Paper

Chary

Garrett P. Medvick

Old Dominion University

CPD 494 Entrepreneurship and Professional Studies

Akeyla Porcher 

04/21/2023

Abstract

This is a proposal for a business innovation called Chary. Chary is pronounced like the Cherry fruit, and it is an organization that is dedicated to cybersecurity for small businesses. Chary offers an online class that is designed to help small businesses avoid becoming victims of cybercrime. Chary will educate the employees of small businesses because social engineering has become the prevalent attack method of cybercriminals against small businesses.

Chary

Section A: “The times, they are a-changin’.” When Bob Dylan sang this famous line in 1965, he was emphasizing the need for people to grow and adapt to new situations. This idea has never been more true for businesses. Thanks to technology and the Internet, businesses have more opportunities for growth and change, and these opportunities are arriving at such an accelerating rate that it is difficult for businesses to keep up with the times. Businesses need to adapt to survive, and conducting business online has become the new par for the course. Conducting business online has become an everyday occurrence for most Americans, but the convenience offered by online transactions comes with a hidden cost. The information of customers, commonly referred to as their personal information, is very valuable. According to Belinda Barnet in her article Spectre of you: Social Data Australians Cannot Control and the Data Broker Industry Built On It, “there is an entire industry and infrastructure worth US$300 billion per year set up to facilitate data mining and matching, analysis and trading with social media companies (Barnet, 2021, p. 192).” The companies that collect the personal information then sell it to other companies to help customize advertising for target audiences. In other words, it makes advertisements more persuasive because the advertisers know more about you. Armed with the knowledge of all of your weak spots, the companies attack you when you are most vulnerable by persuading you to buy things you otherwise would not have purchased. This new form of vulnerability is one of the key reasons guarding the personal information of customers is imperative.
According to Professor Sumaryanti in the article Improvement Security in E-Business Systems Using Hybrid Algorithm, “The need for increased customer service and transaction security for business process management and presenting information in real-time has become a new revolution as a breakthrough in utilizing the capabilities of internet technologies that use e-business (Sumaryanti, 2021, p. 1535).” Businesses need to educate themselves on information security and data privacy, and our innovation Chary is designed to help these businesses learn about information safety.

Chary is an adjective that means “cautiously or suspiciously reluctant to do something”. We named the innovation Chary because we want to emphasize that businesses need to be wary of transactions and also understand the ways criminals can steal information. And why should businesses be cautious? Because the cost of leaking customer information is high. According to an article by gflesch.com, “The average remediation costs reach $200,000 — enough for about 10% (of small businesses) to go out of business (Moore, 2022, p. 3).” The main service that Chary offers is the online seminar for small businesses and training classes for employees. The classes will also include practice material. This seminar focuses on educating businesses on the importance of information security and the value of customers’ personal information. Chary will be offered first as a website and we plan to develop the app after some growth. We would like to offer the class as a one-time charge of $100 and offer the training materials with a subscription fee of $20 per month as the secondary income for the business. The team at Chary understands that business owners are very busy, so we would like to make the class available as a two-part experience with both parts being offered on each scheduled day in order to increase flexibility of scheduling. Initially, the class will be led by an instructor, but as the business grows and becomes more defined and assimilated to the environment, we would like to explore the opportunity to use Artificial Intelligence as the course instructor. Even if we cannot accomplish an AI instructor, I would like to move away from classes that require a physical instructor because it limits our availability and increases our cost of service. Overall, Chary aims to help businesses defend themselves from cybercrime without incurring the full cost of an information technology professional.

