After numerous conversations with C-suite executives about assessing their company’s cybersecurity posture, I am no longer surprised by the quick response delegating this conversation to the IT Department. While recent studies indicate Cyber Risk is gaining equal footing as a business’ traditional exposures to loss, there appears to still be a disconnect with many organizations lacking awareness about the serious nature of Cyber Risk and how to execute a comprehensive cybersecurity program.
The ubiquitous use and reliance on technology permeates every business. Yet, corporate structures and decision-making processes remain in a siloed and unintegrated past, where each department makes decisions independently that is today a corporate fact of life. The risk management discipline that CEOs have relied upon to deal with brick-and-mortar risks has not yet been systematically applied to digital risks.
As hackers recognize that good things come in small packages, and as large enterprises improve their information security, these thieves are increasingly targeting small- and medium-sized businesses (SMB). Limited resources, budgets and staffing make these businesses easy targets for cybercriminals, who are adept at finding their way around security roadblocks, requiring every business to constantly be alert.
To further complicate matters, the rapid and unexpected transition to Work-from-Home, caused by COVID-19, has put SMBs more at risk for data breaches, which are costly to any organization, even in the best of times. Remote employees who are not used to working from home may not have adequate security, while employers lack the capability to effectively manage the increase in endpoints. This all adds up to new access points for hackers to gain network entry, and implant malware to demand ransom or steal data.
Consider these alarming statistics:
- 43% percent of cyberattacks target small businesses
- Only 14% of small businesses consider their cyber defenses to be highly effective
- The average SMB data breach costs $86,500 in recovery costs
- 60% of small companies fail within six months of a breach
SMBs face life-threatening reputational, financial and operational risks should a breach occur. Additionally, on January 1, 2020 the California Cyber Protection Act (CCPA) became effective. CCPA created the nation’s most far-reaching data privacy law, enabling California residents to have more control over their personal information. The regulations include certain provisions and penalties for any breach of that information. Now is a crucial time to concentrate on creating an effective cybersecurity strategy that maximizes protection and minimizes risk.
Several different scenarios can open the door to data theft. Its impact usually extends well beyond the business itself to customers, vendors and others. For SMBs, the top security concerns are:
- Targeted phishing attacks against employees or vendors
- Identity theft
- Financial access
- Advanced persistent threats
- Denial-of-service attacks
- The proliferation of employees permitted to use their own mobile devices
Cyber security is not just an IT problem, but a business problem, with mission critical systems at stake Corporations need to fully understand the financial impacts of insufficient cybersecurity. In addition, they need to enact management systems, as guided by the CEO or Board of Directors that bring together all the necessary executives to address cybersecurity issues on an enterprise level. The core competencies necessary for an IT professional to operate a network are a completely different set of skills needed to ensure site security. Also, IT lacks the organizational authority to run a cybersecurity program. IT professionals have operational and technical responsibilities, but to run a competent cybersecurity program requires outside support to attain first-amongst-peer position.
The quality of our questions determines the quality of the answers. With this context, here are five questions CEOs should ask about the company’s cyber risks.
- How is our executive leadership informed about and engaged with the current level and business impact of Cyber Risks to our company?
- What is the current level and business impact of Cyber Risks to our company? What is our plan to address identified risks?
- How does our Cybersecurity program apply industry standards and best practices?
- How many and what types of cyber incidents do we detect in a normal week? What is the threshold for notifying our executive leadership?
- How comprehensive is our cyber incident response plan? How often is it tested?
- How well is our company protected by insurance in the event of a successful breach of our systems?
For an enterprise to successfully protect the myriad collection of digital information there must be a high level of cybersecurity in place. Here are six steps to help build a robust platform.
1. Assess your vulnerability to a cyberattack. Retain a firm that specializes in cybersecurity and knows how to spot network, infrastructure and other related exposures. While almost all SMBs have an information technology professional or several onboard, they don’t necessarily understand how to conduct a true security audit and deal with the weaknesses identified. Your insurance broker should help identify local cybersecurity professionals. The audit should examine entry points into your system — workstations, communications and mobile devices, the internet and cameras — and assess the threat of a breach from emails, passwords, client lists, data logs and backups, among others. Be sure to judge the vulnerability of the access you give to customers and vendors.
2. Identify and protect sensitive personal information. Find out where sensitive personal information is stored and how it is accessed, used and transmitted. Determine all the risks that could lead to a breach of confidential and sensitive information. This should include the SMB’s banking, financial and other personal data, as well as the invaluable private information about employees, customers, vendors and others within your system. Develop data protection policies that apply to all servers, networks and endpoints. Review and update them regularly and conduct regular tests and audits to ensure security controls are performing as intended.
3. Establish a secure backup system. An enterprise-level cloud system can prove a good, secure standby. But it must deliver protections in particular for its platform, the data processes, access control, authentication and encryption.
4. Use security safeguards that mitigate risks. Reduce the transfer of sensitive data by banning or severely limiting its shift from one device to another external device. This can include restricting download of private and personal information from those devices cybercriminals often favor, limiting who has access to sensitive data, and forbidding any unencrypted device as they are susceptible to attack. Set strong password requirements that ensure hard-to-crack passwords and change them from time to time. Two-factor authentication helps mitigate risk since an attacker must get past more than a password. When disposing of data storage equipment, including computers, delete all the files and folders so that information can’t be retrieved.
5. Provide security training. Require employees to take privacy and security training that include the threat of cyberattacks. Provide such training to others, including clients and those responsible for data-related activities. It is vital that employees especially understand the importance of data privacy and security and the costly consequences of a data breach. Security training is increasingly critical because personal data privacy laws like GDPR in Europe, the California Consumer Privacy Act, New York and elsewhere apply to SMBs everywhere who collect personal data about customers and clients. They should include the common causes of data breaches, including phishing attacks and malware, and how to spot them. The training modules should be available on an SMB’s intranet and HR should remind employees frequently about any new or updated tutorials. In addition, the CEO should communicate the importance of cybersecurity training and their commitment to providing it. It is recommended to update training annually.
6. Consider obtaining cyber insurance. It has been available for many years, but still is emerging as companies, including SMBs, recognize cyberattacks are growing commonplace. Also, large enterprises are increasingly mandating cyber insurance for small business. By one estimate, nearly 30% of SMBs bought such insurance for contract compliance reasons. With a dozen different coverages available, SMBs can contact their insurance broker to find what options are most appropriate
, and understand the pros and cons of each to make an informed decision. Programs are available to help identify the type of cyber risk a to which a firm is exposed, what the cost would be should a breach occur and the recommended amount of coverage.
To delve deeper, the American National Standards Institute (ANSI) outlines 50 questions to guide organizations through their cyber awareness process. These include determining financial impact, re-evaluating technical resources, predicting future vulnerabilities, business continuity plans, testing, remote access, vendor access, physical security, employee training, stakeholder communication, and disposing of old data /documents. 50 Cyber Questions Every CEO Should Ask
With data breaches making daily headlines and security fears rising about a possible contagious global malware, or so-called Bashe attack, more SMBs recognize the necessity of a secure and protected data network and system. They especially grasp that a serious cyberattack could ruin their reputation, revenues and very existence.
Remember, an attacker doesn’t have to be good every time, they just need to be successful once! We believe the best defense against this is a good offense.