Gone are the days when old-fashioned competition between companies was the biggest threat facing organizations; today, cyberattacks pose one of the most formidable challenges any business will encounter. For proof, you need look no further than news headlines, which are routinely peppered with reports of massive data breaches and cyber hacks at some of the country’s largest corporations.
Leading the way is Yahoo (known now as Altaba), which continues to pay fines and settle claims stemming from its August 2013 hack. In that case, cybercriminals stole names, email addresses, and passwords for 3 billion Yahoo customers.
The Marriott Hotels Group breach of late 2018 impacted far fewer people (500 million), but hackers were able to attain names, addresses, credit card numbers, and phones numbers and, in some cases, passport numbers, travel locations, and arrival and departure dates. In 2017, a cyberattack on Equifax compromised the personal information (Social Security numbers, birth dates, addresses, and in some cases drivers’ license numbers) of approximately 143 million customers, more than 200,000 of which had their credit card data exposed.
While security breaches on this scale garner most of the media’s attention, the threat of attacks on smaller companies is no less real—and far more prevalent. According to the Ponemon Institute’s 2017 State of Cybersecurity in Small & Medium-sized Businesses report, the percentage of small businesses that experienced a cyberattack increased from 55 percent in 2016 to 61 percent in 2017. What’s more, cyberattacks cost small- and medium-sized businesses an average of $2.2 million.
The effects of a security compromise can be particularly devastating to small companies, with the average cost ranging between $84,000 and $148,000. Worse still, 60 percent of impacted organizations go out of business within six months of an attack.
Those figures will likely increase. Cybercriminals are constantly finding new ways to infiltrate networks and information systems, and they’re discovering the path of least resistance is typically through smaller companies. It should come as little surprise, given the fact that many small- and mid-size businesses lack the resources to invest in adequate cybersecurity protection. Even those organizations that do have the means to address vulnerabilities often don’t understand where, why, or how to focus their efforts.
Considering the stakes and the impact that even a single cyberattack can have, the need for innovative solutions that mitigate risks has never been greater. That’s why, at a minimum, you should follow the steps outlined below to improve your chances of avoiding an attack or reduce the impact to your business should you be compromised:
Assess your overall cybersecurity posture
Before you can develop a plan to protect your business, you need to understand your company’s critical assets and current risks associated with cyberattacks, data breaches, and other threats. Cyber program assessments, incident response plan reviews, and internal and external technology vulnerability assessments are a few ways to identify areas of strengths and weakness.
Develop a plan
Once you have a better understanding of your critical assets and areas of greatest risk, you can prioritize where and in what manner to invest within your organization. The plan should include processes, procedures, and best practices to reduce threats and ensure client data, company information, intellectual property, and key applications are protected. It should also provide strategies to limit disruptions and speed recovery if and when a cyberattack occurs
Developing and maintaining a cyber risk management program is only part of the effort needed to protect your company from potential data breaches; you must also ensure your systems and processes comply with an increasingly stringent set of regulations and security requirements. Failing to comply with regulations can result in significant fines and other penalties.
Quite often, employees are the weakest security links within an organization. That’s why it’s essential they understand the threat posed by cyberattacks and data breaches, and are equipped to help protect the company. This starts with training all team members to avoid emailed or online links that are suspicious or from unknown sources. These links can release malicious software, infect computers, and steal company data. Being able to recognize common social engineering risks is the first line of defense
Protecting your business from cyber threats doesn’t end once you’ve developed and implemented a plan; it requires an ongoing commitment to protecting your data as well as your clients’ information. You must continually assess risks, make plans for mitigating them, implement solutions, monitor to ensure they work as expected, and use that information as feedback for your next assessment phase. Jimmy Buddenberg is director of the Risk Advisory and Cybersecurity practice for Elliott Davis LLC. He can be reached at firstname.lastname@example.org