Section B: Cybercrime is growing at an alarming rate, but what is even more alarming is the fact that we do not know exactly how much cybercrime is going on around us. This is because businesses and people frequently do not report cybercrime! The crimes are often never even looked into. I can attest firsthand. When my friend had her car stolen while delivering pizza for Papa John’s Pizza, the police had all of the information they needed. They had things like customer name, phone number, address, likely even an IP address for the phone that was used. The thing that was missing was protocol and procedure. Even though all of the evidence was right in front of them, they were not prepared to help. If your small business becomes a victim of cybercrime it can be very scary because the traditional methods of recovering stolen items and discovering identities do not work anymore. Our innovation is intended to educate businesses about cybercrime and to develop good business practices because cybercrime is on the rise. In his article When Do Businesses Report Cybercrime? Findings from a UK Study, author Steven Kemp from the United Kingdom notes “The National Crime Agency has stated that cyber criminality is rising and criminals are increasingly targeting businesses (Kemp, 2021, p. 2).” Kemp additionally states that there was a sharp increase in cybercrime thanks to the 2019 and 2020 Covid-19 Pandemic. Kemp then refers to the National Cybersecurity Centre for a shocking statistic: “‘if you’re a small or medium-sized enterprise (SME) then there’s around a 1 in 2 chance that you’ll experience a cyber security breach’ (Kemp, 2021, p. 2).” Although the dangers of cybercrime are beginning to be more acknowledged, there still is not enough being done. In his article, Kemp discusses how businesses are not likely to report the cybercrimes against them. This results in a lack of reliable data for criminological research.
Furthermore, Kemp argues that if companies continue to ignore cybercrime, the prevention strategies and techniques will become “inadequately informed.” Chary believes education is a key component of cyberdefense.

So what is cybercrime? Researcher Matti Nasi makes a distinction in his article Cybercrime Victimization Among Young People: a Multi-nation Study. Nasi explains the primary distinction that cybercrimes are crimes committed using computers and other electronic networks. “Despite the commercialization of the Internet and other new information and communication technologies only a couple of decades ago, different forms of cybercrime have become a daily occurrence (Nasi, 2015, p. 203).” Crimes such as identity theft, fraud, and even harassment are evolving into cybercrime as criminals find new ways to communicate and interact with each other. Phishing is a cybercrime that forms the basis of many other cybercrimes. A phishing attack is an attempt to gain access to sensitive information. Author Rundong Yang from the School of Cyberspace Security in Beijing describes phishing more technically as “using social engineering and/or technical deception to obtain private user information” and he adds that phishing attacks are often successful because people are often the weakest point in the defenses (Yang, 2022, p. 1).

Billions of records have been stolen in the past decade. UpGuard.com lists some of the biggest data breaches of the decade such as the CAM4 data breach, the Yahoo! data breach, and the Aadhaar data breach. The CAM4 data breach of 2020 leaked a whopping 10 billion records, including things such as full names, sexual orientations, and IP addresses. Once the attackers gained this information, they attempted to use more targeted attacks in order to access any cloud-based accounts attached to the leaked information. While the CAM4 breach leaked 10 billion records, the Yahoo! breach affected 3 billion accounts with an increased chance of identity theft. Thankfully much of the sensitive information in the Yahoo! breach remained safe, but it alerted more people to the reality and danger of cyber attacks. The goal of Chary is to help businesses learn to manage their own information technology and protect those businesses from cyberattacks.

While Chary certainly cares about the safety of businesses and their customers, we are not urging businesses to stay safe out of good will. There are several rules and regulations that determine the things a business will be required to do in order to stay up to date. CyberInsureOne.com is the website for Cyber Insurance Education and Information and it discusses some of the ways laws can entangle privacy and cybersecurity. The laws regarding information are mostly determined by what kind of data it is, but there are some general laws that apply to most businesses. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 applies to organizations that handle medical information. This law establishes standards for how the medical information is shared, accessed, and stored. The Gramm-Leach-Bliley Act (GLBA) of 1999 may come into play if your organization handles personal or private financial information.  The GLBA also creates standards for how data is stored, but it additionally details what parties may have access to that data. If your business handles government information, the Homeland Security Act and the Federal Information Security Management Act (FISMA) will likely apply to your business and there will be additional standards for your information.  This group of Acts handles most of the regulations in cybersecurity, but there are also two more Acts that are much more recent and have been added as a result of the increase of cybercrime. The Cybersecurity Information Sharing Act (CISA) of 2015 discusses protecting data, but more importantly it is a government attempt for organizations to collaborate in response to cyber threats. Through CISA, companies and the government can share information to accelerate the response to threats. Finally, the Federal Exchange Data Breach Notification Act of 2015 is intended for companies that handle health insurance information. 
These companies are required by this Act to report breaches of cybersecurity and then alert the affected individuals within a certain number of days of the breach. In addition to these federal laws, California and New York are both examples of states that have additional laws about cybersecurity. 

