Cybersecurity: we all know it’s important, we all tend to worry about it after something happens. ‘It won’t happen to me’ we tell ourselves. Then it does.
It doesn’t help that a victim-blaming mentality exists. With the offender anonymous, a victim blames themselves for the occurrence, or a provider blames the victim for not making their account secure enough. This can create a stigma around cybercrime, an air of shame, which only serves to shroud it in secrecy.
Sunlight, they say, is the best disinfectant. It’s high time that we bring cybersecurity issues out in the open, as by sharing our collective experiences we’ll be able to learn from them, reduce the likelihood of breaches happening, and mitigate the effects when they do.
Cybersecurity isn’t just something for the big banks and corporations to worry about. 20 years ago maybe, but not today.
“Unless you’re selling tacos on the back of your mom's Volvo, doing all-cash deals, you’ve got a digital company with cybersecurity risk,” says Dominic Vogel, expert, influencer, podcaster, and founder of Cyber.sc. “Even if you’re a sole proprietor, or a two- or three-person operation, there’s still cyber risk. That doesn’t mean that you need state-of-the-art security, but you at least need to have the basics in place.”
There’s a temptation to think of cybersecurity as binary – bad security results in breaches, while good security guarantees they don’t happen. But as always, the truth is less clear-cut.
No matter how great your cybersecurity investment, you can never think you’re bulletproof, as there’s no such thing as 100% security. It’s like saying ‘I’ll never get sick’. Sure, no one wants to get sick, and we all take steps to stay healthy, but some things are out of our control.
Cybersecurity is more of a sliding scale and your investment should reflect the risk of a security breach to your business and the potential consequences should one occur.
The main cybersecurity aim for any business is to prevent a breach from happening. While there are endless and endlessly complex ways to do this, there are three cyber hygiene boxes that every business, no matter its size, should be sure to tick. If you do these basics well, most of the battle will be won.
MFA/2FA is an absolute must. You should ensure there’s always another authentication step on top of your username and password, whether a fingerprint scan, a confirmation email or a code generated through an authenticator app.
The vast majority of people reuse the same weak password across all their accounts, so if a site with poor security is hacked, an attacker can then use those same credentials to get into far more sensitive accounts, such as online banking. This makes the likes of LastPass, Dashlane, and Google Password Manager incredibly important. These tools allow you to generate long, complex, and unique passwords for each of your accounts, holding them in a secure place so you never need to remember them.
There’s an understandable temptation to click ‘Maybe Later’ when a system update is offered. But doing so seriously increases your vulnerability to security breaches. Make sure you’re installing the monthly security updates, as in the ever-evolving world of cybercrime, an up-to-date computer is significantly less likely to be compromised than a computer that’s months behind.
Other key forms of cybersecurity preparation include:
A lot of small businesses will lull themselves into a false sense of security. With all these preventative measures in place, do we really need to plan for a security breach? The short answer: yes. When a security breach occurs – and it will – the response becomes every bit as important as the preparation.
Begin by contacting your service providers and notifying them of the breach. If they can’t solve the issue, reach out to a cybersecurity professional to get advice on your next steps. For small firms, a simple list of cybersecurity contacts can be your number one weapon in forming a response to a breach.
For larger businesses – those with 25 employees or more – a more formal response is required. You should have a digital forensics company on retainer – an electronic CSI team that can figure out exactly what happened and how your business was and will be affected. The information these experts offer up will guide your response, and they can help you avoid situations where you tell your clients ‘we’ve been breached!’, only to find out your business wasn’t actually compromised.
Big digital forensics companies can charge $50,000 to be on retainer, which will be unaffordable for many businesses. But as cybercrime has begun to affect smaller and smaller organizations, boutique digital forensics companies have increasingly catered to this market with more affordable options. It can be tricky to know what a reasonable cost is, but the cybersecurity contacts mentioned earlier can help you to work that out.
An often overlooked part of cybersecurity is offline survivability. How long could your company survive without access to its most critical data? It’s a question that very few business leaders know the answer to; if you ask 10 different people, you’ll get 10 different – but often stammering and shoulder-shrugging – responses.
Is it half a day? Three days? Five? One thing’s for sure: you don’t want to find out what your breaking point is in the middle of a ransomware attack, data breach, or any other form of security incident that makes your data inaccessible.
While it’s great if you can lengthen your offline survivability period as much as possible, there’s no right or wrong answer. Organizations that have five days will simply approach cybersecurity differently from those that can only sustain half a day of downtime. If you find you only have a few hours to play with, at least you know the timeframe you need to work within.
From the technical response, we move to the relationship response. Post-breach, how do you communicate with your customers so that they feel safe doing business with you again?
“One of the worst possible things that can happen in a data breach is your clients finding out about it from someone else – that really shatters trust,” says Vogel. “Another bad response is saying, ‘We were the victim of a sophisticated hack, and we’ve engaged top tier cybersecurity experts to help us figure this out’.”
Does the second example sound familiar to you? That’s because this, for whatever reason, has become the almost customary response to cybersecurity incidents. But what is intended as reassuring is anything but: a customer is instead given a vague description of a very worrying situation, with no hint of a resolution.
“I’ve been studying data breaches for 15 years, and I can count on one hand the number of times I've seen a good, transparent response,” Vogel continues. “After a recent security breach at Equifax, the first thing the CEO did was throw an intern under the bus, blaming them for the breach. My question: how screwed up does your security need to be for it to rely on an intern to work? Once people learn the facts, they’ll lose trust.”
But according to Vogel, there are ways and means of coming out of a security breach with your reputation intact.
“One of the keywords I always circle back to is transparency. Be super transparent about what happened – stick to the facts and avoid the spin:
“Be consistent with messaging – tell clients when they can expect the next update, and deliver it on time. Integrity, accountability, transparency, leadership; these traits create and preserve trust.”
Cybersecurity isn't a tech issue. It's not an IT issue. It’s a business issue. If you’re a business owner, executive, or board member, cybersecurity and cyber risk management should always be top of mind and should command serious investment.
At the end of the day, cyber risk is no different from any other risk, whether operational, financial, or personnel-related. If anything, cybersecurity is forming an ever-greater part of your risk portfolio. If you truly care about the future of your organization, you need to take it seriously.