Below is part 5 of our 6-part series aimed at helping you stabilize your business; this post focuses on Business Continuity. Part 4 of the series is linked here.
“What advice would you give me as my number one priority to consider immediately?”
Time and again, as IT consultants, this is the number one question we get asked. Without knowing anything about their business and without hesitation, the answer is unequivocal: secure your business. If their response is in the arena of “my business is already secured,” we like to retort with a rephrased question: “Would you say your business is invulnerable or impenetrable?” The typical result of the second question is a pregnant pause and an internal evaluation of what the first statement really meant.
While you might expect our first recommendation to be cutting-edge technology or some advice to help your business take off with a new tech strategy to outrun your competition, your number one priority should be to ensure you secure your business. It doesn’t matter if you’re a non-profit, a startup, or an established large organization with a dedicated IT team. Conducting a third-party security assessment is worth its weight in gold.
There has been a steady uptick in cyber attacks against businesses of all sizes. These attacks result in unprecedented breaches, ransomware, and malware exploits across every industry.
For some jaw-dropping statistics, take a peek at our free Cyber Attacks: Understanding the True Impact to Businesses ebook. It is packed with insights into the threat and aftermath of cyber attacks. It’s worse than you might think.
To place things into perspective, 60% of SMBs (Small or Medium-sized Businesses) go out of business within 6 months of a cyber attack.
On December 16th, 2022, CNBC quoted the FBI’s Internet Crime Complaint Center statistic that it had received 847,376 complaints regarding cyberattacks and malicious cyber activity, with nearly $7 billion in losses, the majority of which targeted small businesses. Sadly, these cyberattacks are growing in reach, severity, and complexity year over year with no indication of slowing down.
Why small businesses are such a big target.
The answer is simple: Small businesses have almost no security budget and, therefore, no defense. In the ransomware world, small businesses will be more willing to shell out money to pay the ransom to get their data back, as they cannot typically afford to absorb these losses. Less experienced bad actors also go after the little guys to practice before they attempt to go for a bigger fish.
When this happens to a business firsthand, it’s quite the event to live through. The impact is real, and few can handle it. You’re hit by the psychological, emotional, and morale-crushing realization that your business is now held hostage to ransomware. Your data may be lost, some employees and customers may jump ship, your branding may be hurt, and your insurance policy may increase. It’s a scary process and not for the faint of heart. When a breach is detected, your world is turned upside down.
In larger organizations, experts are brought in to identify the source of the attack, while others are brought in to start fixing vulnerabilities, reviving systems from backups, resetting passwords, and adjusting permissions and access. Everyone fears that they were the one who left the door ajar and let the bad guys in: what if it was that email with the strange attachment or link that did it? Paranoia starts to set in.
All this while your business comes to a screeching halt, with systems going offline, sometimes for days or weeks. You can’t serve customers, and you can’t get access to the critical infrastructure systems you need just to run operations. You bleed money each minute this continues. At the same time, technical teams scour every corner of your business to try to contain the breach.
We know this firsthand and have been there many times, helping customers through these storms. We feel the pain as our customers go through what may be that business owner’s life’s work going up in smoke. This is why we are passionate about encouraging every one of our customers to undergo a Security Assessment. It’s time and money well spent.
Companies that have performed a security assessment in the last year are 60% less likely to experience a severe security breach.
What is a Security Assessment?
Security assessments are evaluations of an organization’s security posture conducted to identify vulnerabilities and risks and to determine the effectiveness of existing security controls. There are several types of security assessments. Here are the more common types:
Vulnerability Assessments.
These assessments identify and prioritize vulnerabilities in an organization’s systems, applications, network, and infrastructure. The assessments aim to identify security weaknesses that attackers could exploit to gain unauthorized access, steal data, or disrupt operations. The assessment should be comprehensive to see how potential bad actors can traverse deep into systems and across the organization.
Penetration Testing.
Also known as “pen testing,” this type of assessment simulates an attack on an organization’s systems to identify vulnerabilities and assess the effectiveness of security controls. These tests aim to identify and exploit vulnerabilities to determine if unauthorized access or control can be achieved. The output of these tests provides detail of how security can be hardened and improved to prevent bad actors from gaining access.
Risk Assessments.
These assessments identify and evaluate risks to an organization’s assets, including physical assets, data, and systems. In some regulated verticals and industries, you may be subject to vendor risk assessments in order to stay within compliance and pass audits. Risk assessments also consider the people and process elements, not just the technology.
Compliance Assessments.
These assessments determine whether an organization complies with relevant laws, regulations, and standards, such as HIPAA, PCI DSS, and SOX. You may be required to abide by or conform to a security framework in some regulated industries or verticals. These tend to have more rigor, and third-party audits are conducted to ensure compliance.
Conducting a security assessment.
While security assessments can be conducted internally by an organization’s security team, and we still encourage that, we also recommend that an external third party conduct one. Our rationale is that internal teams have the tribal knowledge and know where the skeletons are hidden, while external teams start with no assumptions and so tend to turn over more stones and ask additional questions.
In addition, this type of effort requires a specialized skill set with extensive training. Having your internal IT operations teams tackle this should be approached with caution.
The results of a security assessment are used to develop a security plan to improve existing security controls or introduce new ones. Don’t worry about which type of assessment you may need. A credible consultancy will evaluate your business needs and make recommendations or, better yet, conduct a comprehensive security assessment that covers the various layers without making it complicated or costly.
What do I do with the Security Assessment findings?
The output of a security assessment will give you a game plan of what areas require attention. While it is impossible to bulletproof every possible way a cyberattack can occur, you will want to have the information to help you understand your risk profile and tackle areas you should address to reduce your exposure footprint.
Often these results can seem complex, but there is a logical process for remediation, starting with the basics and moving progressively to the more advanced, complex, and larger resource investments.
The costs of remediation vs. not remediating.
When the assessment results come back, it is natural to see each line item and equate it to an expense. While this may be true, many essential items are the equivalent of locking a door: simple and cost-effective. Others may incur a higher cost, like installing a security system in a home. For these more significant expenses, it is worth weighing the risk against its likelihood. This is a typical risk management framework.
As you can see from the diagram above, you can prioritize the critical elements over the others to help steer and mitigate risk and balance that with costs. It is also good to keep in mind that the typical breach of a business is hundreds of times more expensive than even the most in-depth security assessment and its remediations.
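The prioritization described above, as an added worked example (this is not code from the original post or from StrataNorth): each finding gets a likelihood and impact on a 1 to 5 scale, the product is the risk score, findings are ordered by score with cheaper fixes first on ties, and a greedy pass then builds a remediation plan that fits a budget, so the "locking a door" items land ahead of the "security system" items. The findings, their costs and the rating thresholds are constructed for illustration and are assumptions, not values from any real assessment.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    """One line item from an assessment report (hypothetical structure)."""
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)
    cost: int        # estimated remediation cost in USD (constructed)


def risk_score(f: Finding) -> int:
    """Classic 5x5 risk matrix: likelihood times impact, range 1..25."""
    if not (1 <= f.likelihood <= 5 and 1 <= f.impact <= 5):
        raise ValueError(f"likelihood/impact must be 1..5: {f.name}")
    return f.likelihood * f.impact


def rating(score: int) -> str:
    """Map a score to a band. Thresholds are an assumption for this example."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Highest risk first; among equal scores, the cheaper fix first."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.cost))


def plan_within_budget(findings: List[Finding], budget: int) -> List[Finding]:
    """Greedy plan: walk the prioritized list and take every item that still
    fits the remaining budget. An expensive item is skipped rather than
    blocking the cheaper, still-valuable items behind it."""
    remaining = budget
    chosen = []
    for f in prioritize(findings):
        if f.cost <= remaining:
            chosen.append(f)
            remaining -= f.cost
    return chosen


def report(findings: List[Finding]) -> List[str]:
    """One human-readable line per finding, in priority order."""
    lines = []
    for f in prioritize(findings):
        s = risk_score(f)
        lines.append(f"{rating(s):>8}  score={s:2d}  cost=${f.cost:>6,}  {f.name}")
    return lines


# Constructed sample findings; names and numbers are made up for the example.
SAMPLE_FINDINGS = [
    Finding("No MFA on remote access", likelihood=5, impact=5, cost=1500),
    Finding("Backups never test-restored", likelihood=3, impact=5, cost=2000),
    Finding("Unpatched file server", likelihood=4, impact=4, cost=800),
    Finding("No central logging / SIEM", likelihood=2, impact=4, cost=25000),
    Finding("Shared admin account", likelihood=4, impact=3, cost=300),
    Finding("Guest Wi-Fi on office VLAN", likelihood=2, impact=2, cost=400),
]


if __name__ == "__main__":
    for line in report(SAMPLE_FINDINGS):
        print(line)
    plan = plan_within_budget(SAMPLE_FINDINGS, budget=5000)
    print("\nWithin a $5,000 budget, remediate first:")
    for f in plan:
        print(f"  - {f.name} (${f.cost:,})")
    print(f"Total: ${sum(f.cost for f in plan):,}")
```

With the sample data, the four cheapest high-scoring items plus the guest Wi-Fi fix all fit a $5,000 budget, while the $25,000 logging project is deferred to a later phase rather than starving everything below it; in a real engagement the score bands and the likelihood/impact values come from the assessor's report, not from this file.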
Summary
Ignoring the possibility that your business needs to invest in cybersecurity is a dangerous gamble, and the odds are not in your favor. Depending on your particular business needs and the existing tools you use to run it, chances are that a lot of what you need to secure is already in place. Additional investment to properly secure your business may still be needed. You should carefully consider options from the many trusted providers on the marketplace, many of which offer cost-effective solutions for businesses of any size and budget.
How StrataNorth can help.
Are you thinking about investing in the stabilization of your small or mid-sized business? Do you need help securing your business? Let us help you. If you are ready to conduct a Security Assessment and are looking for experts to guide you, StrataNorth has Security and Technology consultants with decades of experience. We can help you reach Operational Stability and deliver a Security Assessment Plan. Reach out for a no-cost, no-obligation chat with an IT Consultant or Security expert today.