This post first appeared on the Infrascale website.
Cyber awareness is something that every company knows they should be doing, but the extent to which they implement it varies widely. This is great news to hackers and other malevolent actors who have the knowledge and tools to take advantage of lax policies and hole-filled – or nonexistent – cybersecurity solution deployments.
While there are many reasons to improve your company’s cyber awareness game, here are some of the most urgent to address:
Data loss and compromise. Losing data in 2020 can be an existential problem for your business. Whether it’s financial, operational, employee, customer, supplier or all of the above, protecting and backing up your data should be among your most important operational priorities.
Costs related to damages and data recovery. Beyond the operational, trust and embarrassment factors of having your data lost and/or compromised, there are the financial costs to consider. While costs vary depending on the type of data breach and how it is ultimately recovered – IF it’s recovered – they can be onerous, especially for a small or medium-sized business (SMB). One example is a ransomware attack, which is quite common according to a survey we published in April showing that close to half of SMBs have been ransomware targets. Payouts have been significant, with 43% paying in the $10,000 – $50,000 range and 13% paying more than $100,000. And that’s just one type of cybersecurity breach!
Business downtime. Downtime is a common result of a cyber attack, and one which brings serious consequences. In fact, a survey we commissioned in May reported that 37% of SMBs have lost customers and 17% have lost revenue due to downtime.
Loss of external party trust (customers/partners/suppliers). When there’s a security breach and data is lost or stolen, companies adhering to GDPR or other privacy doctrines have to alert those affected. That typically means your customers, partners and suppliers. Their immediate question: “Why didn’t you do enough to protect me?” Depending on the extent of the breach, you could find yourself with fewer of all of them. Even those who don’t immediately depart will have had their trust in your company broken. And trust is a very difficult thing to get back.
Loss of employee trust. Think about how you would feel if your personal/employee information was breached. After all, your employer has your name, address, Social Security number, salary, reviews, and other confidential and potentially compromising information. And, even if a data breach does not expose employees’ personal information, the fact that the company’s data was not sufficiently protected is a failure on the part of management and their duty to protect the company’s reputation and assets.
Loss of business viability. In conjunction with the scenarios described above is the real possibility of going out of business due to a cybersecurity breach. There are many potential ways for this to happen – with some of the most common described below – and, according to a Zogby Analytics report from October, 2019, 28% of SMBs had experienced a data breach in the previous year. Of that cohort, 37% reported a financial loss, 25% filed for bankruptcy, and 10% went out of business.
The tens of thousands, hundreds of thousands, million, billion, or even multi-billion dollar question here is: why would you not do everything you could to prevent cyber security incidents from taking place? Yet, according to a study commissioned by BullGuard, one in three SMBs use free consumer cybersecurity solutions and one in five don’t even use no endpoint security!
Threats to guard against
So, how do the undesirable scenarios manifest? It’s in hackers’ best interests to know how to exploit the most common and insufficiently protected security gaps. And, without the proper data protection solutions in place, they can exploit the vulnerabilities and do massive amounts of damage.
Some of the cyber threats SMBs in particular are facing include:
- Phishing: Like most people, you’ve probably been the target of a phishing attack where you receive an unsolicited email promising or asking for something with a call-to-action of clicking a link that often leads to malware or ransomware, and/or providing personal information.
- Malware: This is an all-encompassing category of threat that includes usual suspects like the ones described here. It describes any type of software built with malicious intent in mind. Sometimes it inserts a virus into your computer. Other times it’s intent is to disable, take over, or cause some other type of damage.
- Ransomware: A growing and particularly insidious threat – to businesses and individuals – is ransomware. This type of attack involves a malevolent actor accessing your data and/or hardware and threatening to lock it, expose it or delete it unless a ransom is paid. We’ve covered ransomware from just about every angle you can imagine, including multiple surveys.
- Infrastructure and application hacks. Beyond data loss and compromise are cyber attacks that target tech infrastructure (such as servers and other hardware) and software applications. There’s a lot of complexity involved in detailing such attacks since the variables are numerous, but suffice to say that the consequences match those described above.
To be clear, there are many more potential threats. These are among the most important for SMBs to be aware of and implement purpose-built solutions to prevent, mitigate and fix the data-related damages.
Here’s what you can do to protect your business
So, those are just some of the negative outcomes and threats your business is up against every day. At this point you might be wondering you will ever stay on ahead of them. Here is some battle-tested advice on doing just that:
Educate employees. With cyber awareness, it all starts with education. When you train your employees (and other end users, for that matter) to identify, avoid and report threats, you make it more difficult for hackers to access and compromise your data. Part of this education process includes patching and updating your software applications.
