Can Too Much Cybersecurity Be Bad for Your Small Business?

By Samuel Bocetta

If you run a small business, security is probably near the top of your priority list—and if it’s not, it should be. Businesses are the most common targets for cyberattacks, and the consequences of having data stolen can be huge, particularly since the passage and implementation of the GDPR (General Data Protection Regulation) in Europe.

Sometimes, though, your focus on cybersecurity can have detrimental effects on the rest of your business. This is due to two factors:

  1. While it’s good to have dedicated ICT (Information and Communications Technology) staff who are charged with looking after your cybersecurity, in a small business this staff (or “the IT guy,” if you run a very small business) can quickly become overburdened.
  2. Sometimes there can be such a thing as too much security. That shouldn’t make you take your security any less seriously, of course; cybersecurity for small businesses is important. But it should stand as a reminder that you need to identify what threats your business actually faces, and prioritize defending against them.

Let’s take a look at these two issues in more detail and then consider some solutions.

Everything is ICT

To understand how ICT staff can easily become overworked, consider the following question: how much of your business doesn’t rely on ICT?

While we would always recommend having a dedicated IT consultant on your staff, whether they are contracted or employed directly, you should guard against the temptation to give them everything that has to do with computers. Doing that assigns them the responsibility for securing essentially everything the rest of your team does. Document security is an example of this. If you allow your staff to delegate this to a dedicated IT worker, they will quickly end up overseeing all the important information your business holds.

The situation is even worse where IT staff are charged with innovating new solutions as well as securing existing systems. Recently released research by Vanson Bourne for LastPass found that among their security objectives for the coming year, more than 50% of the 700 IT professionals who responded to the survey cited securing data (75%), securing new technologies as they’re adopted (68%), reducing risk (66%), and upgrading identity access management (65%).

That’s a huge workload, and so it comes as no surprise that burnout is a common cause of staff loss for IT professionals.

Security vs. agility

A second issue is that it is possible to have too much cybersecurity. Or rather, to have an inflated sense of the risks your business faces, and to enforce security policies that are too rigid.

This is an unfashionable—and perhaps dangerous—thing to say. But if you run a small business, there is a very real danger that adding new security protocols every month will stifle the innovation and agility that make your business competitive.

This is particularly true when a business expands rapidly. If you find yourself adding new systems, databases, and staff every month, there can be a tendency to add new security measures just as fast.

As Network World puts it, “Every new policy should be balanced against the opportunity cost and competitive cost of that policy, but after a while it becomes about security for security’s sake, the reasons long forgotten, the compromises adding up to less flexible operating practices until security is slowing everything down.”

This might sound like an excuse to become casual when it comes to information security, but it is not. Rather, it points to the importance of reassessing your business priorities at each stage of the journey.

The solution

The solution to these issues is to distribute responsibility for information security across as many staff as possible. In practice, this means providing rigorous training about the most common cyberattacks that affect small businesses and how to spot and avoid them. Will Ellis, Director of Research at Privacy Australia, offers this insight: “Security should be a company-wide philosophy ingrained into every employee’s frontal lobe. It’s much too large a job to dump in the lap of one IT consultant or even a team.”

A good example of this is phishing, which is still the most common form of cyberattack. If you fall victim to such an attack, the natural response is to try and patch this vulnerability at a tech level. You might ask your ICT staff to lock the computers of other staff members so that they cannot open suspicious-looking attachments in emails.

In practice, though, that’s not a solution to the problem. It will quickly annoy and frustrate your staff, and ultimately limit their ability to adapt and innovate. Instead, all staff should be taught what a phishing scam looks like, how to avoid it, and the very real consequences such attacks can have on your business.

Creating a culture of cybersecurity is easier said than done, but in some ways small businesses have an advantage over larger operations. Staff can quickly share information and ask each other for advice when they see something suspicious.


In short, it’s easy for your (understandable) focus on security to quickly dominate all the other business priorities you have, either through giving your IT staff too much work and responsibility, or by imposing overly strict security protocols on your entire team. The solution is to reprioritize. Cybersecurity should be at the center of everything you do, but you should also realize that, precisely because of this, it is not a topic that can be dealt with separately from the rest of the business.

Instead of delegating security in its entirety to your ICT team, therefore, you should take care that every business decision is taken with an eye to its security implications. Rather than writing “security” at the top of your priorities list, include it in every other item on that list.

About the Author

Post by: Samuel Bocetta

Samuel Bocetta is a freelance journalist specializing in U.S. diplomacy and national security, with emphases on technology trends in cyberwarfare, cyberdefense, and cryptography.

Company: Samuel Bocetta Writing