which includes direct damage costs plus post-attack disruption to the normal course of business.[9,10] This annual cost is projected to reach over US$2 trillion by 2019.[9,11] In 2015, 43 percent of all attacks were directed at small businesses.[12] Despite the steady increase in attacks targeting businesses with fewer than 250 employees, however, 77 percent of small business owners believe their company is not at risk for cyber-threats such as viruses, malware, hackers or a cybersecurity breach.[13,14]

In keeping with the Better Business Bureaus’ (BBB) mission to advance marketplace trust for all, the idea behind The State of Cybersecurity Among Small Businesses in North America was born. In September 2016, the BBB began ongoing research with a poll of 2,000 consumers and a survey of more than 1,500 businesses in the U.S. and Canada. The goals of this research were to collect information on the state of cybersecurity among small businesses, understand cybersecurity risks and practices, and uncover the roadblocks faced by smaller businesses that could lead to better cybersecurity practices. The primary objectives of this report are to advise our community of trusted businesses and the marketplace at large, dispel common misperceptions, show that cybersecurity could eventually become a driver for consumers’ purchasing decisions, and inform cybersecurity education, research and awareness efforts.

[7] http://www.mckinsey.com/business-functions/business-technology/our-insights/meeting-the-cybersecurity-challenge
[8] http://news.stanford.edu/features/cybersecurity/
[9] http://www.forbes.com/sites/stevemorgan/2016/01/17/cyber-crime-costs-projected-to-reach-2-trillion-by-2019/#63bf0af73bb0
[10] http://www.mcafee.com/us/resources/reports/rp-economic-impact-cybercrime2.pdf
[11] http://www.juniperresearch.com/press/press-releases/cybercrime-cost-businesses-over-2trillion
[12] https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf
[13] https://staysafeonline.org/about-us/news/new-survey-shows-us-small-business-owners-not-concerned-about-cybersecurity
[14] https://www.sec.gov/news/statement/cybersecurity-challenges-for-small-midsize-businesses.html

Cybersecurity Awareness, Understanding & Practices

Cybersecurity – the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access – is a popular topic in government and corporate circles, and is a growing concern for smaller businesses. In 2010, Canada developed and published a national cybersecurity strategy for meeting and mitigating cyber-threats, the first element in a series of initiatives to protect the digital infrastructure.[15] In 2015, the U.S. government identified cybersecurity as “one of the most serious economic and national security challenges we face as a nation.”[16] Not surprisingly, in the BBB’s study, more than 80 percent of small businesses were aware of cyber-threats (e.g., phishing, ransomware, malware, credit card skimmers and website compromise) and the potential business impacts of cyber-attacks (e.g., unauthorized cash transfer, data breach and damage to reputation).

The businesses surveyed were also quite clear on how they would react if data was stolen from them, with 8 out of 10 stating they would notify those affected (Figure 1), a very responsible and ethical approach. The smaller the business (as measured by the number of full time employees), the more likely it is to call the BBB for help in the event of a cyber-attack. The larger the business, the more likely it is to invoke an existing response plan.

Ideally, all businesses should put a plan in place before a breach occurs. Breach notification is a complex issue that varies by region and should be part of advanced incident response planning. Notifying those affected, while a very responsible and ethical approach, could cause harm for the business if done incorrectly.

Figure 1 - Question: If a block of data was stolen from your business (e.g., your customer information), what would you do? Select all that apply.

[15] http://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/cbr-scrt-strtgy/cbr-scrt-strtgy-eng.pdf
[16] https://www.whitehouse.gov/the-press-office/remarks-president-securing-our-nations-cyber-infrastructure

Fortunately, our survey found that 6 out of 10 businesses had some protective activity, processes or controls in place (Table 1), with the most common overall being:

• IT in charge of data security,
• a security strategy,
• cyber-insurance,
• actively monitoring/analyzing security intelligence, and
• a response plan.

However, the smaller the business, the less likely it is to have a current plan/activity in place for cyber-threats. Meanwhile, the larger the business, the more likely it is to have some of these plans/activities in place, such as having someone in IT in charge of data security, possessing cyber-insurance and actively monitoring and analyzing security intelligence.

