By Ajay Unni, Founder and Chief Executive Officer of Stickman
Cybersecurity is a concern for businesses of any size, but it’s especially pressing for smaller companies.
That’s because they tend to be more vulnerable than larger enterprises. They often lack the resources and manpower to fully protect themselves from a sophisticated attack, which can make them very appealing targets.
In fact, Small Business Trends reports that smaller businesses encounter nearly half (43 percent) of all cyber-attacks. What’s scary is the damage that can stem from an attack. Many companies never recover, and 60 percent of SMBs end up going out of business within six months.
Protecting your business through effective cyber security processes can literally mean the difference between averting disaster or being so crippled by it that you have to close your doors.
One area where many organizations go wrong is taking a reactive approach to security rather than a proactive one. They often end up waiting until something happens and responding to it rather than taking effective measures to heighten cyber security ahead of time.
This obviously isn’t ideal, but could it put you out of business?
Some Unsettling Statistics
Small Business Trends provides some additional data that puts perspective on the current state of cybersecurity attacks.
Studies have found that 55 percent of SMBs dealt with a cyber-attack between May 2015 and May 2016. They also found that 50 percent experienced data breaches that compromised customer and employee data during that same period.
So in theory, at least half of all SMBs will suffer from some type of cyber-attack during any given year. In terms of specific attacks, these were the most common:
- Web-based attack (49 percent)
- Phishing/social engineering (43 percent)
- General malware (35 percent)
- SQL injection (26 percent)
- Compromised/stolen devices (25 percent)
- Denial of service (21 percent)
In terms of costs, the affected enterprises ended up spending an average of $879,582 to cover the expenses of damage or theft to their IT assets. On top of this, there’s the issue of disruption to operations, which resulted in an additional $955,429.
Add this together and it amounts to more than $1.83 million. With such exorbitant costs, it’s easy to see why 60 percent of all SMBs inevitably go out of business. Often a single cyber-attack is a deathblow from which they never recover.
Operating in the Danger Zone
Here’s the problem. Even though most companies are at least somewhat aware of the growing threat of cyber-attacks, not much is being done about it.
President and Co-founder of CSID, Joe Ross, explains that 58 percent of companies have expressed concern, but a staggering 51 percent have failed to allocate any budget to mitigating cybersecurity risks.
He also reports that only:
- 38 percent of small businesses regularly upgrade their software solutions
- 31 percent monitor business credit reports
- 22 percent encrypt databases
This disconnect creates a tremendous amount of risk where it’s not a matter of if but when a crisis occurs. Way too many organizations are ill-prepared for the increasing number of cyber-attacks that are happening each and every day.
The FBI even listed the number of ransomware attacks to be 4,000 per day in 2016 – a 300 percent increase from the 1,000 in 2015. If this trend continues, countless businesses will experience the backlash.
The Consequences of a Reactive Approach
There are a variety of reasons why companies are reluctant to invest time and resources into cybersecurity. It could be a limited budget, a lack of knowledge, a false sense of security or a combination of these factors.
Some companies even operate under the assumption that these types of things happen to other businesses, but it won’t happen to them. Regardless of the reasoning, a reactive approach is a recipe for disaster.
One scenario could involve your organization becoming the victim of ransomware where an attacker hijacks your data and demands compensation for it. Without paying up, your operations come to a screeching halt, and your revenue plummets overnight.
Another would be having sensitive customer or employee information fall into the wrong hands. This can lead to everything from identity theft to corporate espionage. Even basic information, like email addresses, phone numbers, and billing addresses, can be of significant value to cybercriminals and open a can of worms.
You also have to consider the level of disruption that comes along with an attack. Not only does downtime cost your business serious money, but it can also tarnish your brand reputation, and many customers may end up turning to competitors. Hardly anyone wants to risk their own security and privacy by doing business with a company with inadequate security protocols.
It’s a bad deal all around. If your organization isn’t taking proper cybersecurity measures, it’s something you’ll want to address right away. You’ll want to make the transition from being reactive to proactive.
Taking Steps Toward Becoming Proactive
It’s clear that the threats modern businesses face are very real. But what can they do in order to mitigate their risks?
It all starts with a mental shift where there’s a genuine commitment to enhancing cyber security. This is integral to creating a security-minded culture and lays the groundwork for a real transformation to begin.
Our philosophy is based on cybersecurity by design rather than chance. As cybercriminals continue to become more sophisticated and advanced with their attacks, it requires diligence and perseverance to stay ahead.
You need a comprehensive plan that covers all of the core areas and enables you to get your cybersecurity to where it needs to be. This involves a five-step process:
- Define
- Plan
- Execute
- Report
- Monitor
Defining involves examining where your company currently stands in terms of cyber attack prevention and determining where you need to be and what your target profile looks like.
Planning is where you develop and implement a plan that will ultimately enable you to attain your cybersecurity target profile. It’s where you must devise realistic and actionable steps to take.
Execution revolves around the implementation of the plan that’s based on a specific timeline while taking resources and budget into account.
These first three steps are what allow you to initially ramp up your cyber security. They help catalyze the transformation and get security to where it needs to be.
At that point, reporting and monitoring are what allow you to assess and track the results and continually fine-tune your security practices. This provides consistent protection even as threats evolve and advance over time.
Performing Penetration Testing
One of the most effective ways to protect your data assets is to identify potential vulnerabilities before attackers have the chance to. Penetration testing is a means of accomplishing this and involves a comprehensive assessment of your web app, mobile app, network and so on.
By pinpointing weaknesses, you can come up with viable solutions to drastically reduce the attack surface. In turn, you can ensure that your company remains ahead of cyber attackers, which will give you greater peace of mind.
Developing a Business Continuity Plan
A business continuity plan is based upon devising a strategy and creating a plan of action in the event of a disaster. If your enterprise is in fact hit with a serious attack, you will have a sequence of steps in place to minimize the damage and get operations back to normal in the shortest amount of time possible.
In turn, there should be minimal disruption and less frustration for your customers. Some specific steps that your company might want to take include:
- Identifying potential cyber security disaster scenarios
- Determining the series of steps that must be taken to restore IT
- Educating employees on proper protocol and behaviour
- Organizing recovery teams (e.g. who’s responsible for what?)
- Having a failover database server in place in case your primary server goes down
It’s also smart to periodically have “test drills” where you assess the effectiveness of your business continuity plan. This increases your efficiency should you have to use it.
Making the Transition
The ISACA’s 2015 Global Cybersecurity Status Report found that only 38 percent of organizations were prepared for a sophisticated cyber attack. A lack of planning and preparation could prove disastrous or even fatal for many SMBs.
Research has proven that a reactive approach can be incredibly costly, and even a single attack puts more than half of all companies out of business. As attacks become more and more prevalent, the threat level will only continue to rise.
Fortunately, there are numerous ways to protect your organization, and it all starts with making the shift to taking a proactive approach.
Being on the offense arms your company with the tools it needs to combat the omnipresent threat of cyberattacks and gives you a much greater level of control. In the long run, this can mean the difference between avoiding/withstanding attacks or being ruined by them.
How comfortable are you with your company’s current cyber security, and are there any specific areas you need to improve upon?
About the Author
Ajay Unni is the Founder and Chief Executive Officer of Stickman. Ajay specializes in helping customers manage the growing threat of data breaches and compliance with globally accepted industry standards for data security and compliance. Ajay can be reached online on Twitter: https://twitter.com/ajayunni, LinkedIn: https://www.linkedin.com/in/ajayunni/ and via his company website: https://www.stickman.com.au