8 Simple Processes to Strengthen Your Cybersecurity
Article

8 Simple Processes to Strengthen Your Cybersecurity

by Mirena Taskova, Marcelo Cabus Masur
August 18, 2021

Ransomware attacks — a type of digital crime in which the hacker locks up a business’s systems and demands a ransom payment to restore access — are on the rise. Attacks on large corporations like Colonial Pipeline, Kaseya and JBS Meat Company have dominated recent headlines, but small and mid-sized businesses are also being targeted.

This article outlines the risks businesses face and some specific controls you can implement to create more robust defenses against ransomware and other cyberattacks.

The Cost of Cyberattacks

Cybercrime is a huge and profitable enterprise, and most hackers have a purely financial motivation. According to the Ponemon Institute’s 2021 Cost of a Data Breach Report, the average total cost of a data breach is now $4.24 million, with ransomware attacks averaging an even more painful $4.62 million.

Victims of ransomware often don’t regain access to their files after paying the ransom, and businesses that refuse to pay end up spending millions of dollars to rebuild their data. (To reduce the flood of business-disrupting cyberattacks, the federal Cybersecurity and Infrastructure Security Agency recently appointed a new director, Jen Easterly, to lead efforts to fight cybercrime. Easterly has extensive corporate and military experience in intelligence and cyber operations.)

Even a minor breach can carry a hefty price tag. According to Ponemon, the average cost per lost or stolen record was $161 across all data breaches. Some hourly expenses, such as legal fees, accrue regardless of the number of records that are affected. A breach can also damage your organization’s reputation and value.

Crimes of Opportunity

In most cases, breaches are crimes of opportunity, rather than targeted attacks on a specific company. The weak link in the security chain is usually a person. The 2021 Verizon Data Breach Investigations Report found that 85% of breaches involved a human element.

The most prevalent form of attack is phishing schemes, which infect a system with malware or ransomware when the user unwittingly opens a malicious attachment or clicks a link in a legitimate-looking email. Malware is used to steal data and then sell it on the black market, where each stolen record may bring anywhere from a few cents to hundreds of dollars, depending on what it contains and how the buyer can use it.

As the volume of available data continues to multiply and data becomes increasingly connected, the threat will only keep growing. On top of that, larger remote workforces have made businesses more susceptible to attacks, increasing both the cost of a breach and the time needed to identify and contain it.

The good news? There is a lot you can do to safeguard your data, without making large expenditures on technology.

Protect Your Business by Implementing Simple Controls

You can greatly mitigate your risk, often within weeks, by implementing these basic cybersecurity steps:

  1. Assess your risks. These include vulnerabilities related to your industry, your people, your technology and your business partners. Vendor/supplier security is critical, so in addition to assessing your internal risks, you need to determine what data these outside parties can access, and what their controls and safeguards are.
  2. Classify your data. You need to know how sensitive various information is, so that you can prioritize your security efforts and apply your resources where they are needed most. Protecting your data also requires that you understand how it is flowing through your organization. For example, are you using the cloud to send proprietary information to a manufacturer?
  3. Implement controls. These are simply the processes that you put in place to mitigate risks. For example, you can implement multifactor authentication (MFA/DFA), email filters, hold data security training for your workforce, encrypt your laptops and require your vendors to have service organization control (SOC) audits.
  4. Verify the controls. Once your processes are in place, run periodic tests on select controls, to validate that they are working as intended.
  5. Create a breach preparedness plan, and test it. Treat cyber incidents the same way you do disaster recovery or business continuity. Have a plan for how you will evaluate the damage, and how you will communicate and manage it internally and externally. Then test and refine your plan, by regularly sitting down with key personnel to run through your response to various hypothetical scenarios.
  6. Keep machines’ patches up to date. Preventive maintenance is essential for a secure and safe environment against malware. Stable machines will also reduce the overall operation cost in the long run.
  7. Make regular backups. Maintain at least one copy offline and encrypt your files. Remote environments may take longer to be reached but are less vulnerable. Be sure to regularly test your backups.
  8. Consider cyber insurance. You may want to use insurance instruments to transfer your risk to a third party. (If your organization has a cybersecurity program, and you are knowledgeable about your risks, you’ll also be a stronger candidate when you apply for an insurance policy.)

Reassess Annually and Involve Your Board

As your business changes, your risks change, so you should reassess your situation annually. If you have an existing enterprise risk management (ERM) program, you can leverage it and fold in your cybersecurity processes.

Ongoing board involvement and oversight is also important to your cybersecurity efforts. Evaluate your board composition and update it, if necessary, to add someone with data security expertise, and redefine your board committees to include cybersecurity responsibilities. You also need to establish proper governance and board oversight of your cybersecurity processes and strategy.

Ransomware and other cyberattacks can be detrimental to your company’s reputation, customers and overall bottom line. The consequences are usually severe, and there is no guarantee that your business will get its data back after the sum is paid.

Although there is no way to completely prevent a breach, a strong cybersecurity program can help you mitigate your risks and be better prepared to respond to an attack. As the old saying goes, an ounce of prevention is worth a pound of cure.

Contact our cybersecurity team to learn more about strengthening your defenses against cyberattacks or to take the first step with a cybersecurity evaluation.

Stay In Touch

Sign up to stay up-to-date with the latest accounting regulations, best practices, industry news and technology insights to run your business.

Author
Mirena Taskova - Managing Director, Privacy & Cybersecurity - San Jose CA | Armanino
Managing Director, Head of Privacy and Cybersecurity
Marcelo Cabus Masur
Risk Assurance & Advisory
Resources
Related News & Insights
5 Privacy Misconceptions Hindering Health Tech Adoption
Article
Proper understanding of global privacy rules is essential for innovation in the healthcare industry.

September 14, 2021
How to Reduce the Risk of Fraud in Your Organization
Webinar
Protect your organization by learning how to prevent, assess and monitor for fraud.

September 9, 2021 | 10:00 AM - 11:00 AM PT
How Real Estate Technology Is Expanding Privacy and Data Protection Risks
Article
With the volume of customer and transaction data soaring, real estate companies need effective privacy practices.

August 19, 2021