There is always some risk involved in a business. But there is one risk that can destroy your business if you ignore it, and your business is almost certain to encounter it. Yet most people are not prepared for it.
The risk we are talking about is “cyber-attack”.
A cyber-attack can put 60% of businesses out of business. That’s how dangerous it is. You might have heard in the news about cyber-attacks on companies such as Target, JP Morgan, and Netflix, or nation-state attacks such as the Sony/North Korea email breach or the alleged Russian attacks meant to compromise the US election system.
But the most frequent threat is faced by small and medium-sized businesses. And in the case of an innovative small company, the risk of a cyber-attack is much higher. This is because it’s very likely that your innovations tap the power of technology and the Internet, which increases your attack surface.
You might think you’re safe because you have firewalls, VPNs, up-to-date anti-virus software, malware detection, and trustworthy employees, and because you’ve not been attacked yet. Well, not really.
Just because your business hasn’t suffered a cyber-attack yet, it doesn’t mean it won’t happen. So, it is better to be prepared for it than to assume that it won’t happen. What is most frightening is the lack of awareness about the scale of the cyber threat and the lack of a proactive approach to managing the risk, especially among small businesses.
Research conducted by the National Cyber Security Alliance found that:
- Almost 50 percent of small businesses have experienced a cyber-attack.
- More than 70 percent of attacks target small businesses.
- As many as 60 percent of hacked small and medium-sized businesses go out of business after six months.
Symantec, which is the global leader in cybersecurity, discovered more than 375 million new unique malware variants in 2016, 98 million bots, 1.1 billion identities compromised through breaches, and an overwhelming 76% of all scanned websites having vulnerabilities that make them targets for attacks.
According to Symantec, “Cybercrime has become a part of our daily lives. Attacks against businesses and nations hit the headlines with such regularity that we’ve become numb to the sheer volume and acceleration of cyber threats.”
So, what can businesses do to prevent cyber-attacks? Here are some of the things you should consider.
A Plan for Action
Your plan should be flexible so that it can adapt to the actual threat. It’s critical to have the right defenses in place to address viruses and malware, which represent only about 5% of the threats. However, it is even more important to have a plan to counter a cyber-attack, one that includes unknown attacks.
The cyber-attacks that cause major damage do so because the party being attacked is unable to respond, having not planned or practiced a cyber response strategy. This is where your brand is most vulnerable to long-term or potentially irrecoverable damage.
The reason 60% of small to medium-sized businesses that suffer a significant cyber-attack never recover is that they didn’t deem it necessary to have a plan in place.
In most cases, these businesses went out of business because, while they had all the right defenses, such as anti-virus, malware detection, encryption, and firewalls, they didn’t have in place the right systems and processes to deal with an actual attack and its aftermath.
Most companies do not conduct adequate cybersecurity training for their employees. The single greatest cyber risk is social engineering, which means getting people to voluntarily but unknowingly allow an attack to occur.
Hence, it is essential to put every employee through a boot camp on how to avoid and recognize cyber threats.
One such example is a bogus spear-phishing email, which is what compromised and provided access to Hillary Clinton’s campaign chairman John Podesta’s Gmail account during the last election cycle.
Email has become the overwhelming weapon of choice for attackers. A more nefarious way would be using a personal relationship with someone to gain access to sensitive data. You’d be amazed to know that 95% of all attacks involve some form of social engineering.
So how do employees avoid the threat of cyber risk? A simple thing like better adherence to better password protocols is enough to avoid most cyber-attacks. Secondly, don’t ever leave your computer unsecured. On average we each get one email containing malware each day! Therefore, it is imperative that you train your employees on the risks of email threats.
The most important and underutilized defense is conducting simulations of a cyber-attack, or cybersims. This can be as simple an exercise as sending out phishing emails to employees to see who clicks on a bogus link or an attached zip file.
There are other, more sophisticated ways to do this, but anything that lets you expose vulnerabilities and then respond to them will give you an edge in dealing with an attack while it is going on.
Your simulations need not be very sophisticated as the only purpose is to give people a visceral experience that creates the sort of anxiety, chaos, and damage of a real attack. Don’t undervalue this. Simulations have a deep effect on how we think about a problem.
Simulations also have one other advantage. They shift your mindset from a defensive posture to that of an attacker. When you think like an attacker, you can better understand the possible threats and how you’d react to them ahead of time.