Updated March 01, 2023
There’s no question that cybersecurity is one of the most serious issues your organization faces today. With the average total cost of a data breach at $4.35 million and news headlines regularly announcing the latest organizations to fall prey to cyberattacks, it behooves finance, risk management and IT leaders to be up to speed with current cyber threats.
This article highlights some of the top cyber risks that large and small businesses face and offers specific steps you can take to create more robust defenses.
Below are some of the most prevalent cybersecurity threats that pose significant risks to your organization. (For the latest information on threats, visit the Cybersecurity & Infrastructure Security Agency.)
Phishing and social engineering attacks: Social engineering is when cybercriminals manipulate people into taking an action — such as clicking a link or wiring money — that gives the criminals access to sensitive information or assets. The most common form of social engineering is email phishing, which is when a cybercriminal poses as one of your contacts or as a well-known organization and tricks you into clicking a malicious link or opening an attachment. Cybercriminals can also use email phishing to steal an employee’s account credentials (credential stuffing) and access user accounts.
Verizon's 2022 Data Breach Investigations Report found that 82% of breaches involved the human element, so fortifying your employees through continuous education is essential for preventing a breach.
Ransomware: When deployed, ransomware interrupts a company’s operations and withholds access to company systems until a ransom is paid to the attacker. Victims of ransomware often don’t regain access to their files after paying the ransom. (Don’t rely on criminals to hold up their end of the bargain.) Whether victims pay or not, they often end up spending millions of dollars to rebuild their data. Verizon’s report found that ransomware remains in the top five system intrusion incidents for businesses.
You should know what defenses your organization has in place to prevent a ransomware attack, what the company’s plan is for responding to a ransom demand if an attack takes place, and how often and where your company’s data is backed up — so that you are not beholden to the criminals and have a way to recover your business.
Malware: Short for malicious software, malware damages or destroys computer systems or collects sensitive data. It typically spreads via a phishing email or when a user downloads an infected file. If data is stolen in a malware attack, it may be sold on the black market, where each private record could bring anywhere from a few cents to hundreds of dollars, depending on what it contains and how the buyer can use it. In addition to antivirus protection, employee vigilance is vital for protecting against malware attacks.
Cloud service vulnerabilities: While using cloud-based services provides the benefit of regular software updates deployed by the vendor, any internet-based service can be at risk for digital attacks. Cloud providers typically have various safeguards in place to protect your data, including requirements for strong passwords, data encryption and limited access based on user accounts. But not all service providers are alike.
Be sure to understand the measures your current cloud solution providers have in place to protect your data and infrastructure. If you’re planning to onboard a new solution, ask more questions about the platform’s safety and security than you do about its features.
To protect your business’s most sensitive data, it is wise to have regular conversations with stakeholders to understand cyber threats and how they are evolving. The good news is there is a lot you can do to safeguard your data, without making large expenditures on technology.
Your organization can greatly mitigate risk, often within weeks, by taking these cybersecurity steps:
These include vulnerabilities related to your industry, your people, your technology and your business partners. Vendor/supplier security is critical, so in addition to assessing your internal risks, you need to determine what data these outside parties can access, and what their controls and safeguards are.
You need to know how sensitive various information is, so that you can prioritize your security efforts and apply your resources where they are needed most. Protecting your data also requires that you understand how it is flowing through your organization. For example, are you using the cloud to send proprietary information to a manufacturer?
These are simply the processes that you put in place to mitigate risks. For example, you can implement multifactor authentication (MFA/DFA), email filters, hold regular data security trainings for your workforce, encrypt your laptops and require your vendors to have service organization control (SOC) audits.
Once your processes are in place, run periodic tests on select controls to validate that they are working as intended.
Treat cyber incidents the same way you do disaster recovery or business continuity. Have a plan for how you will evaluate the damage, and how you will communicate and manage it internally and externally. Then test and refine your plan, by regularly sitting down with key personnel to run through your response to various hypothetical scenarios.
Preventive maintenance is essential for a secure and safe environment against malware. Stable machines will also reduce the overall operation cost in the long run.
Maintain at least one copy offline and encrypt your files. Remote environments may take longer to be reached but are less vulnerable. Be sure to regularly test your backups.
Cybersecurity insurance is a good tool for helping to manage IT risk at your business. Be aware that when you apply for cyber insurance, you'll have to fill out a questionnaire about your current IT security practices. Questions may include whether you provide regular employee security training or if you have up-to-date email security features. Your answers will determine whether or not you’ll be eligible for coverage and what your premium will be. It’s best to review and make improvements to your IT program before applying for insurance so that you’ll be a stronger candidate.
As your business changes, your risks change, so you should reassess your situation annually. If you have an existing enterprise risk management program, you can leverage it and fold in your cybersecurity processes.
Ongoing board involvement and oversight is also important to your cybersecurity efforts. Evaluate your board composition and update it, if necessary, to add someone with data security expertise, and redefine your board committees to include cybersecurity responsibilities. You also need to establish proper governance and board oversight of your cybersecurity processes and strategy.
Cyberattacks — whether it be email phishing, ransomware or malware attacks — can do great damage to your company’s reputation, customers and overall bottom line. Although there is no way to completely prevent a breach, a strong cybersecurity program can help you navigate disruption by mitigating your organization’s risks and better preparing you to respond to an attack. As the old saying goes, an ounce of prevention is worth a pound of cure.
Contact our cybersecurity team to learn more about strengthening your defenses against cyberattacks or to take the first step with a cybersecurity evaluation.