Perform a risk assessment. When was the last time you performed an in-depth cyber security risk assessment? Unless it was within the last six months, you are courting disaster. Risk assessments come in many forms and angles: internal or external, vulnerability and/or penetration testing. Specific to data protection, you need to know the Who, What, When, Where, and How:
- Who has access to your data and what kind of access do they have?
- What data do you have? Is it PII (personally identifiable information)? Is it subject to higher protections (e.g. health data)?
- When was the last time a risk assessment was performed?
- Where is your data located? (e.g., on premises, public cloud, private cloud, endpoints such as laptops and mobile devices)
- How is the data used? How does it flow?
Create a data protection plan and stick to it. There’s a well-known aphorism attributed to Benjamin Franklin: “Failing to plan is planning to fail.” It’s certainly true in the case of data protection. Without a potent data protection plan in place, none of the cyber security tools on the market will reach their potential. The most effective plans function as a playbook that includes key elements such as backup, disaster recovery, risk assessment, education and covering the main “‘tions” such as Prevention, Detection, Mitigation and Encryption. Other important elements beyond those already listed here include tactical pieces such as firewalls, encryption for data a rest (especially PII) and to meet compliance requirements and antivirus (AV) software.
Implement a cloud backup and disaster recovery (BDR) solution for infrastructure and endpoints. The goal here is to eliminate downtime and data loss during cyber attacks or natural disasters (e.g., hurricanes, earthquakes, power outages) and recover in minutes – not hours, days, weeks, or longer. Just relying on onsite and offsite data backup is not enough. To keep your business running, the critical servers and business processes that manage your data must also be recovered. The same goes for other endpoints such as laptops, mobile phones and desktop computers. Examples of solutions that cover the BDR bases include:
- Infrascale Cloud Application Backup (ICAB): ICAB provides unlimited SaaS data backup history and mitigates the risk of data loss covering SaaS solutions like Microsoft 365, Google G Suite, Salesforce, Box, and Dropbox..
- Infrascale Cloud Backup (ICB): ICB is a direct-to-cloud endpoint backup solution that protects business devices such as laptops, mobile phones, desktop computers and servers.
- Infrascale Disaster Recovery (IDR): IDR is a hybrid cloud based disaster-recovery-as-a-service (DRaaS) solution that helps mitigate the downtime caused by server crashes, ransomware attacks, or natural disasters.
Ensure that every piece of your tech stack that has to do with your data is current. In a nutshell, install all software patches as soon as they become available, update all AV definitions and application versions – including backup software.
Go global, or at least national. Keep your data distributed to protect against a disaster in one location. Even backed-up data can be lost if it’s not located in a different geography. The cloud is an effective place to back up your data. You can rely entirely on the cloud for disaster recovery, or you can keep your spin-up capabilities local and the backup only in the cloud. Also, leveraging DRaaS offerings from a managed service provider (MSP) can remove the burden of handling disaster recovery on your own.
Test, test, test. A disaster recovery plan is great only when it’s been tested consistently and any weaknesses addressed. Like any plan, no matter how good it looks on paper or in a Word doc, it’s got to be tested to be of any real worth. Conduct regular, random tests in which you simulate an event that would call for data disaster recovery and access your on-premises backup or data protection online backup. It’s important to not leave out endpoint data detection as part of your testing protocol. Solutions like Infrascale Cloud Backup (ICB) safeguard the most critical data while fulfilling backup and retention requirements.
The only way to “win” the cyber awareness game is to keep fighting
The cyber security threats to your data and business as a whole are only increasing and becoming more complex. Adding to this dynamic was the sudden, dramatic shift to working from home for businesses large and small in the wake of the COVID-19 pandemic, which expanded the security holes and lax enforcement by an order of magnitude. Hackers took note and attacked accordingly – and continue to do so in more sophisticated and covert ways.
That’s the bad news.
The good news? Despite all the bad outcomes that can manifest from a lack – or disregard – of cyber awareness, there are proven strategies, tactics and solutions available to make it a strength, and not a weakness to be exploited. Some of the best are listed in this blog post.
You can’t just rely on the Nortons and Kasperskys of the world to stop every threat and maximize your overall cyber awareness. Your business also needs a safety net of backup disaster recovery and other security tooling, too.
The last piece of advice to keep your company cyber aware and solvent: plan for the worst and take steps like those outlined above to prevent threats from happening. And when they do happen, fight them with the best possible solutions and vendors at your side.
