All Posts By

jaco grobbelaar

Mitigate Your Organization's Cybersecurity Risk

Tech Talk: 20 Things You Must Do to Mitigate Your Organization’s Cybersecurity Risk

By | Security

Is your organization equipped with at least cybersecurity basics? If you don’t know the answer to that question, the following information will help you learn the essentials that can create a starting point for reducing your organization’s security risk.

The 20 most critical elements of cybersecurity basics can be broken into the following five key categories:

  • Asset Tracking
  • Access Management
  • Risk Management
  • Security Controls
  • Incident Response and Recovery

Asset Tracking

  1. Create an asset inventory.

What should be included in the inventory? IT departments typically focus on assets that are most critical to the organization and that are connected to the network. That makes sense (and we’ll discuss those next). However, any asset within the organization that stores or processes information about the organization can be used by cybercriminals. There are numerous asset discovery and logging tools available to help you ensure that you have listed all assets in the organization. In addition to technology assets (hardware, software, and data), you should also include people.

 

  1. Determine the most critical assets in your organization.

Once you’ve created an asset inventory, you then need to determine which assets are considered the most critical. In addition to highlighting this group in your asset inventory, make sure you add important information about the asset such as location, employee who uses it, and technical details (i.e., date of last software update).

 

  1. Analyze the details about the assets in your organization.

You should now have a good picture of the assets in your organization. This basic information can help you start thinking about the level of security and security measures you need to implement. For example, if a large percentage of the organization works from a remote location, it’s probably a good idea to invest in security controls that provide protection for assets in such an environment.

 

  1. Continually update your asset inventory list.

Keeping your asset inventory list current will help you keep track of important information about your assets, such as when software updates are required. One of the most common sources of a data breach is neglecting to apply a software patch. The consequences of this neglect can be exorbitant. The Equifax data breach that occurred in 2017 is an example. Nearly 150 million records were compromised during the breach, and the organization was still dealing with the impact three years later. Equifax eventually had to pay a $425 million global settlement.

 

Access Control

 

  1. Determine the employees in the organization that have access to the critical assets.

The first step of implementing access control to your assets is to learn which employees in the organization have access to the most critical assets and how they access them. It’s also a good idea to determine how access to your critical assets is monitored. The First American Financial data breach of 2019 is a good example of why this step is important. The data breach, which resulted in nearly a billion sensitive records being exposed online, was linked to a website for privileged users that was not designed to verify the identity of the user.

 

  1. Implement strong authentication and authorization controls.

Multi-factor authentication and password encryption are examples of advanced access controls that have been considered the basics for protecting critical assets. In the summer of 2020, we learned that they too can be compromised. Twitter announced on their blog that they were subjected to a social engineering attack. The social media company divulged that the attack was driven by the criminals being able to bypass multi-factor authentication, reset passwords, successfully log in to “high-profile accounts” and send unauthorized Tweets.

 

  1. Use privileged access management (PAM) solution to protect your organization’s critical assets.

A PAM solution enables you to securely control and monitor your organization’s privileged accounts, which are targets for cybercriminals. However, access control isn’t just for preventing people outside your organization from gaining unauthorized access to your organization’s critical assets. According to The Cost of Insider Threats (2020) benchmark study performed by Ponemon Institute, the negligence of insiders in an organization was the top cause of 63% of incident reports and cost organizations nearly $5 million.

 

  1. Consider implementing a Zero Trust access security model.

Microsoft defines a Zero Trust access security model as one that “assumes breach and verifies each request as though it originates from an open network”. By assuming everything in the organization is at risk and must be verified, the process of identifying and granting access to critical assets is much stronger. Implementing a Zero Trust access security model will require that you modify your infrastructure and security policies.

 

Risk Management

  1. Develop a comprehensive cybersecurity plan that is specific to your organization.

There is no one-size-fits-all cybersecurity strategy. You must analyze your situation and determine the threats that your organization are most vulnerable to, and then create a plan that mitigates your risk.

 

  1. Monitor, analyze, and monitor your organization’s network for potential threats.

There are many threat monitoring, detection, and analysis tools and services available on the market. Many of these allow you to pick and choose the services your organization requires. There are some services available that monitor security threats for you. For example, the Department of Homeland Security’s (DHS) Enhanced Cybersecurity Services (ECS) program provides an intrusion prevention capability service to both public and private entities. If your organization is a government entity, you may be able to sign up for the service with little or no cost.