The penalty for breaking cybersecurity laws is usually determined by the nature of the cyber attack and the severity. Penalties include fees, fines, and even public shaming in some instances. Breaking a cybersecurity law can become expensive quickly. HIPAA fines range from $50 to $50,000 per record! While there is a maximum fine, businesses may be fined the maximum amount for many years in a row. Violators of HIPAA could even be looking at up to 10 years. The penalties for violating the Gramm-Leach-Bliley Act are even more severe than the penalties for HIPAA because organizations dealing with GLBA are handling financial information. Each violation of the GLBA can mean up to a $100,000 fine for the guilty business. To make matters worse, if a business is found guilty of violations of GLBA, leaders of that organization may face a prison sentence. Even one violation of one of these policies and acts can be enough to set a small business behind or maybe even put it out of business. The team at Chary provides the lessons and the poise for employees and business owners to stay out of trouble when handling personal information.

Our objective at Chary is to spread information and awareness about cybersecurity to small business owners. We want to teach these businesses lessons they will remember and practices they use, but learning online is not easy. This is why Chary takes a distinct approach: an approach that focuses on teaching strategy and not just course material. Our plan begins with offering the Cybercrime Safety Course led by an instructor, but we have high ambitions for evolving technologies and will be looking into a more asynchronous style of teaching. Many small business owners do not have time to leave their business to attend a regular class meeting. Chary understands this key problem: the business owner needs this service, cannot afford to pay someone to do it for them, and does not have the time to learn it themselves. For these reasons Chary plans to invest in a class structure that is more flexible for business owners because it does not require an instructor to be present. This will accomplish many objectives at once for Chary. Teaching asynchronously will allow Chary to scale to any number of clients, anywhere they have access to the internet. It will allow Chary to offer our services to a multitude of customers at once while a typical class or lecture is limited by its audience. This will also reduce the cost of services for Chary because once we invest in this technology, we will no longer need as many people available to instruct courses. However, before we can afford this investment I believe the traditional method of instruction may be adequate for our first generations of customers.

Although Chary would like to have classes without instructors, we have not forgotten pedagogy entirely. We understand that offering an online product will be challenging. In their article Strategies for Success: Teaching an Online Course, authors Jane Cole and Jeffrey Kritzer discuss some of the difficulties of transitioning to an online learning environment. “Some universities offer strong technology support services that provide training workshops on the use of the platform programs or other technology resources, but few offer training on how to actually teach an online or hybrid course with strong pedagogy (Cole, 2009, p. 1).” Thankfully there have been many advancements in the ways we conduct business and in the words of Cole and Kritzer “New technology has provided better access, convenience, and flexibility for meeting the needs of adult learners (Cole, 2009, p. 1).” The authors then go on to list some of the key features that have been demonstrated to help online courses be successful: “adapting to students’ needs; using meaningful examples; motivating students to do their best; facilitating the course effectively; delivering a valuable course; communicating effectively; showing concern for student learning;” and, moreover, instructors who are “visibly and actively involved in the learning; work hard to establish trusting relationships; and provide a structured, yet flexible classroom environment (Cole, 2009, p. 37).” Chary can be a successful online class as long as we follow these key guidelines. One of the technologies Cole and Kritzer highly recommend is the Electronic Discussion Board. According to the authors, the electronic discussion board is a great tool because it demonstrates the presence of the instructor. In other words, it assures the student that the instructor is engaged and actively reading and responding to the course work. It can also be helpful because there are many students who feel less comfortable sharing in large crowds.
An electronic discussion board can be used to break down students into separate groups for discussion and promote a more interactive environment. With some research, hard work, and some dedication I know Chary can offer a valuable online experience. 