While risk-based cybersecurity frameworks are commonly adopted by larger businesses, we found that there is still little awareness (and even less adoption) of cybersecurity frameworks among smaller businesses in North America (Table 2).[17] The levels of both awareness and adoption of the Cybersecurity Framework from the U.S. National Institute of Standards and Technology (NIST CSF) are worthy of note. Standards from the International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC) and the Control Objectives for Information and Related Technologies (COBIT) have been defined for decades, while the NIST CSF was first released in 2014.

It is important to highlight that most of our sample was composed of BBB Accredited Businesses – companies which have pledged to uphold BBB Standards for Trust.[18] While we cannot confirm it with this study, these businesses appear to be more attuned to the topic of cybersecurity and taking (or willing to take) action, as compared to prior secondary research we reviewed that focused on the overall small business market.[19,20] We hope to explore this comparison further as we expand this research in the future.

| | 0 to 10 Employees | 11 to 24 Employees | 25 to 249 Employees | 250+ Employees | Overall Average |
|---|---|---|---|---|---|
| No current plan/activity in place. | 47% | 34% | 15% | 4% | 40% |
| We have someone in IT in charge of data security. | 26% | 44% | 60% | 78% | 33% |
| We have a security strategy. | 24% | 32% | 44% | 78% | 29% |
| We have insurance in place. | 19% | 31% | 45% | 70% | 25% |
| We actively monitor/analyze security intelligence. | 19% | 26% | 29% | 74% | 22% |
| We have a response plan. | 17% | 24% | 37% | 70% | 21% |
| We conduct threat assessments. | 12% | 20% | 23% | 65% | 16% |
| We offer employee training and awareness program. | 11% | 23% | 27% | 57% | 15% |
| We have security baselines/standards for third parties. | 10% | 17% | 20% | 52% | 13% |
| We have a Chief Information Security Officer in charge of data security. | 6% | 7% | 14% | 43% | 8% |

Table 1 - Question: What is your organization doing in relation to cybersecurity? Please select all that apply.

[17] http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html
[18] https://www.bbb.org/council/about/vision-mission-and-values/bbb-standards-for-trust/
[19] https://staysafeonline.org/about-us/news/new-survey-shows-us-small-business-owners-not-concerned-about-cybersecurity
[20] https://www.theguardian.com/business/2015/jan/21/cybersecurity-small-business-thwarting-hackers-obama-cameron

| | Aware | Adopted |
|---|---|---|
| US National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) | 19% | 9% |
| ISO/IEC 27000 series published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) | 19% | 7% |
| Control Objectives for Information and Related Technologies (COBIT) | 13% | 6% |

Table 2 - Question: Are you aware of any of the following cybersecurity frameworks? If aware of framework, have you adopted it?

A (Likely False) Sense of Security

Since eliminating threats is impossible, protecting against them without disrupting business innovation and growth should be a top management priority.[21] This doesn’t seem to be the case for small businesses as cyber-threats (including lack of data security) were not listed among the top five challenges for growth and survival (Figure 2). Growing revenue, increasing profit, managing cash flow and attracting and retaining qualified employees were the top challenges identified by the respondents overall. In our study, about 20% of respondents identified cyber-threats, including lack of data security, as a top challenge for growth and survival.

Furthermore, even with a trend of increasing digitalization and cyber-incidents, 7 out of 10 considered it unlikely that their business will suffer a cyber-attack (e.g., phishing resulting in stolen credentials, ransomware) in the next 24 months (Figure 3).[22] The smaller the business, the less likely it is to feel at risk for cyber-threats.

This false sense of safety could be due to the lack of expertise and information, as well as common misconceptions. For example, we found that 7 out of 10 businesses either believed the bank would cover a substantial loss if credentials were stolen, or simply did not know who would be responsible for such a loss (Table 3). The smaller the business, the more likely it is to either believe the bank would be responsible or be unsure of where the responsibility lies. The larger the business, the more likely it is to expect cybersecurity insurance to cover the losses. The reality is that the burden of proof lies with businesses – not banks – when it comes to business losses due to cyber-incidents. This is the opposite of what happens when consumers are victims of cybersecurity theft and fraud.