 

  1. Maximize the cybersecurity IQ of all IT security professionals in the organization.

Cybersecurity is an advanced technical practice that requires a specialized set of skills. The individuals in your organization that are responsible for cybersecurity may manage that task alone or function as IT professionals with a myriad of technical responsibilities. Cybersecurity certification isn’t required, but these individuals should know more than cybersecurity basics. Cybersecurity has become an important aspect of doing business. Your cybersecurity staff can easily enroll in training courses in person or online. The training should be ongoing to ensure the security staff is prepared for the ever-changing cybersecurity landscape.

 

  1. Educate all employees in the organization about cybersecurity awareness.

Security awareness training is also important for non-IT employees in your organization. This training teaches employees about security threats and how to avoid them. Your analysis of your organization’s threat landscape will help you determine the most significant information to include in your security training program.

The following are the basics of a security awareness training program:

  • Types of cybersecurity threats and the danger they pose to the organization
  • Policies regarding use of company equipment and networks, bring-your-own-device (BYOD), and remote work
  • Handling sensitive data
  • Communicating with people outside the organization
  • Social media interactions
  • The importance of strong passwords

Employee security awareness training should be a continual event. The goal is to create a culture of security awareness.

Security Controls

  1. Implement controls that protect the organization’s network infrastructure.

The network in your organization is responsible for the transmission of data and one, if not the most, critical assets in your organization. The network is the main entry point that you want to protect.

Here are the most common types of basic network security controls:

  • Firewall
  • Anti-virus solutions
  • Intrusion detection systems

 

  1. Implement security controls that protect data (onsite and in the cloud).

The security controls mentioned in the previous section are measures designed to keep the perimeter of your infrastructure safe. Your protection shouldn’t stop there. You should also take steps to protect the data that is inside the organization or that is managed by a third-party cloud solution.

 

  1. Implement security controls that protect remote connections.

Using a virtual private network (VPN) is the most common method of protecting remote connections to corporate networks. Alternative solutions include permission-based strategies such as identity and access management (IAM) platforms and VPN-like encryption-based strategies such as The Onion Router (Tor).

 

  1. Adopt an adaptive security model.

The cybercriminals in the Twitter breach mentioned previously were able to bypass common access controls. Technology is constantly changing and, unfortunately, cybercriminals are modifying their tactics to keep up with the changes. Implementing a security model that is adaptive to the changes in the threat landscape for your organization is essential.

 

Incident Response and Recovery

  1. Develop a security incident response plan.

Your incident response plan should be specific to your organization and outline how the organization will respond after an attack.

Here are the basic steps of creating a security incident response plan:

  1. Create an incident response team and assign responsibilities.
  2. Identify critical assets and alternate storage solutions.
  3. Determine the procedure for handling compromised assets.
  4. Determine data backup strategy.
  5. Outline the internal and external communication plan.
  6. Document the details from the steps above and have it approved by top-level executives in the organization.

 

  1. Create detailed logs of all security incidents.

Incident logs can help you uncover weaknesses in your security solutions and prevent future incidents. Your organization may also be required by compliance regulations to log all security incidents. The basics of a security incident log answer the when, what, and who questions: When did the incident occur? What was the incident? Who discovered the incident? Make sure you include as much information as possible about the security incident.

 

  1. Consider purchasing insurance to lessen the effects of a cybersecurity issue.

A security incident such as a data breach can have a significant impact on your organization’s reputation and revenue. Cybersecurity insurance can help your organization recover more smoothly from an incident. In addition to mitigating some of your financial losses, cybersecurity insurance may provide security consultants to assist with the recovery process.

 

  1. Test your security incident response plan.

Determining the effectiveness of your security incident response plan is a critical task to perform once your plan is created. The common practice is to replicate a specific type of cyberattack that is realistic as possible for your organization and walk through your plan. Make sure you make notes about any flaws or weaknesses you discover.

 

Next Step

Learning cybersecurity basics can be an eye-opening experience for security professionals. If you realize that your organization has not yet met the baseline of IT security, your next step is to work toward that goal. If you require assistance with performing an in-depth analysis of your business needs, BACS can help.

BACS is an IT services firm of security professionals that specializes in working one-on-one with organizations to first understand what their IT security needs are, and then determine the most robust, flexible, and cost-effective solution.  BACS consultants are also experienced with assisting organizations with strengthening their security foundation.

Malware Threats

Safeguarding Assets from Evolving Malware Threats

By | Security

The digital age has greatly expanded the range of opportunities and avenues of attack for hackers to penetrate your IT security defenses and gain access to critical business systems and applications. Many of these breaches are the result of weak security defenses and poor email usage practices.

 

Malware infections can be particularly devastating for businesses. By interrupting critical workflows and stealing or encrypting crucial data, malware can cause serious financial and reputation damage.

