Business leaders have had no shortage of challenges to contend with in recent years. From adapting to a global pandemic to macro-economic pressures, keeping businesses operational has been no mean feat. But there is one global threat that, despite constantly making the headlines, small to medium businesses are continually unprepared for: cyber attacks.
Earlier this year, KNP Logistics Group made headlines when it was forced to close after an attack by the Akira ransomware group, and they are not alone. In a recent report from global insurer Hiscox, over one fifth of businesses that suffered a cyber incident in the last year reported that the impact was enough to threaten the viability of the business.
Of course, not all cyber incidents have such catastrophic consequences, but when the stakes are this high, even small businesses should take seriously the business risk of being caught out by cybercriminals. To make matters worse, recent threat analysis has found that ransomware groups are increasingly going after smaller organisations, no doubt taking advantage of their limited security capabilities while relying on their susceptibility to closure to pressure victims into paying the ransom. Lawrence Perret-Hall, Chief Operating Officer at CYFOR Secure, discusses why, for these newly lucrative targets, now is the time to reassess whether existing security protocols are enough to protect the whole business against closure.
Embracing insurance
In this complex environment, transferring a proportion of business risk through a well-considered cyber insurance policy becomes a no-brainer. Although businesses easily underestimate their value in the eyes of a cybercriminal, securing cover before an incident strikes can be the safety net that ensures the survival of an organisation.
There are multiple costly outcomes from a cyber incident. First, targeted businesses must contend with the losses that come with downtime; the immediate costs of an escalated security and incident response effort; the medium-term losses of a damaged reputation; and in some cases, the extensive legal costs of civil action and regulatory fines. Cyber insurers offer organisations financial security in the wake of these incidents, but they can also reduce the likelihood and impact of an attack before it occurs. In fact, the industry as a whole has been a crucial driver for improving security standards, requiring a basic but robust security posture through pre-cover audits and rewarding it with lower premiums.
When an incident does strike, these same insurers can support businesses in their incident response efforts, from remediation to reporting. Despite cyber attacks becoming more prevalent, most organisations are – thankfully – inexperienced in recovering from a sophisticated attack. Insured organisations have access to panels of experienced incident response professionals who can ensure that businesses bounce back as quickly, and securely, as possible.
Understand security is everyone’s responsibility
The success of a security strategy does not just come down to those chosen to lead it. Educating all employees in how to identify and report phishing and social engineering tactics is a proactive measure that significantly reduces the risk of a breach.
Frequent and comprehensive training sessions are essential to instill a culture of security throughout an organisation, bridging the knowledge gap from entry-level employees to top-tier executives. Phishing has long been a threat in our working and private lives, but new technologies and fast-evolving tactics make each social engineering campaign harder to spot than the last.
The popularisation of generative AI has made the process of drafting phishing emails quicker, easier, and more convincing. In seconds, attackers can now generate scam emails free of the poor spelling and grammatical errors that were once tell-tale signs of phishing, in any language, and in the style of any executive they choose. For employees, this creates a minefield of security risk.
Worse still, as email security software gets better at identifying malicious links in message bodies, attackers route around it, embedding malicious links in meeting invites and even QR codes, where link scanners may not look. Staying ahead requires businesses to look beyond tooling by fostering continuous cyber awareness training within their workforce. When successful, education programmes like this empower employees to become guardians of their workplace security and support wider security efforts.
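One concrete reason calendar invites slip past link scanners is the .ics format itself: RFC 5545 folds long lines, so a URL can be split across a line break and a naive scanner sees only the first, harmless-looking fragment. The following Python script is an added example (not code from the article or from CYFOR Secure) that unfolds an invite before extracting and triaging its links. The sample invite, the `example.com` allowlist and the `attacker-domain.net` look-alike are all constructed for illustration.

```python
"""Scan a calendar invite (.ics) for links, undoing RFC 5545 line folding
first so that a URL split across folded lines is reassembled before any
domain check runs. The sample invite and the trusted-domain list are
constructed for this example; they are not from the article or a real incident."""
import re
from urllib.parse import urlparse

# Constructed sample invite. RFC 5545 folds long lines: a line break followed
# by a single space or tab continues the previous line. The second URL is
# folded immediately after a trusted-looking prefix.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "BEGIN:VEVENT\r\n"
    "SUMMARY:Q3 budget review\r\n"
    "LOCATION:https://meet.example.com/j/123456\r\n"
    "DESCRIPTION:If the main link fails use the backup: https://meet.example.com\r\n"
    " .attacker-domain.net/join\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

# Assumed allowlist of domains the organisation actually uses for meetings.
TRUSTED_DOMAINS = {"example.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def unfold(ics_text: str) -> str:
    """Undo RFC 5545 line folding: CRLF (or bare LF) followed by one space or
    tab is a continuation, so the break and that whitespace char are removed."""
    return re.sub(r"\r?\n[ \t]", "", ics_text)


def naive_urls(ics_text: str) -> list:
    """What a scanner that ignores folding sees: the folded URL is cut short."""
    return URL_RE.findall(ics_text)


def extract_urls(ics_text: str) -> list:
    """Unfold first, then extract, so the full URL and its real host are seen."""
    return URL_RE.findall(unfold(ics_text))


def is_trusted(url: str) -> bool:
    """True only if the hostname is a trusted domain or a subdomain of one.
    Checking the parsed hostname (not the raw URL string) defeats look-alikes
    such as meet.example.com.attacker-domain.net."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def triage(ics_text: str) -> dict:
    """Split the invite's URLs into trusted and suspicious buckets."""
    urls = extract_urls(ics_text)
    return {
        "trusted": [u for u in urls if is_trusted(u)],
        "suspicious": [u for u in urls if not is_trusted(u)],
    }


if __name__ == "__main__":
    print("naive scan:", naive_urls(SAMPLE_ICS))   # backup link looks trusted
    print("unfolded  :", triage(SAMPLE_ICS))       # real host is exposed
```

Run against the sample, the naive scan returns `https://meet.example.com` for the backup link, which passes the allowlist; after unfolding, the same link resolves to `meet.example.com.attacker-domain.net` and lands in the suspicious bucket. The same unfold-before-inspect discipline applies to any mail-gateway rule that inspects attached invites.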
Practicing defence in depth
While prevention and education are vital, in today's landscape all robust security strategies assume that a breach will eventually occur. When it comes to safeguarding against cyber threats, business leaders should now look to achieve 'defence in depth'.
Any defence in depth strategy must start with a security audit. Audits offer business leaders clarity on a business' true security posture. Rather than waiting for a bad actor to pinpoint unknown security gaps, auditing is the first step to proactively improving security controls at the perimeter and within an organisation. Take patching, for example. The Ponemon Institute found that 57% of cyberattack victims could have prevented the breach by installing an available patch, and yet regular patching is easy to let slide in smaller businesses. Once businesses understand the risk this poses, a policy that all critical or emergency patches must be applied within two weeks of release, with someone accountable for checking that it is met, can go a long way towards avoiding opportunistic attackers.
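A patching policy is only useful if it is checked. The following Python script is an added example (not from the article or CYFOR Secure) that evaluates a patch inventory against the two-week rule above. The 14-day window for critical and emergency patches comes from the text; the 30-day window for everything else, the inventory rows and the reference date are assumptions constructed for the example.

```python
"""Evaluate a patch inventory against a patching SLA. The 14-day window for
critical and emergency patches is the two-week rule from the article; the
30-day window for other severities, the inventory rows and the reference date
are assumptions constructed for this example."""
from datetime import date, timedelta

# Days allowed between a patch's release and its installation, by severity.
SLA_DAYS = {"critical": 14, "emergency": 14}
DEFAULT_SLA_DAYS = 30  # assumed window for high/medium/low

# Constructed inventory: (host, patch_id, severity, released, installed-or-None)
INVENTORY = [
    ("fs01",  "KB-A", "critical",  date(2024, 5, 1),  date(2024, 5, 10)),
    ("fs01",  "KB-B", "critical",  date(2024, 5, 1),  None),
    ("web01", "KB-C", "emergency", date(2024, 5, 20), None),
    ("web01", "KB-D", "low",       date(2024, 4, 1),  None),
    ("db01",  "KB-E", "high",      date(2024, 5, 15), date(2024, 5, 18)),
]
REFERENCE_DAY = date(2024, 5, 28)  # assumed "today" for the report


def deadline(severity: str, released: date) -> date:
    """Latest acceptable installation date for a patch of this severity."""
    return released + timedelta(days=SLA_DAYS.get(severity.lower(), DEFAULT_SLA_DAYS))


def is_compliant(severity: str, released: date, installed, today: date) -> bool:
    """Compliant if installed by the deadline, or still missing but not yet due.
    A late installation stays non-compliant: the SLA was breached even though
    the gap has since been closed, and that history belongs in the report."""
    due = deadline(severity, released)
    if installed is not None:
        return installed <= due
    return today <= due


def overdue_patches(inventory, today: date) -> list:
    """Rows past their deadline: still missing, or installed after the due date,
    worst first."""
    out = []
    for host, pid, sev, released, installed in inventory:
        if is_compliant(sev, released, installed, today):
            continue
        due = deadline(sev, released)
        out.append({
            "host": host, "patch": pid, "severity": sev,
            "status": "missing" if installed is None else "installed late",
            "days_overdue": ((installed or today) - due).days,
        })
    return sorted(out, key=lambda r: -r["days_overdue"])


def compliance_by_host(inventory, today: date) -> dict:
    """host -> (compliant rows, total rows), for a quick per-system view."""
    summary = {}
    for host, _pid, sev, released, installed in inventory:
        ok, total = summary.get(host, (0, 0))
        summary[host] = (ok + int(is_compliant(sev, released, installed, today)), total + 1)
    return summary


def report(inventory=INVENTORY, today=REFERENCE_DAY):
    """Convenience wrapper returning both views for the same reference date."""
    return overdue_patches(inventory, today), compliance_by_host(inventory, today)


if __name__ == "__main__":
    overdue, per_host = report()
    for row in overdue:
        print(row)
    print(per_host)
```

On the constructed inventory the report flags KB-D (a low-severity patch 27 days past its assumed 30-day window) and KB-B (a critical patch 13 days past the two-week rule), while KB-C, released eight days before the reference date, is correctly left alone because its clock has not yet run out. In practice the inventory rows would come from the endpoint management or vulnerability scanning tool already in use; the policy logic stays the same.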
When a bad actor does find a foothold in a network, a business that has implemented rigorous credential and access management controls significantly reduces its exposure. Multi-Factor Authentication (MFA) ensures that a stolen or phished password alone is not enough to reach sensitive files, platforms and networks, particularly when combined with least-privilege processes that grant administrative rights only where an individual employee's role requires them. With these controls in place, businesses lay a strong foundation for Zero Trust and place significant obstacles in the path of an attacker who has already got in, buying security teams the time to detect and contain the intrusion.
When bad actors are exploiting loopholes and resource gaps in smaller businesses to extract ransoms, all organisations need to step up their game. By proactively investing in bolstering defences both at the perimeter and through Zero Trust principles, educating employees about the role they play, and transferring residual risk through cyber insurers, business leaders can prioritise resilience for long-term success.