Figure 2 - Question: What are the most significant challenges to the future growth/survival of your business? Please select the top 5.

Figure 3 - Question: How would you rate the likelihood that your business will suffer a cyber-attack (e.g., phishing resulting in stolen credentials, ransomware) in the next 24 months?

[21] http://www.mckinsey.com/business-functions/business-technology/our-insights/meeting-the-cybersecurity-challenge
[22] http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html

Contrary to previous research that showed most U.S. small business owners were not concerned about cybersecurity, the businesses surveyed for this report were apparently aware of this false sense of security, even as they indulged in it.[23] Less than 40 percent were completely comfortable with the protections they have in place, less than 30 percent were completely comfortable with their ability to detect and respond to cyber-incidents, and about 70 percent mentioned their leadership team was concerned or very concerned about cybersecurity (Figure 4).[24] The larger the business, the more concerned it was about cybersecurity. Also, having experienced a cyber-incident recently increased the likelihood of being concerned about cybersecurity with about 80 percent mentioning their leadership team was concerned or very concerned.

For the minority of businesses that were not concerned about cybersecurity, the key reasons were related to a low assessment of risk and potential impact due to (Table 4):

• Having a plan already in place (e.g., “We have a backup plan.” or “We have strategies in place to prevent breach of security.”)
• The smaller size of the business (e.g., “Business too small to be a target, and even if it was, damage would be minimum.”)
• Limited online presence (e.g., “Because other than bank accounts, we do not do business online.” or “Because we don’t have networked computers or anything online, really.”)

For the majority of businesses, the top concerns were tied to (Table 4):

• Perceived threat of breaches (e.g., “I feel like it’s only a matter of time until a cyber-threat happens to my company, like it’s inevitable nowadays.” or “Company has been hacked a couple of times.” or “Because it has become so prevalent in today’s world.”)
• Risk of potential negative impacts on business, such as loss of credibility (e.g., “A cyber-attack could ruin my business and reputation and could possibly shut me down.” or “Could cause harm to our customers.” or “Don’t want to lose information or the trust of our customers.”)

| | 0 to 10 Employees | 11 to 24 Employees | 25 to 249 Employees | 250+ Employees | Overall Average |
|---|---|---|---|---|---|
| By the bank | 38% | 40% | 20% | 13% | 35% |
| Don’t know | 38% | 31% | 32% | 13% | 36% |
| By our business | 14% | 11% | 18% | 13% | 14% |
| By our cybersecurity insurance | 10% | 18% | 30% | 63% | 14% |

Table 3 - Question: If stolen credentials resulted in a substantial loss from your business banking accounts, how do you expect that loss would be covered?

[23] https://staysafeonline.org/about-us/news/new-survey-shows-us-small-business-owners-not-concerned-about-cybersecurity
[24] https://staysafeonline.org/about-us/news/new-survey-shows-us-small-business-owners-not-concerned-about-cybersecurity

Figure 4 - Question: How concerned is your organization’s leadership team about cybersecurity? (Response categories: Very concerned, Concerned, Not very concerned, Not at all concerned.)

| Why Concerned | Why Not Concerned |
|---|---|
| 39% It’s a reality/real threat to small businesses | 27% Plan/IT support already in place |
| 25% Negative impact on business/loss of credibility | 26% Don’t conduct business online/don’t collect data |
| 17% Loss of data/assets | 20% Small business = small/no threat |
| 7% Cost/loss of money | 18% Not a serious threat/not cost effective |
| 6% Unprepared/uneducated/unaware of the effects of cyberattacks | 7% Lack of knowledge/understanding on cybersecurity |
| 6% Previously attacked | 2% Never had an issue |

Table 4 - Question: Why is your organization’s leadership team concerned (or not concerned) about cybersecurity?

Why Aren’t Small Businesses Doing More?