 

According to one report, 66 percent of malware enters enterprise networks through email attachments.

Therefore, the importance of implementing solid email security defenses and best practice measure can’t be overstated, particularly considering the extensive use of email for day-to-day business communications.

 

At the same time, today’s threats are becoming increasingly more sophisticated as cyber criminals create more dangerous variants of ransomware and malware, along with more devious phishing schemes. Whether caused by software failure or human error, a single malware attack can prove catastrophic for businesses of any size.

 

While there is no silver bullet method for preventing all malware attacks, there are reliable, best practice measures to detect and block threats. These baseline methods provide a solid framework for helping to protect sensitive business systems from unwanted intrusions without hampering productivity.

 

Install anti-virus software.

Anti-virus and spam filtering tools offer an effective front-line defense in helping to prevent malicious malware, ransomware and other viruses from sneaking into your network and infecting your applications and systems. These programs scan your email and attachments, checking for vulnerabilities as they enter your inbox. If malicious content is identified, the software will alert users of the suspicious content and typically will quarantine the affected email to prevent it from being inadvertently released. It is your responsibility to check your security settings on your spam filter and enable the specific options you need. You can often change the settings to block out any emails that contain specific words or phrases, which can be helpful in guarding against specific types of scams or email phishing schemes. To help defend against the latest threats and vulnerabilities, make sure your anti-malware software is consistently updated with the latest definitions.

Use secure authentication.

Once an access point is compromised, attackers will often reuse the password to gain access to other systems. Authentication will help obstruct these attempts no matter how the hacker gains access to the password. Options within your email client typically give you a range of authentication capabilities. While the concept is simple, authentication offers a highly effective data loss prevention technique. For a more streamlined security approach, consider consolidating your authentication, encryption, and advanced threat protection into a single security suite. Compared with point tools, these integrated systems require a fraction of the IT resources required to maintain effective threat protection.

 

Keep software updated.

While no system or application is completely safe against malware attacks, software providers regularly provide patches and updates to close any new vulnerability that may emerge. As a best practice, validate and install all new software patches and check for signs of malware in log reports. Be sure to implement routine maintenance including updating your operating systems, software tools, browsers and plug-ins. Make backups of all your data and software on a storage device that is not attached to your network or computer. Confirm that all your backups are operating properly and test them on a regular basis to make sure they will perform when you need them. Also, don’t overlook your email servers, which are a frequent target of hackers. Make sure your IT team has all the necessary tools and information to effectively secure your email servers.

Safeguard email with encryption.

Popular email platforms like Gmail and Outlook typically don’t have sufficient enterprise-level encryption capabilities to fully protect applications and systems against all cyber threats. Third-party add-in encryption services can close these corporate email security gaps, helping to safeguard information in transit and on endpoint devices. For even greater protection, consider full-disk encryption, which encrypts the complete hard drive, safeguarding the data as well as the applications and operating system. Keep in mind that some encryption services can add friction to the user experience. Any encryption tool is only effective if users can easily make it a part of their regular workflow. Carefully weigh your options by testing trial versions before making a final decision.

.

Monitor for suspicious activity

Proactive email scanning can identify vulnerabilities and provide reports on detected gaps in security and recommendations for security patches or vendor updates. These reports describe the types of risks found and a potential cause for each area of vulnerability. Many of today’s leading email monitoring solutions will monitor all user accountsfor suspicious activity and provide an alert if there is any reason for concern. Core capabilities typically include: logging all incoming and outgoing traffic; baselining normal user activity and proactively looking for aberrations; and promptly investigating unusual actions. Network monitoring can also be used to confirm the health of software and firmware throughout system startup, operation and during sensitive upgrade periods.

 

Educate end-users

While implementing the right technology is important, it’s not the entire solution. The users who interface with your business systems must also be educated on how to perform their tasks. Work with your internal team to define and implement policies and practices based on your usage preferences and requirements or mandates specific to your particular market. Create a culture in which people talk about security, and make security a clear priority. Teach users about secure online practices such as how to recognize potential threats and phishing attempts.

 

Continue to build awareness of malware risk attacks and check user awareness with in-house hacking attempts and interactive security activities.  Make sure policies and procedures are consistently enforced.

  • Keep users informed on the latest cybersecurity threats and best practice security techniques.
  • Educate users on how to identify phishing schemes and what to do if a hidden threat is uncovered.
  • Empower and encourage users to be proactive in reporting suspicious behavior.
  • Instruct users on how to use secure networks and follow best practice processes when working remotely.

