The reality is that the cyber threats facing private businesses are no different from those facing any other type of organisation. Cyber criminals are essentially opportunistic and will look to attack wherever they see vulnerabilities, according to PwC.

Digital and physical security are becoming indivisible and everything we do online has consequences in the real world. From critical business systems to social events, virtually every aspect of work and life is exposed to the all-seeing gaze of the internet – and thereby to cybercriminals. And when they come knocking, private businesses need to be ready.

Recent research indicates that 47% of respondents from privately-owned businesses rated cyberattacks as the top threat to their organisation’s growth.

Things have been tough recently in the cyber insurance industry. Businesses have a difficult time finding affordable policies with the right limits that don’t exclude ransomware (see Top Cybercrime Predictions).

Cyber Security a Part of the Business Culture? Cyber Risk Areas

Cybercrime has catastrophic consequences in today’s corporate environment, including revenue and profit loss, brand ruin, erosion of consumer loyalty, competitive disadvantages, and, among other things, crippling lawsuits.

However, private businesses have some distinctive characteristics that create specific cyber security risks and which need to be addressed.

These are the 5 areas that private businesses should address now to make themselves more cyber secure.

Following recent cyber attacks, organizations worldwide are beginning to see the crucial need for lifesaving protections that warn when risk is there. They understand that they need “risk sensors” to prevent dangerous scenarios from occurring and prevent inevitable cybercrime from becoming tragic when it appears (see Cybersecurity and the Cyber Insurance Market).

Educate family members on the importance of online security

Your teenagers will roll their eyes but it’s important to remember that in a family business, all of the family are the faces of the company.

Apart from reputational damage and personal safety, unguarded use of social media can create many risks.

If you’re the principal in the family business, you’re probably fairly careful with your online activities. But what about the rest of the family? For example, do you know what photos your children are posting on social media? What locations, properties or people are showing in the background? Are location services enabled that show exactly where the photo was taken?

Educating family members about acceptable use of social media may help mitigate some of these risks.

Make cyber security an embedded part of the business culture 

Private business owners often feel (erroneously) that they’re not big enough to be attractive targets. This mindset can lead to an unwillingness to spend money on cyber security until a threat actually materialises.

However, cyber attackers don’t generally chase specific targets but focus on opportunities to gain entry.

Rather than being an afterthought, cyber security needs to be baked in at all levels of the business – owners, executives, employees – through regular awareness training and practical guidance. Security is everyone’s responsibility, and everyone has to be alert to the risks. This applies to members of the owner’s family too.

Those were the areas where people needed to focus because they were so important at that time. Get your shield up, understand what types of things to look for and identify the tell-tale signs of danger (see 5 Most Important Cybersecurity Controls). The risk is real and you are holding the risk.

Implement a mobile device management tool

According to Statista over 6 billion people globally have a mobile phone. The problem is that many people use the same handset and apps for their personal and work activities.

So if a device is compromised or lost, it can impact the business’s data and systems and possibly offer attackers an access point.

The solution is to implement a Mobile Device Management (MDM) tool on everyone’s handset that segregates the work and personal data, ensuring it’s properly managed, protected and backed up.

As we discovered that we are holding the risk, savvy businesses sought to transfer all or part of that risk (see about Global Cyber Market).

And that wasn’t a hurdle – until it was. As the age-old violence of “ransom” regained popularity through the ease with which attackers could execute and benefit from ransomware attacks, the increased transference of that risk caught the insurance industry off guard.

Control access to all company data: both virtual and physical

Data is the lifeblood of any business and the main target for cyber attacks. As a minimum, make sure that your company is applying tools like multi-factor authentication, strong passwords that are updated regularly and the latest security patches.

In smaller companies it can be common practice for people to share passwords and accounts, because it makes things easier. Don’t do this: if an incident occurs, it makes it much harder to tell who was involved or responsible.

It’s not just a company’s front-line data but also any backups that are exposed to the internet. So you should not only back up your important or sensitive data, but also ensure the backup is segregated from access via the internet so attackers can’t reach it.

Finally, don’t forget the physical aspects too: many cybercriminals still rely on getting someone into the office to breach systems, so it’s vital to have proper physical access controls and logs.

It’s equally important to perform due diligence on anyone who has remote access to the systems, such as suppliers or contractors.

Have a plan – and know who you’re going to call

If a cyber incident does occur, it’s imperative to have a plan already in place for what to do. While most private businesses have IT support, they often lack the forensic information security skills they’ll need once a breach occurs.

You should determine in advance what steps you’ll take and which cyber security expert you’ll call to investigate and help.

One option to consider is taking out cyber insurance: as well as potentially covering costs like systems remediation and business interruption, insurers will often have lists of approved experts.

Now the purpose of that intelligence is not just to maintain a shield. It can help drive an organization forward (see Biggest Cyber Unicorn Startups in the World).

Companies that receive transferred cyber risk provide fertile ground to sow new ideas around risk-related data and information as cyber business intelligence. The purpose of cyber business intelligence is to always be there to illuminate and guide leaders toward achieving more efficient and smarter business performance.

Endpoint detection and response

Endpoints like laptops, tablets and smartphones are popular targets for cyberattacks because they frequently offer a pathway to an organization’s networks.

Endpoint detection and response (EDR) continuously monitors these devices to detect, alert and respond automatically to incidents.

EDR’s focus is on the continuous monitoring of real-time endpoint activity, in-depth analysis of suspicious processes and response to incidents and breaches. For example, EDR helps security teams spot anomalies that might otherwise go unnoticed and blocks threats before they can spread.

Many ransomware attacks target backup data, and a top reason for paying a ransom is a lack of recoverable backups.

No wonder many underwriters are demanding that businesses implement immutable backups that cannot be encrypted, modified or deleted. Even better is an immutable backup scheme that is also isolated (air-gapped/offline) from the local network.

Cyber Security, Insurance & Cyber Business Intelligence

Cyber risk has undergone several episodes of change in its relatively short history, but escalating ransomware frequency and severity was unlike anything experienced previously.

The accompanying retrenchment of insurance capacity, coupled with a wave of demand globally, caused a supply and demand imbalance of such extremity that the average cost of cover more than doubled (see 5 Key Benefits of Ransomware Insurance).

While concepts like cyber threat intelligence and risk assessments focus on preventing loss, cyber business intelligence aligns with concepts already utilized elsewhere in a business environment.

“What pieces of knowledge and trends can I follow – that by following them I can be more profitable?” This is a different mindset. This is one anchored on the idea that “you’ve got to spend money to make money.” This drives a culture and enthusiasm that can foster better innovation, better results and faster progress.


AUTHOR: John Boles – Principal, Cybersecurity and Privacy, PwC United States
