Cybersecurity Wake-Up Call: The Hidden Risks Facing Businesses Today

Why a Mid-Sized Business’ Cybersecurity Plan Must Be Solid!

When it comes to cybersecurity attacks, threat actors are frighteningly impartial. Every organization, regardless of size, is a target. Every piece of data is invaluable. The numbers, particularly for mid-sized businesses, though, speak for themselves. According to Verizon’s 2023 Data Breach Investigations Report, 43% of all data breaches involve these sizes of businesses. In fact, over 48% of medium-size enterprises reported a cybersecurity incident last year, according to StationX. More tellingly, Verizon further stated that of 699 cybersecurity incidents impacting these entities investigated in the last year, 381 involved confirmed data disclosures. In comparison, the total number of incidents for large companies was 496, with 227 of them involving confirmed data breaches. Clearly, these companies are more vulnerable, likely because they provide a “balance” between two worlds, experts believe. On one hand, they maintain valuable information, such as employee and customer records and the organization’s financials. On the other, their digital infrastructure may have less resources dedicated to cybersecurity and more dated security infrastructure and practices than larger organizations. Not to mention, they often have under-trained or under-skilled personnel managing and responding to threats. Given these circumstances, it’s not surprising that Verizon believes only 14% of mid-sized businesses are prepared to defend themselves.

So, how should these organizations approach the cybersecurity challenge?

Building a Defensive Posture

The first step is, arguably, letting go of the belief that “this won’t happen to us.” It can and it does! It doesn’t matter if their data is not ’on the level’ of large enterprises. The threat actors are usually just looking for an easy payout. All in all, they often consider it as a low-risk, low-effort undertaking!

The second step is to understand that investing in cybersecurity is not a one-size-fits all exercise. It is critical to understand and implement not just a sound cybersecurity program, but foster a culture of cybersecurity awareness, as well. But, where to begin?

Step I: Understand the Threat Landscape

The Key Challenges

• Limited Budgets – Mid-sized organizations often follow a “make the best of what’s available” approach to cybersecurity. The most prevalent scenario is integrating end-point security, using low-cost, or free consumer-grade technologies. Case in point, according to StationX, a third of mid-sized enterprises rely on such solutions to secure their networks today!
• Limited Manpower Resources – With limited budgets in place, mid-sized organizations may be unable to hire highly trained or skilled specialists. As a result, their defense teams may lack the expertise, certifications, abilities, and experience that large enterprises may have. In fact, StationX reports that 40% of these companies have cited lack of skilled staff as a barrier to investing in security.
• Wading Through a Technology Swamp – As cloud becomes the norm, these companies must navigate the challenges of operating in this often new and unknown environment. This leaves room for a larger attack surface for threat actors. The challenge is real – 77% of mid-sized enterprises cite complexity and lack of knowledge as factors preventing them from improving their cybersecurity stance!
• Threats Evolve in Scope and Severity – Threats like ransomware and malware have evolved over time, becoming more complicated and difficult to detect. Similarly, phishing attacks have found new ways to exploit human vulnerabilities and can cause financial losses. The payouts are anything but insignificant. Covenware estimates that the average ransomware payout in the second quarter of 2023 was $1.54 million!

What Not Focusing on Cybersecurity Can Cost Your Business

So, how much does a cyberattack cost a business? IBM’s Cost of a Data Breach report provided an intriguing, yet startling, perspective.

Overall, companies with less than 5,000 employees registered a significant increase in the average cost of a data breach. The report highlights that organizations with fewer than 500 employees reported that the average impact of a data breach increased from $2.92 million to $ 3.31 million – a 13.4% hike. Those with 500–1,000 employees saw an increase of 21.4%, from $2.71 million to $3.29 million.

Monetary losses aside, organizations also stand to lose their customers’ trust. When customers become aware that their data is compromised, they are more than likely to switch brand loyalties overnight.

The bottom line is simple, a cyberattack can cost you more than just operational downtimes and financial losses. The bigger picture is recovering from compromises, with your brand integrity intact. After all, industry reports cite that 60% of these mid-sized enterprises that experience a successful cyberattack closes its doors within six months!

The cybersecurity challenge clearly weighs heavy on the minds of all business leaders. How best can the issue be addressed?

Step II: Fortify the Business’ Digital Defenses

According to Reveal Risk, the easiest place to start is to ensure that time and money are invested in a balanced manner across people, processes and technology. To get a clearer picture, in fact, these mid-sized enterprises may do best to collaborate with an experienced outsourced service partner (like Quatrro) to not just improve their overall cybersecurity stance, but to maximize their ROI value, as well! They can help you identify the best strategy and use of the resources to bring you the strongest defense.

