83% of small and medium-sized businesses are not financially prepared to recover from a cyberattack.

 

For too long, cybersecurity has been treated as an IT problem and handed to the technology guy. However, as threats increase, it is no longer simply a “technical” issue but one of strategy, culture, and teamwork. It requires business leaders to make managing cyber risk a priority in order to protect their customers, their employees, and the business itself.

 

The threat is accelerating as more of how we do business moves online, the so-called “digital transformation”. Roughly 63% of the global population is now online, and being “connected” has become an integral part of how businesses operate.

 

According to a report from Barracuda Networks, small businesses are “more likely … to be targets for an attack. SMBs are an attractive target for cybercriminals because collectively they have a substantial economic value and often lack security resources or expertise.”

 


 

61% of small to midsize businesses (SMBs) reported at least one cyberattack during the last 12 months.

 


 

Cybercrime is Easy.

 

Cybercrime has become simplified and streamlined. The barrier to entry is low: for as little as $10 a would-be hacker can subscribe to simple attack tools, and for only a few hundred dollars a far more sophisticated one. This is what is now called “cybercrime-as-a-service”.

 

The risk of being caught and prosecuted is low, and the rewards are high: the average ransom payment for organizations hit with ransomware is almost $234,000, paid in hard-to-trace cryptocurrency.

 

None of this is new, but the alarming rate at which the problem is growing has put it top of mind for leaders across the globe. Not surprisingly, our local community of small to medium-sized businesses has been hit hard as well. Unfortunately, victims of cyberattacks are hesitant to talk about it, and they certainly don’t put out press releases.

 

 

What is Cyber-resilience?

 

Cyber-resilience refers to an organization's ability to identify, contain, respond to, and recover from a cyberattack. Building cyber-resilience assumes the business will, at some point, face a breach or an attack.

 

What has your organization done to mitigate the impact of a cyber event or cyber breach? 

 

Defenses need multiple layers, so that if one control is compromised, another still stands in the way. This means establishing ongoing controls and processes within the organization, not just from a technical standpoint but from an operational and leadership standpoint, as a matter of managing business risk. And those controls need to be evaluated on a regular basis.

 

When considering your organization's cyber-resilience plan, keep three functions in mind: Protect. Detect. Respond.

 

Lifecycle: strategy, design, operation, response, and improvement.

  • Strategy: identify your security vulnerabilities and determine your risk based on your unique business.
  • Design: technology, training, policies, and procedures.
  • Operation: day-to-day security operations to protect the business and prevent or reduce compromise, including continuous monitoring to identify and remediate attacks.
  • Response: restore critical business functions quickly after a breach.
  • Improvement: review the program on a regular basis and adjust it as the business and the threats change.

 


 

43% of SMBs do not have any cybersecurity plan in place.

 


 


 

Here are Six Items Organizations Should Prioritize to Implement Cyber-resilience.

 

 

1. Include Cybersecurity as a business priority for your organization.

Cyber risk is business risk and financial risk, and it must be weighed in strategic and operational decisions.

  

Any organization entrusted with customer data must take cybersecurity seriously. Not only are data breaches expensive, but they can also ruin an organization's reputation.

 

Implementing cybersecurity tools and techniques does come with added costs, but the cost of a successful cyberattack can be enough to put a small company out of business.

 

Every company, no matter its size, needs to take steps to tighten its cybersecurity posture in 2022.  Invest in solid cybersecurity infrastructure, be prepared and create an incident response plan, train your team on security awareness, and get cyber insurance for your business.

 

 

2. Develop your cyber-resilient company culture.

There are three key factors to address when managing cyber risk: process, technology, and people.

 

According to Cybint, 95% of cybersecurity breaches are due to human error. Cybercriminals take advantage of human error and vulnerabilities, and one mistake by a single employee can put the security of your entire network at risk.

 

Security awareness training teaches employees what counts as risky behavior, which clues indicate a threat, and how to respond.

 

In order to promote a cyber-resilient company culture, business leaders must set the tone. Open, regular communication about your company’s cyber strategy and best practices will foster a sense of ownership among employees. 

 

Again, the importance of continuous training to raise awareness among employees about cyber-resilience concepts and best practices cannot be overstated. 