Chary will need to advertise in order to get new customers. We can save money by only advertising to consumers that we believe will buy our product. In the case of Chary, our target audience is small business owners. We will use targeted advertising to reach small business owners. In the Vanderbilt Law Review, author Christina Claxton gives a more detailed description of targeted advertising in her article Private Offering & Targeted Advertising. Claxton defines targeted advertising as “the practice by which companies seek to promote a service or product direct advertisements at certain consumers based on characteristics those consumers possess (Claxton, 2021, p. 1203).” Claxton describes the current advertising situation as surveillance capitalism. She defends this claim by detailing how social media companies such as Facebook (Meta) and TikTok collect details about the habits of consumers with enough precision to predict and affect the decision making of the consumers. While Claxton argues that the gathering and selling of such data is immoral, Chary will need to take advantage of this new technology if we wish to be successful. There are different options available for targeted advertising online. Google advertisement or a sponsored advertisement could be a more direct link to our audience, or we can purchase data from a data broker. In his article “How Much Should Data Cost Me?,” author Gareth Perry explains that the cost of data varies by its quality. Things like how often the files have been verified and the expected bounce rate affect the cost of the data. A bounce rate, in non-technical terms, is a measure of how often consumers clicked on your ad but did not continue any further or otherwise lost interest. This is a very useful metric because we want to be sending our advertisements to people who will click on them and then read them.
According to Perry, with a relatively high bounce rate of 15% and files that have been verified less regularly, “you’re looking at getting 20,000 contacts for around £100-150 per 1000 (Perry, 2021, p. 4).” In American dollars, that would be $124-$186 per 1000 contacts or roughly $3,000 for the 20,000 contacts previously mentioned.

Chary should have a social media presence. Similar to how Cole and Kritzer enlightened us to the importance of an instructor’s presence, customers should know that Chary is actively listening to feedback and staying relevant. The cost of advertising in this way can be as little as $0 because the company is using an online presence as an ongoing advertisement, but we can also invest in a social media manager or content creator to give us a bigger online presence.

Section C: The idea for Chary stemmed, or should I say STEMmed, from my classes as a cybersecurity student. Classes such as Information Systems, Digital Forensics, and Cyberwar all certainly affected the decision to make a company that teaches other companies how to be safer in the cyber environment, but the classes outside of my major set me up for success in this venture as well. Before I was a cybersecurity major, my major was Accounting. I have taken classes such as the Principles of Financial Accounting, Probability in Decision Analysis and Business Statistics, Principles of Macroeconomics, Calculus in Business Matrices. I have taken classes such as Managerial Accounting, Contemporary Business Managerial Economics and Business Intelligence. I have always wanted to be in business, and I think my choice of classes speaks for itself. I am happy to give credit to the classes I took here at Old Dominion University because almost all of them were relevant to this proposal, and yes, I even mean Film Appreciation. Accounting classes taught me the importance of good housekeeping. This phrase might normally mean sweeping and mopping, but when it comes to handling money, there are several rules to keep things nice and tidy. One principle is that the revenue needs to be recognized in the period when the payment was received. Many of the accounting principles deal with being fastidious, but the intention of this intense inspection, labeling, and matching process is to make records and then have those records available and accessible. Accounting classes taught me that Chary should be honest with its finances and keep the receipts, just in case.

One of my favorite classes I have taken is the course for decision analysis and business statistics. The course was focused on descriptive analytics, decision making under uncertainty and risk, and decision analysis incorporating sample information. In our business, of course we want to gather as much information as we can. The unfortunate truth of the matter is that there is no magic 8 ball that can tell the future. My classes such as macroeconomics and microeconomics helped teach me the importance of the financial past to predict the financial futures, but these classes both stress that the past does not guarantee the future. This is why the decision analysis course had such an impact on me because it details how to use math to make decisions. Decision analysis incorporating sample information involves using statistical methods to make informed decisions based on limited information. Chary will be a successful business if it can adapt and use some of these tactics to make informed decisions.

