83% of small and medium-sized businesses are not financially prepared to recover from a cyberattack.
For too long, cybersecurity has been considered an IT problem and assigned to the technology guy. However, as threats increase it’s not simply a “technical” issue, but one of strategy, culture, and teamwork. It requires business leaders to prioritize managing cyber risk within their company to protect their customers, employees, and their businesses.
The threat is accelerating, especially as the way we do business shifts through “digital transformation”. 63% of the global population is now online, and being “connected” has become an integral part of that transformation.
According to a report from Barracuda Networks, Small Businesses are “more likely … to be targets for an attack. SMBs are an attractive target for cybercriminals because collectively they have a substantial economic value and often lack security resources or expertise.”
61% of small to midsize businesses (SMBs) reported at least one cyberattack during the last 12 months.
Cybercrime is Easy.
Cybercrime has become simplified and streamlined. The barrier to entry is low: for as little as $10 a wannabe hacker can subscribe to simple cyber-attack tools, and for only a few hundred dollars a much more sophisticated one. This is what we are now calling “cybercrime-as-a-service”.
The risk of getting caught and prosecuted is low and the rewards are very high when the average ransom payment for organizations hit with ransomware is almost $234,000 paid in hard-to-trace cryptocurrency.
None of this is new, but the increasing and alarming rate at which the problem is growing has put it top of mind for leaders across the globe. Not surprisingly, our local community of small to medium-sized businesses has been hit hard as well. Unfortunately, victims of cyberattacks are hesitant to talk about it, and they certainly don’t put out press releases.
What is Cyber-resilience?
Cyber-resilience refers to an organization's ability to identify, contain, respond, and recover from a cyberattack. Building cyber-resilience assumes the business will at some point face a breach or an attack.
What has your organization done to mitigate the impact of a cyber event or cyber breach?
There need to be multiple layers, so that if one component is compromised, there is still a barrier. This means establishing continual controls and processes within the organization, not just from a technical standpoint, but from an operational and leadership standpoint on managing business risk. And it needs to be evaluated on a regular basis.
When considering your organization's cyber-resilience plan, keep the following controls in mind. Protect. Detect. Respond.
Lifecycle: strategy, design, operation, response, and improvement.
- Strategy: identify your security vulnerabilities and determine your risk based on your unique business.
- Design: technology, training, policies, and procedures.
- Operation: cybersecurity preparedness to protect, prevent and reduce business compromise. This includes continuous security monitoring to identify and remediate attacks.
- Response: restore critical business functions quickly after a breach.
- Improvement: review on a regular basis.
43% of SMBs do not have any cybersecurity plan in place.
Here are Six Items Organizations Should Prioritize to Implement Cyber-resilience.
1. Include Cybersecurity as a business priority for your organization.
Cyber-risk = business risk + financial risk and must be prioritized in strategic and operational decisions.
Any organization entrusted with customer data must take cybersecurity seriously. Not only are data breaches expensive, but they can also ruin an organization's reputation.
Implementing cybersecurity tools and techniques does come with added costs, but the cost of a successful cyberattack can be enough to put a small company out of business.
Every company, no matter its size, needs to take steps to tighten its cybersecurity posture in 2022. Invest in solid cybersecurity infrastructure, be prepared and create an incident response plan, train your team on security awareness, and get cyber insurance for your business.
2. Develop your cyber-resilient company culture.
There are three key factors to address when managing cyber risk: process, technology, and people.
According to Cybint, 95% of cybersecurity breaches are due to human error. Cybercriminals will take advantage of human error and vulnerabilities. One mistake by just one employee can put the security of your entire network at risk.
Utilizing security awareness training educates employees on what is considered risky, what clues to look for that indicate a threat, and how to respond.
In order to promote a cyber-resilient company culture, business leaders must set the tone. Open, regular communication about your company’s cyber strategy and best practices will foster a sense of ownership among employees.
Again, the importance of continuous training to raise awareness among employees about cyber-resilience concepts and best practices cannot be overstated.
3. Cyber Insurance is a must.
The threat of a cyber-attack is too high, and the consequences can be devastating. At this point, it's important for all businesses to have cyber insurance regardless of their size, industry, or IT needs.
If your business stores or processes sensitive information like names, addresses, social security numbers, medical records, or credit card information you need cyber insurance.
What’s interesting today is that cyber insurance companies are asking deep and intensive questions about security controls, and a lot of organizations are having to answer no. In turn, companies are questioning whether they have enough cybersecurity protection.
4. Understanding fines, penalties, and regulatory compliance.
Regulatory compliance is an organization's adherence to laws, regulations, guidelines and specifications related to and required for your industry.
In September 2022, the White House released new cybersecurity guidelines based on the Cybersecurity and Infrastructure Security Agency’s (CISA) recommendations and findings in May 2021. The White House’s statement mentions these guidelines will help ensure protection and enhance security of the software supply chain to government agencies as well as the Nation itself.
For Washington State, in 2020, the new data breach and notification laws reduced the deadline to notify consumers and the Attorney General’s Office of a data breach from 45 to 30 days and expanded the definition of “personal information”.
If a security breach affects more than 500 Washington residents, electronic notification must also be provided to the Attorney General's Office.
Attorney General Bob Ferguson’s sixth annual Data Breach Report showed that 2021 set a new record for the highest number of data breach notices sent to Washingtonians, 6.3 million, compared to 1.1 million in 2020.
Data breach protections give Washington one of the most robust data breach notification policies in the country.
An established cybersecurity program not only puts controls in place to prevent a cyber incident or breach, but also includes automated mechanisms that monitor the organization's networks, systems, services, and users and notify it when something bad or unintended is happening. This is part of the technology factor mentioned earlier.
Have you considered outsourcing to a Managed Security Service Provider? An experienced and knowledgeable helping hand with ongoing security and compliance expertise can give you confidence that your business is less vulnerable to internal and external risks.
Teknologize is a SOC 2 certified, Professional Technology Services company with clients throughout the Pacific Northwest. We have offices located in:
Tri-Cities, Washington 509.396.6640
Yakima, Washington 509.396.6640
Bend, Oregon 541.848.6072
Questions about your IT or Cybersecurity? Give us a call today!