That brings us to the question: What are the key barriers for small businesses to do more to be cyber-secure? The top three reasons hindering small businesses in the advancement of cybersecurity efforts are:

• Lack of cyber-education (including expertise/understanding/information/training)
• Lack of resources
• Lack of time

Cybersecurity is a complex topic, and these findings suggest that additional education and awareness efforts focused on smaller businesses are needed and would advance cybersecurity practices in the marketplace. One example of such activities is the BBB’s 5 Steps to Better Business Cybersecurity, which helps smaller businesses understand the need to identify and protect vital data and technology assets, and teaches them how to detect, respond to and recover from a cybersecurity incident.[25]

| | 0 to 10 Employees | 11 to 24 Employees | 25 to 249 Employees | 250+ Employees | Overall Average |
|---|---|---|---|---|---|
| Lack of expertise/understanding | 56% | 50% | 51% | 52% | 54% |
| Lack of information | 43% | 44% | 42% | 35% | 43% |
| Lack of resources | 42% | 32% | 44% | 39% | 41% |
| Lack of time | 35% | 35% | 37% | 39% | 35% |
| Lack of training | 26% | 31% | 26% | 35% | 27% |

Table 5 - Question: What are the top 3 factors that hinder your organization’s ability to advance cybersecurity efforts?

BBB 5 Steps to Better Business Cybersecurity Training

BBB 5 Steps to Better Business Cybersecurity, based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework, represents an approach that applies to the specifics of businesses, helping them understand a process to identify and protect vital data and technology assets, and teaching them how to detect, respond to and recover from a cybersecurity incident.

[25] https://www.bbb.org/council/for-businesses/cybersecurity/the-5-step-approach

Is It Good Business For Small Businesses To Be Cyber-Secure?

Cybersecurity starts with understanding and managing risks. To better understand the risks associated with cyber-attacks and the potential benefits of cybersecurity activities, the BBB started by polling 2,000 U.S. and Canadian consumers regarding the value they place on personal data, including the likelihood of walking away from a purchase if a business fails to safeguard their data.[26] Nearly 80 percent of consumers (Table 6) would be likely to do so, with female consumers and higher income individuals more likely than males to walk away, in particular in the U.S.

We also looked into the annual risk of becoming a cyber-attack victim and losing money to a cyber-attack, including the potential monetary loss. Forty-two percent of small businesses surveyed by the National Small Business Association (NSBA) reported being targets of a cyber-attack.[27] The NSBA also found that cyber-attacks cost an average US$32,021 for firms whose business banking accounts were hacked, and US$7,115 on average for small businesses overall.[28] Additionally, about 70 percent of Canadian businesses have been victims of cyber-attacks, with an average cost of CAD$15,000 per incident.[29] The estimates for losses vary wildly among various studies, with some placing the average cost of a cyberattack for a small or midsize business as high as US$188,242.[30]

In the BBB’s study, approximately 1 out of 4 businesses (Figure 5) suffered one or more cyber-attacks that affected their business in the last 12 months. The industries with higher cyber-attack incidence were: manufacturing, real estate and leasing, retail, finance and insurance, and construction. The overall average total loss from these cyber-attacks was estimated to be US$4,387, with a maximum total loss of US$150,000. Our survey found that the smaller the business, the less likely it had suffered a cyber-attack in the last 12 months. However, the risk of cyber-attacks is still present, even for smaller businesses. Just over 1 in 3 businesses with 25+ employees suffered attacks. For businesses with 10 employees or fewer, the attack rate dropped to 1 in 4.

| | US | Canada |
|---|---|---|
| Not at all likely + Not very likely | 22% | 23% |
| Likely + Very likely | 78% | 77% |

Table 6 - Question: How likely would you be to walk away from a purchase from a business that fails to keep safe your personal data?

Figure 5 - Question: Think about the cyber-attacks (if any) that have affected your business, and answer the following question. How many cyber-attacks have affected your business in the last 12 months? Note: Due to limited data we combined 25 to 249 employees with the 250+ employees’ categories. (Chart: % of businesses with at least 1 cyber-attack that affected their business in the last 12 months, shown for 0-10 Employees, 11-24 Employees, 25+ Employees and Overall Average.)