Your People Are Your Front Line of Defense

All organizations, regardless of size and complexity of security infrastructure, can still experience a cyberattack, owing to human error. Re-emphasizing this fact is the World Economic Forum, which has said that a staggering 95% of all cybersecurity incidents are a result of human error!

To address this, businesses must foster an organizational culture that promotes cybersecurity awareness and training.

A few useful tips and tricks from the Global Cybersecurity Association can help enhance an organization’s cybersecurity stance:

• Emphasize and re-emphasize how critical strong passwords are and how to recognize phishing attempts.
• Always authenticate via multi-factor authentication (MFA) to effectively protect user access.
• Update all software regularly to ensure all patches for identified vulnerabilities are in place.
• Keep your network secure with firewalls, intrusion detection systems, and encryption.
• Back up essential data and systems.
• Have a multi-faceted response plan handy and ready to execute.

It’s All in the Processes

So, when developing a cybersecurity strategy, what should be most important to keep in mind? According to experts, an ideal plan aims at continuously monitoring your system and assessing threats. This, coupled with a professional security risk assessment is what makes (or breaks) any cybersecurity program.

Risk Assessment

In a nutshell, a risk assessment is a systematic process of identifying, analyzing, and evaluating potential risks to these enterprises’ information assets and systems. It is a framework for assessing the likelihood and impact of threats. Per industry reports, effectively executing a risk assessment exercise entails highlighting the following components:

• Identifying critical assets, such as intellectual property, customer data, financial information, etc.
• Identifying potential threats and attack vectors.
• Assessing the potential impact of possible attacks.
• Prioritizing threats based on severity.

For more information about conducting an annual risk assessment, check out this recording of a webinar we conducted with a cybersecurity expert with 25+ years of experience, including 12 years at the White House Communications Agency.

The National Institute of Standards and Technology Framework

For mid-sized enterprises unsure of how to embark on their cybersecurity journey, the National Institute of Standards and Technology (NIST) offers a simple approach. The framework focuses on five core principles: Identify, Protect, Detect, Respond, and Recover. Any businesses can begin with a self-assessment, to identify their current cyber posture and their corporate assets. Thereafter, these organizations will have an educated and informed starting point for their cybersecurity plan.

Best Practices to Bulk up Your Cybersecurity Approach

Consider the following processes to ensure your cybersecurity program remains robust:

• Regularly conduct risk assessments and make adjustments where needed
• When creating a cybersecurity program, keep in mind all assets and all relevant risks, both now and taking into account any organizational changes that are planned to take place.
• Develop a robust framework of plans, policies, and procedures, then regularly review and update those as they can quickly become out of date as the business changes and grows
• Implement technical and administrative safeguards to ensure what you plan to happen does indeed happen.
• Keep testing and monitoring the entire network!

Leveraging Technology to Build Resilience

Cyber resilience, as ResilientX Security puts it, is about assembling the right strategy at the right place, to form a holistic defense.

They highlight that an enterprise can adopt two approaches to building (and maintaining) cyber resilience:

A Proactive Approach

This entails putting proactive security measures at the forefront, to ensure your cybersecurity defenses stay strong. Typically, these include:

• Attack surface management, by limiting system exposure to the internet
• Cybersecurity testing, including security audits, red teaming and blue teaming
• End-to-end vulnerability management in the system
• Penetration testing

A Reactive Approach

• Defensive measures, such as Endpoint Detection and Response (EDR) and Security Incident and Event Management (SIEM) systems.
• Security Operation Centers with round-the-clock support

Step III: Know What Lies Ahead

2024 is expected to be a busy year for cybersecurity – especially with AI and ransomware anticipated to take center stage! A few notable trends to look out for (and ramp up your defenses) include:

• Ransomware tactics are expected to become more complex and aggressive (Forbes)
• AI is anticipated to play a bigger role in cybersecurity, particularly around automated responses and predictive analytics.
• IoT will continue to connect more devices, thus increasing risk significantly (Splashtop)
• Remote working will necessitate a doubled focus on cybersecurity (Splashtop)
• Zero Trust frameworks will gain significant ground in 2024 (Splashtop)

In Closing

Creating (and maintaining) a strong cybersecurity infrastructure is a continuous process. Mid-sized enterprises will benefit from continuing to invest in this infrastructure while also ensuring ongoing update and evolution. After all, cyberthreats are only projected to become more malicious over time!