Sam Card, CEO of Cards Technology, explains why cybersecurity is a key business expense.
In today’s computerized world, new risks emerge every hour of every day. Just connecting to the Internet opens up the possibility of a hacker targeting your organization. Cybercrime is becoming big business, and the associated risks should be the focus of every organization and government. Monetary and reputational risks are high if organizations don’t have an appropriate cybersecurity plan that includes preparation, maintenance, and recovery.
Cybersecurity is making sure your organization’s data is safe from attacks from both internal and external parties. It can encompass a body of technologies, processes, structures, and practices used to protect networks, computers, programs, and data from unauthorized access or damage. The goal of any cybersecurity strategy is to ensure confidentiality, data integrity, and availability.
The reality of the situation for any business owner is that the cost of a cyberattack on their organization could be astronomical. For example, the cost for a small or medium-sized business averages nearly $200,000 per data breach. Meanwhile, according to the latest Cost of a Data Breach Report by IBM, the global average expense (including large businesses and enterprises) associated with a breach is $4.24 million. In addition to the costs, it has been found that it takes IT teams an average of nearly 9 months, or 280 days, to identify and contain a breach. In that time a cybercriminal can cause a significant amount of damage, from gaining access to multiple devices within the organization and accessing a mass of critical business data to hacking into employee and client files and financial accounts.
The trailing costs of a data breach can last for years and include IT charges, legal expenses, and regulatory fines, not to mention the immeasurable sales and opportunity losses. In fact, in the first year after an attack, organizations absorb roughly 61% of those costs and incur another 24% over the next 12 to 24 months. The final 15% can stretch out two years or more for the average security incident. Those numbers help explain why 60% of small businesses close within six months of a significant cyberattack.
It is important to know that attacks on small and medium-sized businesses are escalating at a faster pace than those targeting the Fortune 500, and that everyone should be prepared and take cybersecurity seriously. The data suggests many small to midsize businesses are vastly unprepared for the inevitable attacks to come. A study by Vistage and Cisco found that 62% of respondents do not have an active cybersecurity strategy.
There are several primary ways cybersecurity issues can affect (or even destroy) an organization and its reputation. Because of that, effective security measures need to be a part of the cost of running any business today. There are no shortcuts when it comes to protecting employees, clients, and corporate image.
The 3 biggest risks of a cyber attack include:
- A hacker obtains sensitive information such as bank account or credit card details.
- A hacker obtains sensitive information about the organization and uses it to destroy the organization’s reputation.
- A hacker uses malware to infiltrate an organization and encrypt data and hold it for ransom, aka ransomware.
New threats continue to emerge and each organization needs to be sure it is equipped to deal with a dynamic threat landscape. Having a trusted MSP as a partner to help secure the systems, workstations, and networks is important, but also having internal accountability on your organization’s cybersecurity is critical.
The following are many of the critical system utilities and solutions that your MSP is using to help mitigate malicious attacks:
- Firewalls are software (and also hardware) designed to protect the system from attack by people accessing the organization’s systems via both internal and external communication links.
- Malware/spyware and web proxy protection solutions protect the system from software code that may be from pop-up windows or have more insidious intent, such as logging usernames and passwords for fraudulent purposes.
- Anti-spam software protects email inboxes from being clogged by unwanted broadcast email.
- Anti-phishing software protects users visiting websites that are designed to trap user information that can then be used for fraudulent purposes.
- Maintenance of hardware like servers, switches, and backup technologies.
- Support, platforms, and software that assist an organization in creating, managing, and implementing internal security procedures and policies.
In addition to the steps taken by your IT MSP, it is necessary that a cybersecurity risk management program be established internally and that all cybersecurity risks be considered significant business risks by every employee of the organization. This is why having a designated representative on site, in an IT security officer role, is important to implementing and managing your cybersecurity risk management program. This position can be full-time if needed or could simply be additional job duties for an existing employee. There are many criteria that an organization needs to adhere to, both to stay compliant with insurance companies, for claim payouts in the event of a cyber attack, and to stay protected so that you do not fall victim to an attack. Many of the internal practices that need to be managed onsite include:
- Implementation of a formal risk assessment process and development of policies to ensure that systems are not misused.
- Continual review of all policies including updates to reflect the most current risks.
- Development of incident response policies and procedures to properly respond to, account for and help mitigate the cost of a potential breach.
- Ongoing education to all employees on technology risks.
- Development and maintenance of IT policies, examples include but are not limited to:
  - User Account Management
  - Data Management
  - IT Security and Risk Management
  - Employee Sanction Policies
  - Emergency Operations Plans
  - Business Continuity Plans
  - A system use policy, email use policy, internet use policy, and remote access policies.
With an approach that combines the security measures brought to you through your MSP with the internal policies and procedures put in place by the organization, a business has the best chance of making it through a cyberattack, or avoiding one altogether. It is important to realize that all security efforts mentioned are mandatory for any well-managed system utilizing a defensive cyber strategy. The cost of an attack can be significant, involving loss of data, fraud, and the cost of rebuilding systems, as well as damage to your reputation in the community and with your customers. All of these items should be analyzed against the cost to defend against such threats.