Cybersecurity key takeaways and action steps companies can leverage from this article
- Define your cyber risk strategy so resources are properly allocated.
- Work with cybersecurity professionals to ensure you have procedures in place which mitigate the risks as much as possible.
- Have an established incident response plan and practice it through tabletop exercises.
- Understand your compliance and reporting requirements to contain indirect loss.
A recent New York Times report found that 205,000 companies experienced ransomware attacks in 2019, up 41% from 2018, with the average cost per company reaching up to $191,000 per attack (Coveware, NY Times, et al., 2019).
With evolving threats it is nearly impossible to know what is coming; no system can ever be 100% secure, and nearly 1 million new malware threats are reported per day (Harrison and Pagliery, CNN, 2015).
With the sheer number of threats, working with a cybersecurity company can help you reduce some of the risks and be informed rather than at the mercy of a potential cyber-attack. Working with a cybersecurity consultant can bring clarity to these concerns and open your eyes to variables that the leadership team had not previously considered.
Manufacturers who staff an internal IT department also benefit from the Strategy and Security Assessment process, which focuses limited resources and minimizes cyber risk. No system is 100% secure, but knowing your probable threats and remediating with purpose needs to be a part of every plan.
Planning for cyber risk starts with the leadership team. If the executive team lacks an advocate and does not devote resources to security strategy, that is a strong indicator that cybersecurity is not a priority. Cyber risk then accumulates as an IT issue that is misunderstood and unfunded. To be uninformed about cyber risk is to be at the mercy of others, such as hackers and greedy outsourced IT providers.
A key driver in this planning process is knowing the business impact of downtime. Some businesses can be down for a week or two with minimal revenue and reputational impact. There are also businesses where a few hours of partial downtime can be worth millions of direct losses.
Cyber hygiene is imperative to mitigate probable threats, especially now, when digital transformation is becoming so important to company strategies.
Key themes that emerge when businesses start thinking about cybersecurity
Due diligence involves asking the right questions: what is important to your business operations? How does downtime impact revenue? What do you have to protect? How do you actively monitor for threats, and if you are not already doing so, what action steps can be taken to help protect your business?
Once needs are correctly articulated and identified, the investment into IT infrastructure needs to be addressed. From software updates, security and encryption to data backup and recovery, a thorough assessment of the existing infrastructure needs to be developed and its vulnerabilities identified.
When the gaps or vulnerabilities within the organization's infrastructure are identified, decisions must be made on how to address them. By this stage, it is anticipated that your business is already working with a cybersecurity company to help roll out solutions such as two-factor authentication, endpoint detection, etc.
In addition, and beyond the scope of technical requirements, are safety measures such as cyber insurance. Cyber insurance can cover expensive liability and recovery costs; this can include, but is not limited to, legal fees, lost business, repairing damaged systems and recovering compromised data.
Compliance is not necessarily the final step, as it persists throughout the process from due diligence to implementation. Internally, the culture of the organization is affected by staff having to learn new protocols for working with and managing their data; different levels of the organization might also have different permissions, based on the information they can or cannot access.
Externally, the business needs to think about how the changes impact its clients. Does the client need to be informed? Is the client a corporation or federal entity with its own compliance requirements, and how do the changes you are implementing adhere to the standards of the companies you work for or with?
The key to a response plan in the case of a data breach is to make sure you have one and you’ve trained on it. By being prepared, the organization will be ready to respond immediately. In any kind of data breach, malware, or business email compromise situation, there are a lot of moving parts.
A key component of being prepared is having a cyber security incident response team (CSIRT) in place. With the growing number and increasing sophistication of cyber threats, the FBI warns that it isn't a matter of "if", but a matter of "when." A CSIRT is essentially your cyber SWAT team: a cross-functional team that bands together to respond to security incidents. Its members include cyber experts and representatives from technical, finance, legal, risk, HR, crisis communications and other functions. Some members may be full-time, while others are only called in as needed. The comprehensive response provided by an incident response team reaches beyond the technical actions taken to remediate an incident. It includes recommending changes to systems or organizational practices to protect against future incidents, as well as non-technical responsibilities such as managing internal communications, status reporting, assisting counsel, and handling personnel issues in the event an incident resulted from insider actions. Remember, the FBI is an ally and should be called in early. In a business email compromise situation, the FBI may be able to claw back money through the banking system if it is called in within 24-48 hours.
Easy steps to remember in case of an attack:
- Develop an incident response plan and be prepared for cyber-threats, designate team members, and assign their roles to carry out the plan and contain the incident quickly.
- Capture information about the attack and inform the appropriate authorities, law enforcement agencies etc.
- Shut down critical equipment to prevent further contamination and eradicate the incident on affected equipment as quickly as possible, working with cybersecurity professionals.
- Restore your data once the threat has been contained or eliminated.
One of the most important things to consider is how comfortable your leadership team and board is with “Not knowing what you don’t know.” This is where most of the danger lies in wait.
Lack of understanding is pain and the unknown is a recurring struggle. The unknown could be giving your capital away to attackers who haven’t earned it. Realize you have the freedom of choice. A growing number of horror stories depict victims who lost their businesses through negligence and suffered the consequences by ignoring their cybersecurity exposure.
The threats are real and increasing in sophistication daily. It is not a matter of "IF" you will experience an event but "WHEN." Depending upon the size of your operation, the investment does not need to be six figures to get started. You need to understand your probable threats and focus resources on the mitigation efforts you are willing to commit to.
At least have the basics. Given the growing complexity and frequency of cyber threats, practicing basic cyber hygiene will help prevent a breach, or minimize its impact when it happens.