Are You Prepared? Cybersecurity Protection Planning
It’s Time to Think of Cybersecurity as a Business Insurance Expense
Key Takeaways:
- Gone are the days when owners of small and medium-sized businesses can place a low priority on devoting budget to cybersecurity and delay putting effective protective systems in place.
- The growing sophistication of cyberattacks and the massive growth in financial damages suggests that a meaningful shift in thinking needs to take place.
- Business owners must stop thinking of cybersecurity as an IT expense and start recognizing it as an insurance item.
The recent cyberattacks on the City of Wichita and Ascension Via Christi Hospital put into stark relief the importance of effective cybersecurity measures for every entity that relies on internet-based technology in its daily business operations. This would include just about every business, nonprofit and government agency operating today.
If your business uses email, it relies on internet-based communications, and every email account and every laptop or workstation creates an opportunity for a cyberattacker to gain access to your confidential business data.
The cyberattacks that make headlines – such as Wichita and Ascension – are not representative of all cyberattacks in the U.S. The reality is that thousands of small and medium-sized businesses are hit by cyberattacks – most often starting with phishing emails – every year.
More than 42,000 cyberattacks hit U.S. businesses in 2023 alone.
‘Why Would They Want My Data?’ They Don’t
It is a mistake to think your business would not attract a cyberattack because of a mindset like, “Why would they want my data?” They may not want your data. They may want your customers’ data, which resides in your system. What kind of data? Credit card numbers, bank account numbers, Social Security numbers, email addresses and more.
Protecting your data and technology systems comes at a cost, and many business owners have made do for years by doing less than enough to protect their data. But gone are the days when owners of small and medium-sized businesses can place a low priority on devoting budget to cybersecurity and delay putting effective protective systems in place. Consider the following:
- 37% of companies hit by ransomware attacks in 2021 had fewer than 100 employees.
- 75% of small business owners report they could not continue operating if they were hit by a ransomware attack.
- 47% of businesses with fewer than 50 employees have no cybersecurity budget.
In 2023, three in four companies in the U.S. were at risk of a material cyberattack, according to cybersecurity professionals. Thus, cybercrime is one of the primary risks companies face.
Cybersecurity Cost: A Meaningful Shift in Thinking
Yet, many business owners delay implementing cybersecurity measures, or they implement the bare minimum, due to the cost involved. That is, in part, because business owners traditionally have thought of cybersecurity investment as an IT cost, and they have always associated IT budgets with making one-time purchases of computers and software. Cybersecurity tools, on the other hand, require a commitment to ongoing costs.
The growing sophistication of cyberattacks and the massive growth in financial damages suggests that a meaningful shift in thinking needs to take place. Business owners must stop thinking of cybersecurity as an IT expense and start recognizing it as an insurance item. Like all insurance programs, the costs associated with cybersecurity can be pegged to the level of protection you want and can afford.
Cybersecurity protection is a multi-layer strategy involving staff training, technology upgrades such as firewall protection, multifactor authentication and end-point security software on every workstation.
To manage the cost of cybersecurity protection, it helps to think of it in terms of layers.
Layer 1 – Cybersecurity for the Smallest Budgets
This layer is for the smallest businesses and represents the minimum or essential amount of security any company should have:
- Staff Training: Ongoing training in how to recognize and avoid being victimized by email scams such as phishing and social engineering emails. Many companies hold “Cyber Day” events that involve training and other activities to help build employee engagement.
- Commercial Secure Firewall: This should be installed at the entry point where the internet first enters your operation. Most businesses have some form of firewall, yet only a few are equipped with the sophistication needed to handle the types of threats prevalent today. A firewall is designed to protect your network from incursion, typically by automated internet scanners, spambots, viruses and other types of malware.
- End-point Security Software: This software should be installed on each workstation. It is also known as a “threat hunting” tool: it monitors the computer’s environment, detects unusual activity and sends a warning to the IT department or outside IT management company if something appears suspicious. The IT professionals can assess what’s happening and, if necessary, use automated tools to pull that workstation off the network and contain the attack surface. They may also take additional measures to secure the company’s data before a ransomware attack encrypts it and makes it inaccessible.
- Multifactor Authentication Software: Although many times considered inconvenient, MFA has become an essential tool that should be included even on an entry-level plan. Multifactor authentication requires users, after they input a password, to input a second identifying factor to gain access to their system.
Layer 2 – Cybersecurity for Middle-Market Businesses
Businesses at this level are a bit more mature and should have the budget for a more robust cybersecurity system. Their systems should include all of the items that smaller businesses would have, but should also include:
- Zero-trust Protection Layer: This involves installing software that white-lists applications and won’t allow anything to function at the end point without explicit approval from a user. This is a more sophisticated threat-hunting tool.
- Compliance Software & Staff Training: This applies to companies in regulated markets, such as healthcare, financial services and certain manufacturers that sell to the government marketplace. These entities often must have certain cybersecurity features on their systems to satisfy compliance rules in their industries or those imposed by their customers.
- Cyber Liability Insurance: There’s no way around it. This is costly. But it is really a necessity for all businesses. Ransomware attacks on small and medium-sized businesses can cost anywhere from a few thousand dollars to hundreds of thousands to restore their systems and retrieve stolen data.
Layer 3 – Cybersecurity for Large Businesses
At this level, businesses are often subject to compliance requirements and complex technology-based data exchanges with their customers. Among the protections commonly added at this layer are:
- Staff Education & Training: This occurs at a deeper level and involves more sophisticated concepts.
- Regular Penetration Testing: IT professionals carry out a simulated attack on the company’s system, then identify and analyze the security gaps and vulnerable points of entry.
- Specialized Security Tools: Many compliance tools, software tools and security tools are specific to certain industries and become necessary for some larger companies. For instance, a company that wants to build large federal projects would likely be required to obtain CMMC (Cybersecurity Maturity Model Certification) certification. This is a multi-layer certification that goes beyond technology and requires certain work processes.
- Increased Cyber Liability Insurance: Ransomware attacks on large corporations have resulted in ransom payments of $20 million and up. A certain level of insurance protection is essential.
In summary, think of your office computer network as you would your own home. For your home, you may first install a fence outside and good locks on all the doors for protection. Then you might add a security alarm. And a dog. All of these add a layer of security with the common goal of protecting your home.
By adding layers of cybersecurity to your office computer network, you can achieve a similar level of protection that is appropriate to your company’s needs and cost effective.
If you would like to discuss an evaluation of your company’s cybersecurity and managed IT needs, contact an Adams Brown technology specialist.