Are You Gambling with Your Business Continuity?

As security professionals, we’ve been saying this so long that it’s become a bit cliché:  Users are your biggest threat to security and therefore to business continuity.  Nevertheless, it remains true.  Sometimes, an employee’s desire to prove helpful is exactly what a malicious actor will use to gain access to sensitive information.  Other times, the gullibility of users proves useful.  Then again, the desire to keep security simple and convenient (remembering passwords) can lead to an opportunity to exploit.  All this being the case, why is it that so few companies choose to invest in educating their users on what’s at stake and how to reduce the odds of becoming a cybersecurity victim?

There are many reasons for this, but most commonly it’s the business owner’s ignorance of the threats posed and what’s at stake for their business.  According to Inc Magazine, nearly 60% of all small businesses close within 6 months of falling victim to a cyberattack.  Yes, cybersecurity poses an existential threat to small and medium-sized businesses.

One cliché that proves false regarding cybersecurity is “If it isn’t broke, don’t fix it.”  Many businesses are playing digital roulette with their cybersecurity posture.  Business owners think that since they haven’t been attacked yet, they aren’t at risk of falling prey to an attack.  The truth is, though, that every company is one click away from a successful attack.  All it takes is an errant click on one email attachment or malicious banner ad on a website to open the gates for a successful attack.

Some business owners think that because they have a firewall and other protections in place, they are covered.  What makes the user so critical in securing the network is that users are easier to “hack” than networks.  Users are now the front line of digital security – they are the target, because malicious actors know that the internal user is a trusted agent on networks and cloud platforms.  By default, and generally for good reason, actions that originate from an internal user within the boundary of a network or application platform are trusted actions.  Thus, if a malicious actor can get behind that trusted perimeter, they will generally have free rein to launch their attack.  Most companies don’t even have the ability to perform a post-mortem on an attack, because they don’t have audit trail capabilities enabled.

What happens next?  Often, once behind the secured perimeter, the attacker lies low and surveils.  They will often siphon sensitive data, disable data protections, and plan out their attack to have the greatest negative impact upon your business.  They realize that you must be desperate if you are going to pay a lot of money to regain access to your information or to avoid public embarrassment.  Even if you can get your information back, many times the reputation hit your company takes from getting breached is enough to pose an existential threat to the company.  The bad actors know this, and they will look to exploit every way possible in order to get paid.

So what can you do to protect your business?

  1. Invest in security awareness training for your users.

This is a very simple first step to take.  You can vary your tactics to ensure you get the best coverage across all employees/users.  You can use written forms of training and documentation, video training, or even simulations that will give feedback on which users are most susceptible to posing a security threat to the company.  Speak with your trusted security adviser for details on how best to engage your employees with security training.

  2. Invest in products and services that can mitigate the impact of a successful attack.

So many times, we have seen or studied instances where companies had a backup system, but their backup was not ransomware-proof (for a variety of reasons).  Because of this, they were forced to pay thousands of dollars to recover their data from ransomware, either by paying for technical labor to find a way to decrypt it or by paying the bad actors to get their data back.  Discuss your backup plan with your trusted security adviser to ensure you are completely protected, and that you have everything in place to mitigate the loss of data in a ransomware attack scenario.  Also, verify with your security advisers that you have tools in place to identify and mitigate attacks as quickly as possible, as well as to provide an audit trail for permissions use.  Your business needs vary depending on your attack surface, which differs from company to company.  There’s no good one-size-fits-all approach to security.

  3. Start writing policies and procedures for responding to an attack.

Just like anything else in business, whenever you invest the time to plan ahead for a security event, you’ll be more prepared to cope with a security incident.  Even if the plan isn’t perfect, you will fare better than those who are “winging it” with no plan at all.  The race to the South Pole between Roald Amundsen and Robert Falcon Scott, about which numerous books have been written, highlights the necessity of planning even when reality plays out differently, which inevitably it will.

The reason we use language like “start writing” is that, as quickly as technology is evolving and changing, there will always be a need to refine and expand your policies/processes.  It is imperative to commit to maintaining an updated plan for how to respond to a security event within your organization.

  4. Build protections in your finance department and bank for any transaction above a specified amount.

Your bank or trusted financial institution can put policies in place requiring authorization for the transfer of funds above certain amounts.  This can protect you from unauthorized wire transfers and other large payouts of funds, should a hacker gain access to your financial accounts.  Your banking institution wants you to avoid losing money as much as you do, as their reputation is at stake in such an instance.  Be sure to discuss best practices with your trusted finance adviser for how to avoid such scenarios.

  5. Discuss cybersecurity insurance options with your trusted insurance provider.

Cybersecurity insurance is fairly new in the insurance industry, so it is still evolving and adjusting to ensure viability and sustainability.  Many insurance providers now require a security audit and require that other protections be in place to mitigate risk on their end.  Nevertheless, if you put too much stock in your insurance plan instead of taking actions to strengthen security in your organization, you could find yourself in a situation where the insurance provider claims willful negligence and decides not to pay out after a security breach.  In order to protect yourself from such a claim, you must be able to demonstrate good-faith efforts to protect yourself from security incidents.

  6. Finally, make your security mandates as convenient for the user as possible.

If your security measures are too inconvenient for the end user, they will find ways to circumvent them and expose your company to unnecessary risk.  For instance, there are much easier ways to enforce multi-factor authentication for users today.  A lot of users were frustrated by the cumbersomeness of multi-factor authentication in its early phases.  Today, with authentication apps and the coming technologies surrounding passwordless authentication, it is easier than ever to verify the identity of your users and protect your organization from the vast majority of attacks.  Again, users will find creative ways to circumvent annoying security requirements and expose the company to risk, so this is a vital component in today’s marketplace.

In conclusion, don’t gamble with your company’s existence.  There are ways to protect your business from these bad actors that won’t break the bank.  Most industries require less than 5% of gross revenue to ensure their business is protected against the malicious hackers of the world.  While there is no silver bullet that will protect you completely, you can mitigate the effects and ensure business continuity despite a successful attack.  If you need some assistance with knowing where to start with business security and continuity planning, feel free to reach out to TCS for assistance.  We can assess where you are, where you need to be, and roadmap a plan to get there over a timeframe that works best for your organization.