 

Staying ahead of today’s advancing threats

Safeguarding your vital IT and enterprise infrastructure is not just a security concern; it is a fundamental business issue. It requires an intelligent investment in resources to meet an increasingly complex threat landscape.

While building an effective email security framework is a long-term process, you cannot afford to hesitate. Cybercriminals are constantly looking for new ways to break through your defenses, which is why you need a solid technology foundation, combined a strong culture of awareness and responsiveness to today’s evolving threats.

 

 

 

 

 

 

 

 

 

it planning

Benefits Of Smart IT Planning

By | Networking, Strategy, Technology

In today’s fast-moving business environment, short-sighted IT decisions can lead to costly, inefficient investments and subpar performance. This is especially true in the area of technology and infrastructure. As applications and platforms proliferate and age, problems can emerge, including redundancies, inefficiencies, security gaps, and unplanned information silos.

Businesses will often look to the latest technologies that will deliver the fastest return on investment. This approach can work in the short term, but without proper planning IT teams find themselves struggling to manage an unwieldy IT infrastructure.

Adding to the complexity, many organizations are running on outdated systems and platforms that are not readily adaptable to today’s rapidly changing business demands. Technology modernization efforts not only require upgrading physical equipment and infrastructure, but also the processes and tools that support them.

Understanding what technology your business needs to reach its goals is essential. Knowing how to get it done—how and when to invest, map, plan, coordinate, and engage the enterprise around your technology initiatives—is equally important. That’s where a carefully planned, smartly executed technology strategy can deliver substantial value.

 

Creating a solid technology foundation

Effective technology planning begins with a detailed assessment of your IT environment to determine how well your current infrastructure is performing and how best to leverage existing resources. The assessment will help determine what technologies are being optimized, how they are used, and how well they align with your business needs.

The detailed evaluation will reveal insights into your IT strengths and weaknesses, uncover opportunities for cost optimization, and provide greater clarity for making difficult technology investment decisions. As part of the assessment, technologies and workflows are analyzed, tracking performance to uncover weaknesses, inefficiencies and vulnerabilities.

Data gathered from the assessment is then used to create a plan for performance improvement including actionable implementation steps, timelines, roadmaps, cost estimates, options, and alternatives.

To better assess your IT strengths and capabilities, consider applying similar processes and management techniques used by other organizations to identify areas for improvement and better understand how your business compares to industry benchmarks. Once metrics have been established, recurring checks help ensure the technologies and processes are aligned with the benchmarks.

A results-focused approach to IT assessment and evaluation relies on collaboration between the business and the IT consultant. Make sure your technology partner uses the latest analysis and reporting tools to gather information and determine the health status of each area under review. This will provide a deeper understanding of how well your IT is performing and whether your business strategy is supported by your technology.

With an objective IT evaluation, you’ll better understand the complexities and challenges of technology integration and deployment and gain the insight needed to help ensure your IT solutions align with your priorities and will scale appropriately. The assessment will also help determine if your IT security measure are sufficient for your business needs and allow you to identify opportunities to streamline your operations, optimize resources, minimize risk, and create a competitive advantage.

A comprehensive IT assessment will help your business:

  • Stay current with the latest technologies and security defenses
  • Identify opportunities for cost optimization
  • Meet compliance standards for security, uptime and data governance
  • Improve the reliability and availability of applications and resources
  • Plan for new capabilities based on defined business goals

 

Contact Us for a FREE Security Assessment

 

Reaping the benefits of sound IT planning

 

Technology is advancing rapidly, and your business should focus on leveraging these advances to propel growth, not hinder it. That’s where strategic IT planning can deliver substantial value―providing the expert guidance and optimum internal resources needed to improve efficiency, drive productivity, safeguard assets, and maximize ROI.

A well-designed technology plan has several core functions:

  • Evaluate the capabilities and skills of your in-house IT staff
  • Create a custom, prioritized list of projects and initiatives you need to complete to ensure your technology will support business goals
  • Examine your IT environment, systems, and applications for adherence to best practice standards
  • Conduct an analysis to identify gaps between your business’s needs and the mix and performance of IT infrastructure
  • Understand the timelines, milestones, and estimated costs for each proposed project

A proactive strategy gives you a better chance of preventing major disruptions that can impact your bottom line. The plan prioritizes your management activities to take full advantage of the opportunities enabled by a smooth-running IT operation, whether it’s growing revenue, capturing market share or digital transformation.

Expert analysis and technology roadmap planning help ensure the best approach to migrating your platforms and applications to deliver optimum performance and maximum return on investment. The roadmap includes all of the recommendations and actionable work outlined in the assessment, including a timeline and estimate of the cost of each project and the resources required from both IT and business unit perspective.

