When you envision the impact of a cyberattack on your business, it becomes clear that including cybersecurity in your risk management plan is a necessity. The cyberthreat landscape has evolved to the point where a would-be hacker can easily get the tools needed to run a very profitable business preying on small and medium-sized companies. These companies are easy targets because they still think cyberattacks only happen to large corporations. Here are four questions to help you envision the impact of cybercrime on your business and start a discussion about what your company can do to mitigate the risks.
Will your business continue to operate after a cyberattack?
If you don’t want to be in the 60% of small and medium sized companies that go out of business within six months of a breach, you need to think about what your response will be at that moment when you learn that your data has been stolen, kidnapped or vandalized. How you regain control of your digital assets will depend largely upon the type of breach you experience, but you’ll certainly need a response that will bring the incident to a stop.
In the meantime, what will happen if your people cannot work and if they cannot communicate with customers because your whole network is down or inaccessible? Do you have another way to get to the key information you need to complete your daily transactions? Let’s say that you totally lost your data. Do you have a business continuity plan that details how you will use your backups to get back up and running? Do your people know how to work with a backup? Have you practiced this?
How will people be affected by a hacking incident?
At the very least, a cyberattack is going to be stressful for the people at your business. Depending upon what happened, they also could be fearful and worried. As you work to stop the incident and get operations up and running again, everyone will be under pressure to meet customer needs. They could also be worrying about their paychecks and concerned about the survivability of the company. If your HR records were compromised, they will worry that their identity might be stolen.
Then there’s your reputation. Will people want to work for you in the future? Will people stay on after the incident or will the scare be enough to lead them elsewhere? The reputation that you have with your customers will be scarred. If you have their product designs or any intellectual property that belongs to them, they are going to worry about the future security of their own company. Will there be some sort of next attack that will affect them because of their relationship to you? New customers will be harder to get if you have a reputation for having succumbed to a cyberattack. How can you be trusted? Are you even going to be in business long enough to fulfill their orders?
What are the legal or regulatory ramifications of a cyberattack?
The data that you gather and store has value to your business, your employees, your vendors, and certainly your customers. Depending upon how upset and fearful people are, you could get sued by the people who are involved. The client whose intellectual property was stolen could take action because loss of their proprietary information means a loss of their competitive edge. If your industry has strict regulatory compliance laws that you have to follow, such as ITAR, HIPAA or PCI, then there will be fines. You’ll come under intense scrutiny as your company, people and policies are studied to see if you failed to implement important protection measures, which ultimately led to the breach.
The legal fees that you will most likely not have to pay are those for prosecuting the criminal. The chances of bagging the bad actor (slang for cybercriminal) are very slim. It could be very difficult to actually trace all of the individuals involved in the crime because the cybercriminal marketplace allows people to buy and sell services that can be woven together to create a complex web of interactions that results in the crime.
What are the financial repercussions of a cyberattack?
You can put a dollar sign beside just about every effect discussed so far. Employee downtime accrues cost for the length of time you are down. You are going to have to spend money to deal with the incident, to bring it to a stop and get operations going again. Then what are you going to do differently so that it doesn’t happen again? You might have technical and non-technical strategies that you’ll need to put in place to strengthen your protection.
Those legal ramifications are going to cost money for representation and possible settlements. What if your loss of reputation causes you to lose customers or limits your ability to attract new customers in the future? If you can’t get the employees that you need, your ability to fulfill customer needs could affect profits, too. If you have to provide some sort of protection for individuals or clients after the breach, that will cost you something, and so will the improvements that you are going to make to your technical and non-technical security.
Protection and Resiliency
Asking yourself questions about how you would respond to a potential cyberattack doesn’t need to be just a depressing exercise. Use your answers to start a discussion at your company about how you can strengthen your risk management strategy with cybersecurity. An approach to security that includes technical and non-technical components will allow you to avoid hacking incidents and help you develop the ability to bounce back with resiliency if your company ever does become a victim.