No business owner or CEO wants to see their company name in the next cybercrime headline, and if you are like many executives, you may have thought that the topic of cybersecurity should be confined to IT. But these days, managing the risk of cybercrime is integral to managing overall business risk, so the discussion about cybersecurity needs to include all levels of management, all departments and all employees, and here’s why:
Cybercrime is Easy, and Your Business is a Target
Enterprise-level corporations aren’t the only targets for cybercriminals. Small and medium-sized businesses are at risk for cybercrime more than ever before. Attacks have increased both in volume and severity. Chances are good that you know of at least one, and maybe more than one, company that has been the victim of a cybercrime, and you probably didn’t read about it in the news. Most companies that encounter a breach do not report it but try to take care of it quietly so that as few people know about it as possible. Despite that, cybercrime is in the news just about every day.
Why Cybercrime is So Prevalent
To understand the need for the security conversation at all levels of business, it’s important to understand why cybercrime has become so prevalent. Just as businesses have taken advantage of new technologies to run processes and create efficiencies, so have the bad actors (slang in the security industry for hackers or cybercriminals).
SaaS (Software as a Service) has made it easier for businesses to get specialized applications without having to build servers or go through months of setup time. Infrastructure as a Service (IaaS) makes it easy to rent servers and data storage space. Cybercriminals are also taking advantage of the same efficiencies, and Cybercrime as a Service (CaaS) now makes it easy for just about anyone to become a bad actor. You don’t even need to have much money. In fact, $20 will get you started and you can buy a subscription service by the month. The result is that cybercrime is easy and every company is a potential target.
The Impact of Cybercrime is Devastating
The results of a cyberattack are very damaging, so damaging that 60% of small companies go out of business within six months of a data breach (The US National Cybersecurity Alliance). Companies experience:
- Business downtime
- Lost productivity
- Loss of company assets (product designs, customer records, company strategies, employee information, money)
- Costs to clean up the breach
- Damage to reputation
- Litigation and legal fees
The Multilayered Approach to Security
Every effective approach to cybersecurity has to have strong technical layers such as firewalls, anti-virus, spam filters, and intrusion detection systems. Security systems need to take into account the locations where data is stored and used, whether on-premises or in the cloud, and how data is accessed. Mobile devices and smart controls on equipment and machinery that are connected via the internet pose special issues for cybersecurity and, when not protected, can inadvertently provide access to company systems and information.
Backups and Recovery for “When” Not “If”
Read a few articles on cybersecurity and you’ll soon see that many experts don’t talk about “if” a hack will happen but “when” it will happen. Having sufficient backup and recovery procedures in place allows companies to minimize damage and to get back up and running quickly if and when evolving hacker tactics penetrate defenses.
The People Layer of Cybersecurity
Training employees how to recognize and respond to potential threats is just as important as a strong technical defense. Consistent, predictable behaviors can be molded with company policies that determine the desired behavior; procedures that provide guidelines for how to comply with the policy; and training on both of these elements.
A good place to start is to see what is already in your employee handbook. Chances are that you already have some elements, but you just aren’t enforcing them.
Cybersecurity Awareness Training is a Must
The tactics that the bad actors use rely heavily on manipulating people to get them to do something that opens the door to the company network. Whether through a phishing email or a fraudulent telephone call, hackers know that it’s easy to bypass a network firewall if you can get a user name and a password. Cybersecurity Awareness Training teaches people how to identify the tactics the bad actors use so that they don’t inadvertently turn an error or omission into a company disaster.