[26] Written by CBBB Research and conducted using Google Consumer Surveys, September, 2016
[27] http://www.nsba.biz/wp-content/uploads/2016/02/Year-End-Economic-Report-2015.pdf
[28] http://www.nsba.biz/wp-content/uploads/2016/02/Year-End-Economic-Report-2015.pdf
[29] http://news.gc.ca/web/article-en.do?nid=1111999
[30] http://www.symantec.com/content/en/us/about/media/pdfs/SMB_ProtectionSurvey_2010.pdf

The overall top impacts of cyber-attacks included (Figure 6):

• Interruptions in operations (service or website)
• False information sent from email addresses
• Financial losses
• Hackers obtaining access to business credit card(s)

Interestingly, the smaller the business, the more likely it was to experience financial losses and have hackers obtain access to business credit card(s) as the result of a cyber-attack.

Figure 6 - Question: How did the cyber-attack(s) affect your business? Check all that apply. Note: Due to limited data we combined 25 to 249 employees with the 250+ employees’ category. (Chart series: 0 to 10 Employees, 11 to 24 Employees, 25+ Employees, Overall Average.)

Risk Assessment

Risk assessment is a function of probability and impact. The ultimate measure of successful cybersecurity planning is the ability to suffer a major data loss and remain profitable. We found that about half of businesses could remain profitable for up to two months if they permanently lost access to essential data (Figure 7).

Even though it is not easy to establish the return on investment of cybersecurity (something we did not cover in this study, but recommend others continue researching), 5 out of 10 small businesses that participated in our survey said they were likely or very likely to invest in well-defined cybersecurity policies and controls in the next 24 months (Figure 8). The larger the business, the more likely it was to report being likely or very likely to invest in cybersecurity. Additionally, 4 out of 10 expect current spending on cybersecurity to increase in the next 24 months (Table 7; Figure 9).

Figure 7 - Question: How long could your business remain profitable if you permanently lost access to essential data? For example, ransomware on a customer database.

Figure 8 - Question: What is your likelihood of investing in well-defined cybersecurity policies and controls in the next 24 months? (Response categories: Very likely, Likely, Not very likely, Not at all likely.)

| | 0 to 10 Employees | 11 to 24 Employees | 25+ Employees | Overall Average |
|---|---|---|---|---|
| US$0 | 34% | 24% | 10% | 29% |
| Up to US$20 per month | 22% | 12% | 3% | 18% |
| From US$20 to US$50 per month | 17% | 14% | 11% | 16% |
| From US$50 to US$100 per month | 13% | 15% | 11% | 13% |
| From US$100 to US$500 per month | 12% | 20% | 28% | 15% |
| From US$500 to US$1,000 per month | 1% | 7% | 13% | 4% |
| US$1,000 or more per month | 1% | 8% | 24% | 6% |

Table 7 - Question: How much do you currently spend (in US$ per month) on cybersecurity? Think of your expenses with vendors of products/services and licenses, not including personnel/staff. Note: Due to limited data we combined 25 to 249 employees with the 250+ employees’ category.

Figure 9 - Question: How do you expect your budget/expenses with cybersecurity to change in the next 24 months?


Building A Better Business Future

Cybercrime is growing rapidly, with annual costs to the global economy estimated at more than US$400 billion.[31] Yet, there is still much that can be done to educate, support and encourage small businesses to be cyber-secure, to dispel misconceptions, and to help make cybersecurity a priority for smaller organizations.

Focusing on small businesses is important since they represent more than 97% of the total businesses in North America and are frequently targeted by cybercriminals as gateways into larger corporations.[32,33,34,35] Our findings confirm that the smaller the business, the more it would benefit from additional protections against cyber-threats. Because they are less likely to have taken comprehensive measures with regard to cybersecurity, businesses with fewer employees are more exposed to potential breaches and, thereby, the financial losses that can accompany such an attack. Furthermore, the data points to a possible loss in customer loyalty as a result of data insecurity, which should push small businesses to improve their cybersecurity measures.

