As we approach a new year, we have another chance to resolve to improve our health – our cyber health. In 2021 alone, over 40% of businesses have had data breaches. Some have paid multi-million dollar ransomware demands, and 35% of those who paid have not gotten all their encrypted data back. It is clear that it’s not if, but when, a cyberattack may cripple your organization. It is easy to be overwhelmed and to sit on your couch and fast forward over the daily stream of stories of data breaches, including Robinhood, SolarWinds, JBS, and Colonial Pipeline, to name a few. More than ever, now is the time to exercise good judgment by getting up off that couch and fulfilling your resolution to be stronger and more resilient against cyberattacks. Remember that the bad guys only need to get it right once to have a successful cyberattack, while your organization must get it right every time to prevent data breach damage. To help you stick to your cyber health resolution, here are concrete steps that you can take now and in the coming months that will make a big difference.
Do a risk assessment evaluation of your cyber readiness. You can’t protect what you don’t know. It is very important to understand and inventory your sensitive data: who has access to it, why they have access to it, for what purpose, and whether they really need it after a project is completed. Having that analysis will put you in a great position to get on a scale, calculate your cyber BMI, and benchmark yourself against others in terms of your cyber maturity. Indeed, the regulators are demanding that annual risk assessments be done, and federal agencies have made valuable resources publicly available to help you with those risk assessments and questionnaires.
Build your team of skilled professionals. Getting your team ready now will help execute the remediation plan you produced from the risk assessment, align against common objectives, and respond to incidents. Assemble a diverse team from information security, human resources, outside counsel, crisis communication, legal, and risk management. Do a tabletop exercise and spend time better understanding each role that these team members play within that incident response team. Exchange mobile numbers, develop a game plan checklist and do a dry-run of a cyber incident so a response can be efficiently executed on holidays and weekends when the bad guys love to take advantage.
Conduct annual awareness training. Awareness training must be done annually, from the top down to the bottom up, across the entire organization to create a culture of cyber security. Over 80% of data breaches are not executed by nation states but rather by the authorized users of those systems. People, not technology, are to blame for phishing being up over 600% in the Covid-19 era. People need to work smart, especially remotely, scrutinize with whom they are sharing sensitive data and why, and understand, as the bad guys get more sophisticated, how they are being lured into a weakness or vulnerability that will lead to massive damage in a data breach. Authorized users are your employees as well as your vendors and other third parties that have credentials to your network, which can put your company at great risk. Manage those third parties to make sure they are taking the right steps, just as your own organization is doing, to strengthen your cyber hygiene.
Prioritize strategic technology investments. Find the technology investments that will make a difference in your organization and invest in them. Given the uptick in ransomware, with over 40% of companies compromised and extortion amounts increasing by 400% in 2021, it is an excellent idea to have a data backup from which you can restore your files if they get encrypted by ransomware. Those data backups should be with a different vendor than your main data repository to allow redundancy. In addition, with sophisticated phishing attacks succeeding against 75% of businesses, multi-factor authentication can make it harder for the bad guys to get into your email and other accounts in ways that would cause data leakage. Setting up an intrusion detection system that alerts you to anomalies before a breach happens is critical. Remember, you need both the software and the people who understand how to interpret the alerts so that you can be proactive in stopping intrusions.
Purchase cyber insurance (if you don’t have it already). If you are not already insured for cyber risk, look into it. Insurance will not only provide your company some coverage for data breach lawsuits but also provide proactive expertise and resources: data breach forensic investigators, attorneys, communication professionals, credit monitoring, and data restoration. Talk with your broker about the likely risk scenarios and how insurance policies will respond to damages from cyberattacks.
As in all exercise regimens, you must start the journey to reduce your cyber risk appetite and build up your cyber muscle. The regulators are not looking for perfection, but they are expecting a good effort and a plan to ensure your business is not the weak link in the cyber chain. The steps listed above can help you stick to, and fulfill, your cyber health resolution of protecting your business from future cyberattacks.