 

 

3. Cyber Insurance is a must.

The threat of a cyber-attack is too high, and the consequences can be devastating. At this point, it's important for all businesses to have cyber insurance regardless of their size, industry, or IT needs.

 

If your business stores or processes sensitive information such as names, addresses, Social Security numbers, medical records, or credit card information, you need cyber insurance.

 

What is notable today is that cyber insurers are asking detailed, probing questions about an applicant's security controls, and many organizations find they have to answer “no.” That, in turn, leads those companies to question whether they have enough cybersecurity protection.

 

 

4. Understanding fines, penalties, and regulatory compliance.

Regulatory compliance is an organization's adherence to the laws, regulations, guidelines, and specifications that apply to its industry.

 

In September 2022, the White House released new cybersecurity guidelines based on the Cybersecurity and Infrastructure Security Agency’s (CISA) recommendations and findings from May 2021. The White House’s statement says these guidelines are intended to enhance the security of the software supply chain for government agencies and for the Nation itself.

 

For Washington State, in 2020, the new data breach and notification laws reduced the deadline to notify consumers and the Attorney General’s Office of a data breach from 45 to 30 days and expanded the definition of “personal information”.

 

If a security breach affects more than 500 Washington residents, electronic notification must also be provided to the Attorney General's Office.

 

Attorney General Bob Ferguson’s sixth annual Data Breach Report showed that 2021 set a new record for the number of data breach notices sent to Washingtonians: 6.3 million, compared to 1.1 million in 2020.

 

Data breach protections give Washington one of the most robust data breach notification policies in the country.

 

 

5. Build your cybersecurity workforce by partnering with a Managed Security Service Provider (MSSP).

According to the (ISC)² 2021 Cybersecurity Workforce Study, there is a serious shortage of cybersecurity talent globally. When asked whether their organization had the skills needed to respond to and recover from a cyberattack, half of the respondents in the World Economic Forum’s Global Cybersecurity Outlook 2022 said they would find it challenging to respond because of the shortage of skills within their team.

 

An established cybersecurity program not only puts controls in place to prevent an incident or breach, but also includes automated mechanisms that monitor the organization's networks, systems, services, and users and raise an alert when something bad or unintended is happening. This is part of the technology factor mentioned earlier.

 

Have you considered outsourcing to a Managed Security Service Provider? An experienced partner with ongoing security and compliance expertise can go a long way toward reducing your exposure to the internal and external risks facing your business.

 

 

6. Community Collaboration.

More openness would help everyone: it educates and informs, builds understanding of the business risk associated with a cyberattack, and lets organizations share the lessons they have learned.

 

Many ransomware incidents are simply kept under wraps, so it's hard to get a good picture of what's really happening in the world, the US, and our local community. The lack of transparency about ransomware attacks and other cyber incidents is damaging to everyone. 

 

Those business leaders that choose to speak up, do so to help prevent others from becoming the next victim by detailing the lessons they learned around strengthening cyber defenses to prevent future incidents. 

 

Lessons such as applying security patches on time, requiring multi-factor authentication (MFA) for users, and maintaining regular backups point to gaps that other organizations can use to evaluate and improve their own cybersecurity stance.

 


 

Many small business owners in America worry little about cyber security. For example, 56% weren’t concerned about becoming a data breach victim in 2022, and 24% of them said they were “not concerned at all.”

 


 
Develop your Cyber-resilience.

 

This problem isn’t going away and is in fact getting worse.

 

Leaders must understand that cybersecurity is a business issue, not just for IT to tackle.

 

What can you do as a business owner? The answer is that there are many simple and effective things you can do to reduce risk, but cybersecurity needs to be led from the top and the mindset needs to shift among business owners and executives.

 

The reality is that it’s not “if” but “when” a cyberattack happens. The focus needs to not only be on stopping attacks but on building cyber-resilience for when something does happen.

 

What have you done to mitigate the operational and financial risks? And when something does happen, how quickly can you recover?

 


 

 

Teknologize is a SOC 2 certified, Professional Technology Services company with clients throughout the Pacific Northwest. We have offices located in:

  • Tri-Cities, Washington 509.396.6640

  • Yakima, Washington 509.396.6640

  • Bend, Oregon 541.848.6072

Questions about your IT or Cybersecurity? Give us a call today!

 
