As a business owner, can you afford to potentially lose your data and the use of your computers to ransomware?
Could you stand to pay potentially millions of dollars in fines for a data breach?
Whether you’re a small company of only a few employees or a larger company, everyone is at risk.
In one example, bad actors successfully targeted a Microsoft reseller and abused delegated access, intended to let the reseller audit licenses for its customers, to compromise those customers’ Office 365 accounts. The compromised accounts were then used to collect business intelligence (how much can the victim pay in ransom, do they work with bigger or richer companies that can also be targeted) and to install ransomware on the victim’s computers.
In another highly publicized incident, the well-known enterprise monitoring company SolarWinds suffered an attack against the update deployment mechanism of its SolarWinds Orion IT management software, compromising thousands of businesses whose IT providers used and trusted the product. The fallout is still being felt today.
The best defense is knowing how to prevent hacking before it happens. This guide will help you get started and spells out steps you can take right now to mitigate your risk of being hacked.
What’s at Stake
It doesn’t matter whether your business runs on-site or in the cloud: there are still risks if you’re not securing your data, applications, and access. According to IBM’s 2021 assessment of real-world data breaches, the average total cost of a data breach in the US is $9.23 million. And after a ransomware attack in March of 2021, CNA Financial paid $40 million to the attackers to retrieve their data.
Although most ransomware operations are opportunistic, CrowdStrike’s 2021 Global Threat Report notes that CrowdStrike Intelligence identified the highest number of ransomware-associated data extortion operations that year in the industrial and engineering sector, closely followed by the manufacturing sector.
Countermeasures and Defenses
With many companies expanding into the cloud, or going fully cloud-native, the cloud has become a ripe target for bad actors. Gartner reports that 61% of more than 2,000 CIOs surveyed say cybersecurity is the top priority for new spending in the coming year, and the fastest-growing segment, at 41% growth from 2020 to 2021, is cloud security. While all of the large cloud providers offer comprehensive security features, those features are only effective if they are implemented correctly.
As noted earlier, even if you’re not in the cloud, many of the same threats are present. Thankfully, there are many tools and resources available to help secure your business. While some of these measures aren’t free, it costs much less to have good governance and controls in place than it does to pay a ransomware demand, a lawsuit settlement, or a fine resulting from a data breach.
Steps to Take Right Now
A few of the basic precautions you should have on your radar are:
- Bake in best practices from the beginning of a project. Even if you can’t afford a Chief Information Security Officer, Cloud Architect, and a team of security personnel, having a Governing Board where best practices are defined up front will go a long way towards providing a solid security framework.
- Build a culture where security is encouraged. All of the tools and monitoring are ineffective if your employees are lax about security. 95% of cybersecurity breaches are caused by human error. Common examples are an employee leaving a laptop unlocked at a coffee shop, or writing down passwords. If you need to outsource your IT security, be sure the provider can supply resources to train your employees on best practices.
- Research and understand your compliance responsibilities. Many companies have compliance requirements. Some of the better-known regulations are HIPAA (Health Insurance Portability and Accountability Act), PIPEDA (Personal Information Protection and Electronic Documents Act) and CCPA (California Consumer Privacy Act), among others. Be aware that if you have customers or clients from other parts of the world, other regulations may affect how you handle and secure their data. If your data is stolen and you didn’t have proper safeguards in place to meet regulatory requirements, you could face very large fines.
- Provide the tools to monitor and react to threats. There are many robust security solutions in the marketplace. If you choose not to outsource your IT security to a third party, Gartner.com is a reliable way to find the appropriate software for your business needs. Besides threat detection and hardening, one capability the solution should provide is user behavior analytics.
In addition, you should:
- Keep current with technologies and threats
- Have a comprehensive disaster recovery plan
Some concrete actions to start with are:
- Implement multi-factor authentication (MFA)
- Invest in password security by way of a company-wide password manager
- Train your entire staff to become familiar with phishing attacks and other threat vectors
Need Help? Mission Critical Systems Is Here for You
In short, if you’re not proactive about your digital security, you could lose your business through fines, loss of reputation, or the inability to operate because of ransomware. It is far more cost effective to be proactive about IT security, and to plan for the when, not the if.
Partner with us if you’re unable to hire a full-time internal security staff. Overall, a “Security First” mindset and an awareness of threats need to be baked into the corporate culture, not treated as an afterthought.