We hope this pilot report will aid in the continuous support of our community of trusted businesses and the marketplace at large by increasing awareness about this complex issue among small businesses; by helping clarify the real risk of cyber-attacks and the potential financial and reputational losses; by sharing experiences from other businesses in their efforts to be cyber-secure; and by informing key influencers about the obstacles hindering the advancement of cybersecurity efforts among this important market segment.

We recommend an increase in cybersecurity programs focused on smaller businesses that will allow further education and awareness efforts around this complex topic. Another area of focus should be public education on programs such as cybersecurity accreditations or certifications that showcase to the public at large an organization’s intention to safeguard customers’ data. Additionally, a collaborative approach between government, industry, businesses and non-profits is needed, as well as additional research.

In a world increasingly interconnected and digitally driven and in which cyber-criminals have become more sophisticated, cybersecurity is a pressing concern for everyone and should become an increasingly critical management issue. By using the statistics and recommendations laid out in this report, many small businesses can begin putting effective plans and activities into place before a breach occurs. For more information about the 5 Steps to Better Business Cybersecurity and recommended procedures for protecting against cyber-attacks, small businesses should contact their local BBB.


31 http://www.mcafee.com/us/resources/reports/rp-economic-impact-cybercrime2.pdf
32 https://www.sec.gov/news/statement/cybersecurity-challenges-for-small-midsize-businesses.html
33 http://www.pwc.com/gx/en/consulting-services/information-security-survey/assets/the-global-state-of-information-security-survey-2015.pdf
34 https://www.sba.gov/advocacy/firm-size-data
35 https://www.ic.gc.ca/eic/site/061.nsf/eng/03021.html

Interested to learn more or to support BBB’s work to advance cybersecurity? Contact Bill Fanelli at [email protected]


AUTHORS

Bill Fanelli is Chief Security Officer for the Council of Better Business Bureaus (CBBB), the umbrella organization for BBBs across North America. Mr. Fanelli initially worked with CBBB as interim Chief Information Officer during a major phishing scam in 2012, and permanently returned as CSO in 2014. Mr. Fanelli has a wide breadth of information security experience, including over 25 years of assessing Critical Infrastructure Protection (CIP) IT and SCADA (supervisory control and data acquisition) systems as well as administering NIST 800-53 Controls on Federal Information Security Management Act (FISMA) systems. For the last 11 years, his focus has been in the deployment of data center, desktop and network security solutions in enterprises with 300,000+ devices. Mr. Fanelli is also primary author of the BBB 5 Steps to Better Business Cybersecurity training.

Rubens Pessanha, director of market research and insights with the CBBB, has more than 20 years of global experience in marketing, strategic organizational development, project management and market research. He has presented at conferences in the U.S., Japan, South Africa, Belgium and his native Brazil. A production engineer with an MBA, he is about to finish his doctorate at George Washington University.

Amy Gwiazdowski is the Internal Communications Manager for the CBBB, actively engaging with BBBs across North America to better understand their needs. Before joining the CBBB, she was the communications director for a business trade association for companies with employee stock ownership plans (ESOPs) in Washington, DC. Previously, she spent a few years working for the publishing industry’s trade association, where she had the opportunity to indulge her love of reading.

Tiffany Scott is currently the Market Research Analyst at the CBBB, where she gathers insights and data to help inform various marketing initiatives. Beyond market research, Tiffany’s passion is developing acquisition, retention and engagement strategies for both consumer and business audiences.

For more than 100 years, from small community stores to multinational enterprises, BBB has been on the forefront of positive marketplace change by partnering with leading companies committed to the best practices of business ethics, marketplace excellence, and effective industry self-regulation.

Trust always matters. BBB is deeply committed to building and advancing a better marketplace, a trusted marketplace for all.

Council of Better Business Bureaus, Inc.
3033 Wilson Boulevard, Suite 600
Arlington, VA 22201 | bbb.org