Section D: Measuring the cybersecurity of a business involves assessing its overall level of protection against cyber threats, vulnerabilities, and risks. The first step that we can take is to conduct a cybersecurity assessment: Chary can assess the organization’s current security posture, including evaluating the security measures, policies, and procedures in place, and then identifying vulnerabilities. We would then identify the risks, including potential risks that could impact the organization’s security, such as the likelihood and impact of a data breach or cyber attack. We need to keep in mind the organization’s unique business processes and technologies, so our plan of testing would be tailored to each business. We must also evaluate security controls. Chary will evaluate the effectiveness of any security controls currently in place, such as firewalls, antivirus software, and intrusion detection systems. This helps to determine if the controls are adequate and if they are being properly used and managed. Afterwards, we will check whether the business has a security incident response plan and, if so, test that plan to ensure that it is effective and that staff know what to do if there is ever an incident or a threat. It is important that businesses maintain compliance with regulations and standards: one of the first things Chary can do is check if the business is compliant with relevant cybersecurity regulations and standards, such as the General Data Protection Regulation or International Organization for Standardization (ISO) 27001. Businesses should conduct regular security audits to make sure that the organization’s cybersecurity is always up to date and meets the latest threats. It requires a lot of effort to maintain a cybersecurity system and it should not be taken lightly.

Section E: In order to turn Chary into a reality, there are several things we must do as a team. First we should do some market research. We have our target audience in mind already, but I believe we should attempt to understand our competition better. I know one of the ideals that Chary is focused on has been affectionately named a PICNIC. It is an endearing term to remind computer users that the problem is in the chair, not in the computer. While competitors such as Norton and McAfee offer antivirus programs, the statistics we have given show that most cybercrimes are achieved through social engineering. This means the criminal more than likely tricked a user into giving away information, or may even walk right into areas where sensitive data is stored if safety measures are not maintained. After our market research, we should develop a more concrete business plan. We need to nail down things such as our goals as a company, what strategies we will use, our financial projections, and a timeline for execution. Once we have our timeline it will be time to take it to the bank! It will be time to find some investors. Investors can be many different entities. We may be able to get a loan from a bank. A better option for Chary may be to get a grant from the government because grants do not have to be paid back to the lender. There is a lot of competition for grants so we would have to be resourceful. One of those resources is the United States Small Business Administration (SBA). There are also federal grants available such as those at grants.gov. State governments also offer grants to small businesses and there are often fewer applicants for these grants, so it could be well worth it for Chary to take a look at these grants. We may also try the United States Economic Development Administration (EDA) to see if they will give us a loan. Our team should also check out a Small Business Development Center (SBDC).
An SBDC is a great resource because it offers free consulting and training. These topics even include digital advertising, so I am sure Chary could find some insight there. The consultants there might even help us find a grant. 

After we secure funding, it will be time to hire any additional employees. Once we have defined our goals and plans further, we should be able to identify which kinds of talents we need. I have never started a business before, so I am not sure if we should build our building around the needs of our staff or if we should build our staff around the needs of our building. Either way, we will need to identify what kinds of equipment we will need and the layouts we would like. This will affect the location and the building we select. After understanding our needs better, we can look for a location for our office. We will have to pay attention to commercial zoning, but the services offered by Chary are very simple compared to those of other industries such as a restaurant or a factory. We will need to figure out more details about the salaries we plan to offer our employees because it affects our budget for the building. It will be so exciting when we get to visit potential locations. We need to evaluate the condition of each place and we should not just jump at the first offers we are given. Ultimately, all of the locations will have advantages and disadvantages, and the company needs to weigh and assess these options to make a decision.

Section F: The next steps for Chary are all about putting our team together. If Yohannes, Diego, Tobi and I can figure out who we will need to add to our team, we can start putting the other pieces into place. We need a list of employees and an organizational chart for the ways authority works and who answers to whom. Chary also needs a few other things I believe we could assemble before having a physical location. It is possible we could run Chary from a home office. It could avoid many of the burdens and costs associated with renting an office from a landlord. Ever since the Pandemic of 2020, employees have been discovering that working from home just makes sense for some situations, and I believe Chary is one of those situations. We will need to build a website, and maybe even an app. We also have to register our business. Without a location and a team roster, we won’t be sure how to register, but once we have a more solidified plan we can register our business with state and local governments. Chary might also benefit from a motto or a slogan and a logo. This could help our brand awareness. After we have our team, our buildings, and our policies, the fruit of our work for Chary will bloom.

