When cyberattacks make the news, they usually are focused around large organizations, like Colonial Pipeline, Accenture, or JBS, the largest meatpacking company in the world. So midsize companies don't have as much to worry about, right? If only that were true. Cyber threats are on the rise, and organizations big, small, and midsize must find ways to combat the growing risk and cost of these attacks.
Cybersecurity threats increasing
The number of global ransomware attacks against businesses of every size rose 151% in the first half of 2021, according to SonicWall research. And in the U.S., the 2021 Verizon Data Breach Investigations Report found that ransomware was responsible for 30% of all cyberattacks in 2020, a number that’s probably even higher because many ransomware incidents go unreported. Organizations don't want to highlight any security vulnerabilities that affect their customers, patients, or investors.
Although the risk may not always make the news, it’s still there. The FBI warns that there are 100 strains of ransomware currently circling the globe. With ransomware payouts often in the millions, ransomware stands as a profitable crime – one likely to continue.
Cost from threats are complex and escalating
When companies are hit by ransomware attacks, they lose out financially, whether they pay the attacker or not. No matter how quickly an organization responds, they still experience downtime, which results in lost revenue and customers. Organizations may face penalties for failed contract obligations and governmental fines for noncompliance. Then, they may have to fight civil suits and try to repair a damaged reputation. Next, they need to recover the data lost and invest in more robust security infrastructure.
If the company pays a ransom, that quickly raises the debt and doesn’t address the security vulnerabilities the organization has in the first place. And, if the company doesn't pay and the attacker does not provide access to the ransomed data, the company faces a long period of rebuilding and recovering their information.
Add in the cost of ransomware incidents, which Cybersecurity Ventures predicts will exceed $265 billion by 2031, and it’s clear that all companies, no matter what size, must take cybersecurity seriously.
SMBs concerned, but not prepared to respond
While most companies are concerned about the security of their data, many need to do more. In our recent report, we found that midsize companies are feeling more vulnerable to attacks than in the past. The biggest threats were email fraud (53%), phishing (47%), cyberattacks (45%), and ransomware (35%). As a result of the increase in threats, only 11% of IT leaders surveyed feel more confident in their cybersecurity protection than 18 months ago.
Interestingly, despite the concern about attacks, only 35% completed a cyber risk assessment in the last year. This comes even though 60% of the respondents said they had a known breach or attack within that time.
Of the organizations that did suffer an attack, one in four responded that they lost customers and 31% indicated a loss of daily operations and productivity. Making matters worse, nearly 20% of midsize organizations said that it took between one and six months to fully recover their business with another 12% taking even longer.
How to minimize risk
To proactively protect customers, patients, data, and intellectual property from threats, midsize companies must go beyond basic security processes or government requirements to ensure the security of their IT infrastructure. Effective safeguards hinge on the following: Have the right technology to implement the policies needed; quickly assess the threat and understand its impact on the business; and have the right group of experts providing cross-industry experiences to guide the process.
As companies work to improve their cybersecurity, they should consider these five steps:
- Do an assessment. Assess the current state of the company’s cybersecurity program using an industry standard for measuring maturity such as NIST. As part of that assessment, ensure that it aligns with the company’s risk appetite since frameworks are merely a starting point. Understand that some companies are willing to take on more risk than others as part of their strategy and the cybersecurity program should support this. Once the team has an understanding of the company’s current maturity it can start addressing the gaps.
- Set priorities. Prioritize the cybersecurity gaps based on tactical and strategic risk reduction. There are tasks that the company can likely do immediately to reduce risk, such as updating technology controls, or segmenting the network, which many would consider tactical risk reduction. There are also items that are more program-based risk reduction activities, which are mid- to long-term initiatives, such as implementing an identity and access management program. Align reducing the organization’s risk to both tactics to see regular success and tackle the bigger risk items.
- Take a holistic view. Look at cybersecurity as a defense-in-depth problem and implement technologies that address protection, detection, and response. Overinvesting in technical security controls has become common over the past decade. It’s easy to fall into the mindset of implementing multiple tools that perform the same kinds of functions. While having more technology that protects, or detects seems like a sound plan, it can dramatically overcomplicate and even overwhelm a company’s ability to respond when the time comes. Think balance. What do we need to protect? What activities and behaviors should we detect? And how do we prepare ourselves for when the time comes to respond? Investing in the security program in this fashion will yield greater results.
- Focus on the data. Attackers either want data to sell, reuse in future attacks, or lock a company out to hold it ransom. So back up company data often and ensure that the disaster recovery plan keeps offline back-ups as well. Rebuilding after an attack is not a joy for any business, yet knowing that it’s possible to rebuild with data can at least offer some assurance that the company can recover. However, rebuild securely, test often, and continuously monitor for reoccurrence so that when the company recovers the issue has been eradicated.
- Conduct an annual review. Thoroughly review the cyber program at least annually to ensure that it continues to align with the company’s risk appetite and the external threat environment. An effective and successful cybersecurity program will evolve with the business and adapt as necessary.
Despite best efforts, no measures are 100% effective at stopping all cybersecurity threats. Also, cybersecurity isn’t a one-and-done situation. Stay vigilant in defending customers, employees, and data. Ransomware and other threats constantly evolve, so SMBs need to ensure their cybersecurity takes all of this into account.
Patrick Hayes, chief information security officer, UncommonX
