Businesses in the Pikes Peak region can now earn a Cyber-Aware Business badge — the first of its kind in the nation — to show they’ve “done the hard work” of protecting themselves and their customers against cyber attacks.
The cyber badge is a pilot program between the Pikes Peak Small Business Development Center and the Better Business Bureau of Southern Colorado. Pikes Peak SBDC guides businesses through risk assessment, cybersecurity training and one-on-one consulting, before recommending eligible businesses for the cyber badge.
The badge is awarded by the BBB of Southern Colorado, and can be displayed on websites, email, social media and storefronts.
Jonathan Liebert, CEO of BBB of Southern Colorado, said the badge will benefit individual businesses and, through better protections for consumers, the community as a whole.
“It’s going to be important for a consumer who’s savvy about [cyber risk]. And unfortunately, with more and more people’s information getting stolen, people are going to become more aware of it,” Liebert said.
Consumers are going to start asking businesses what they’re doing to protect them from data theft and cyber attacks, he said, and that’s where the badge becomes a competitive edge.
“This is certainly one of those areas that they can have an opportunity [to advertise] an advantage, as more people’s identities are stolen; as people are scammed,” Liebert said. “You can think of it this way: Trust is a new currency. Trust has always been important, there’s no question about it. But in this day and age, trust is absolutely a new way of thinking about a form of transaction — and it’s a form of currency. … Businesses that are absolutely taking care of their consumers’ information and data are [doing] a really, really important thing.”
To earn the cyber badge, businesses first complete the Cybersecurity Awareness & Implementation Series, an eight-week cyber business planning course that’s part of the Colorado SBDC’s Leading Edge series.
“During the first two weeks, SBDC cyber subject matter experts visit each business’ location, whether it’s in the home, online, or a storefront,” Aikta Marcoulier, executive director of the Pikes Peak SBDC, said via email. “We conduct a full business risk assessment (normally very expensive!). The following weeks are focused on cyber education all the while providing the businesses with consulting, guidance, and solutions to fill the gaps/risks we found associated in their business.
“This is very much what you do for business continuity planning. However we add on cyber along with external and environmental threats.”
Sessions cover privacy and data security, scams and fraud; network and website security; email, social media, mobile devices; employees, facility security, operational security; payment cards/PCI compliance; incident response and reporting; policy development and management; and implementation of infrastructure.
During the Cybersecurity Awareness & Implementation Series, each business must complete five hours of additional one-on-one consulting to address their specific needs.
Marcoulier said the cyber badge can only be earned by businesses that:
• complete the eight-week course;
• submit a final cyber business plan with risk assessment;
• hire an IT/cyber management solution; and
• provide proof they have cyber insurance.
“The IT/cyber company must check in with the [business mid-year] and at the end of the year to [assure] the SBDC, BBB and the small business they are still within compliance and also taking care of themselves in case of a hack,” Marcoulier said.
Shawn Murray, chief academic officer and president/CEO at Murray Security Services and cybersecurity consultant with the Pikes Peak SBDC, facilitates instruction for the course. He said it’s important that cyber badge businesses are required to maintain their cyber hygiene, and to have that third-party assessment each year.
“This assures customers that the business is really invested,” he said.
Too many small businesses don’t understand the risks in their environment, Murray said, and they’re still struggling with the basics of cybersecurity.
“The benefit for small businesses [working to earn the cyber badge] is that they have a better understanding of where their cyber risks are, and they know how to address them,” he said. “… Customers can then choose the business as ‘preferred’ over others. This provides value.”
The Cybersecurity Awareness & Implementation Series runs Oct. 8-Nov. 26 and costs $695 ($250 for additional people from the same business). The cost also covers the risk assessment and reporting, as well as the five hours of one-on-one consulting.
Liebert said the Colorado Springs community is becoming more aware of the importance of cybersecurity.
“I would tell you two years ago, you mentioned cybersecurity and people wouldn’t even understand what that meant. Because it was just: ‘It’s this invisible thing that happens. I don’t get it. Sounds expensive. Sounds scary. I don’t want to know any more,’” he said. “Now … I think we’re finally seeing this reaction in the community where cybersecurity is becoming more of a household idea, which is good. So if you’re going to be a good business, there’s certain things you’ve got to do — and having cybersecurity as part of your business model is one of those things.
“[The training] is giving them the tools and the education to know what’s OK and what’s not OK in this new day and age of doing business — because consumers have to be more careful than ever, and businesses do too.
“It’s all changing so rapidly, they’ve got to be up to speed and up to date on this stuff.”
Liebert said it was important for the BBB to partner with Pikes Peak SBDC on the cyber badge program because of their cyber expertise.
“From BBB, I am not comfortable saying to anyone, ‘We’re the experts in cybersecurity so I’m going to create this badge.’ That’s not what we do,” he said. “I’m totally comfortable, though, partnering with other experts … .
“SBDC is really partnering with a lot of great people in town to provide hands-on skills and training, and then they’re going through a whole series of tests and penetration tests … and that’s where I get the information so I can then tell the consumer, ‘Hey, here’s a business that’s gone above and beyond. Here’s a business that’s gone through extra classes, extra training, their stuff’s been tested.’ Nothing’s 100 percent, so I would never certify anybody as ‘cyber secure’ — that just doesn’t exist. But to have them more cyber aware, and to know that they’ve actually done the homework, and that a cyber professional has actually tested their system.”
Liebert said he hopes the cyber badge “becomes a symbol for folks to rally under, for businesses to recognize the symbol and want to attain that: ‘I do believe in it, and I want the mark because that shows that I’ve gone and done the hard work.’
“I hope that it helps businesses think about their strategies, and to know that there’s a formalized process to be able to do it. And then I hope on the consumer side, it’s the same thing: It’s a recognizable symbol, it’s a trust mark. … I hope it’s recognizable, more and more in the future, for people to see it and understand what it stands for.”