References

Barbetta, P. M., & Morales, M. (2022). Three Low-Tech Active Student Responding Strategies for Inclusive Online Teaching. Teaching Exceptional Children, 54(5), 346–353. https://doi-org.proxy.lib.odu.edu/10.1177/00400599211025553

Barnet, B. (2021). Spectre of you: Social data Australians cannot control and the data broker industry built on it. International Journal of Media & Cultural Politics, 17(2), 191–198. https://doi-org.proxy.lib.odu.edu/10.1386/macp_00048_7

Claxton, C. M. (2021). Private Offerings in the Age of Surveillance Capitalism and Targeted Advertising. Vanderbilt Law Review, 74(4), 1187–1229.

Cole, J. E., & Kritzer, J. B. (2009). Strategies for Success: Teaching an Online Course. Rural Special Education Quarterly, 28(4), 36–40. https://journals-sagepub-com.proxy.lib.odu.edu/doi/abs/10.1177/875687050902800406

Cybersecurity Laws and Penalties (2021). Retrieved from https://cyberinsureone.com/laws-penalties/#:~:text=Cybersecurity%20breaches%20have%20many%20consequences,maintain%20baseline%20levels%20of%20cybersecurity.

Cybersecurity Laws and Regulations in US [2023] Eescorporation.com. Retrieved from https://www.eescorporation.com/cybersecurity-laws-and-regulations-in-us/#:~:text=Businesses%20must%20comply%20with%20various,in%20significant%20fines%20and%20penalties.

Information Technology Professional Salary. Zippia.com. Retrieved from https://www.zippia.com/information-technology-professional-jobs/salary/

Kemp, S., Buil-Gil, D., Miró-Llinares, F., & Lord, N. (2021). When do businesses report cybercrime? Findings from a UK study. Criminology & Criminal Justice: An International Journal, 1. https://doi-org.proxy.lib.odu.edu/10.1177/17488958211062359

Mondaoa, G. (2022, November 4). Social Engineering Statistics: Psychological Crime Eftsure.com. Retrieved from https://eftsure.com/statistics/social-engineering-statistics/#:~:text=Nearly%2098%25%20of%20all%20cyber,domains%20associated%20with%20bait%20attacks.

Moore, K. (2022, June 6). Cybersecurity: Can Companies Be Sued for Data Breaches? Gflesch.com. Retrieved from https://www.gflesch.com/elevity-it-blog/will-you-get-sued-if-your-business-is-hacked#:~:text=Individuals%20may%20sue%20businesses%20for,bank%20accounts%20and%20tax%20returns.

Näsi, M., Oksanen, A., Keipi, T., & Räsänen, P. (2015). Cybercrime victimization among young people: a multi-nation study. Journal of Scandinavian Studies in Criminology & Crime Prevention, 16(2), 203–210. https://doi-org.proxy.lib.odu.edu/10.1080/14043858.2015.1046640

Perry, G. (2021, October 13). How much should data cost me? Databroker.com. Retrieved from https://www.data-broker.co.uk/insights/how-much-should-data-cost-me/

QoD: How much money is spent on the internet every 60 seconds? Ngpf.org. Retrieved from https://www.ngpf.org/blog/question-of-the-day/qod-how-much-money-is-spent-on-the-internet-every-60-seconds/

Sumaryanti, I., Kusuma, D. H., Widijastuti, R., & Muzaki, M. N. (2021). Improvement security in e-business systems using hybrid algorithm. Telkomnika, 19(5), 1535–1543. https://doi-org.proxy.lib.odu.edu/10.12928/TELKOMNIKA.v19i5.20403

The Facts Get Clued into the Cyber World Reality (2017). Retrieved from https://www.cisa.gov/be-cyber-smart/facts

Tunggal, A. (2023, April 18). The 70 Biggest Data Breaches of All Time [Updated April 2023]. Upguard.com. Retrieved from https://www.upguard.com/blog/biggest-data-breaches

Yang, R., Zheng, K., Wu, B., Li, D., Wang, Z., & Wang, X. (2022). Predicting User Susceptibility to Phishing Based on Multidimensional Features. Computational Intelligence & Neuroscience, 1–11. https://doi-org.proxy.lib.odu.edu/10.1155/2022/7058972