With a defined plan and roadmap, technology investments become much more transparent, as milestones and improvements are achieved and tracked along the way. The roadmap will also provide you with a structured framework for planning and managing changes to business and technology priorities as they evolve.

A carefully planned technology strategy will help you:

  • Identify the business capabilities that will be needed over a defined period as outlined in your business plan
  • Establish an overarching technology vision that defines the core elements or features of the technology needed to support your business strategy
  • Agree on the execution timeline outlined in the technology plan
  • Determine the business needs that will take priority and assess the gaps between current and required capabilities
  • Identify and prioritize top technology goals as defined through the needs assessment
  • Develop a roadmap detailing the initiatives that will be delivered during the established planning period

 

Keeping pace with the speed of business

Innovation can transform your business and elevate your performance, but navigating technology and managing complexity isn’t always easy. As your business needs change and grow, more focus is needed to ensure that technical delivery functions and IT services are designed, implemented, managed and controlled in a consistent manner.

Changing business dynamics continue to shift the role of IT―from managing and supporting technology to the broader, more strategic objective of driving business value. In this era of rapid change, strategic IT planning takes on greater importance. To position IT as an enabler of success, you need an IT strategy that aligns with your business and will take you where you want to go.

 



 

network design

Best Practices for Effective Network Design

By | Networking

Navigating the complexity of network design and deployment can be a daunting task, particularly in today’s era of more distributed, interconnected IT environments. Hurried, poorly planned decisions can result in costly, ineffective designs and inferior performance.

With the multitude of different ways to configure an enterprise network, it can be difficult to know where to begin. Adding to the challenge is the task of streamlining network management and monitoring capabilities across disparate, multi-vendor environments that include both wired and wireless infrastructure.

To optimize the value of your network environment, you need a network management strategy that aligns with your business priorities, taking into consideration core infrastructure needs, risk elements, performance demands, and lifecycle costs. As your business needs change and become more complex, more focus is needed to ensure that your network is designed, implemented, and managed in an efficient and consistent manner.

Reactive measures and unplanned upgrades can’t be completely avoided, but you can improve your planning and management approach. A key element of effective network design is creating an environment that will grow with your business. To accurately visualize current infrastructure and future needs, you need a concrete plan and structural map that defines any new hardware and software you plan to add.

You’ll also need to consider how each new component you deploy will impact network performance. As you continue to upgrade infrastructure to support leading-edge technologies like big data, cloud, and the IoT, network bandwidth demand will continue to grow.

While your business strategy needs to be flexible to accommodate changes in priorities and direction, your network design strategy also needs to be agile and adaptable.

A carefully planned, strategic approach to network design and management can help you:

  • Optimize assets and resources, enabling you to redirect in-house talent to more strategic initiatives
  • Minimize risks and protect data through enhanced security and carefully-crafted backup and recovery processes
  • Improve availability and reliability of applications and services and applications for increased productivity
  • Enhance data sharing through better connectivity and tighter integration of resources and systems
  • increase efficiency and reduce costs through automated systems and best practice management processes

To keep pace with the speed of business and technology change, you need a network that is fast, efficient, reliable and secure. At the center of an effective network strategy are several core components.

 

Strategic Network Management

Assessment:

The planning process begins with a detailed assessment of your IT environment to determine how well your network is performing and how best to leverage existing resources. The assessment will reveal insights into your network strengths and weaknesses, uncover opportunities for cost optimization, and provide greater clarity for making difficult IT investment decisions.

 

The assessment can help you:

  • Gain a clear picture of your network capabilities, strengths, weaknesses, and how well your technology plans align with business goals
  • Identify potential vulnerabilities and lapses in system backup, power disruptions, and data recovery processes
  • Create a defined action plan to bolster your network defenses against growing security threats
  • Improve network speed and efficiency while cutting costs through well-timed, strategic technology upgrades

 

 

Monitoring:

Monitoring is the first line of defense against unstable or unforeseen events that affect your network performance. New cloud technologies are assisting in this effort by enabling remote network monitoring without the need for constant onsite support. Proactive monitoring, automated alerts, and continuous insight into usage and performance metrics help quickly identify issues and drive resolution, helping to avoid unnecessary and costly downtime.

  • Network specialists can analyze trends, detect potential threats, and compare performance to industry benchmarks or pre-defined metrics.
  • Expert recommendations on design and configuration improvements help ensure your network is reliable, available and secure
  • Analysis of real-time performance data and usage trends gives managers greater insight into future infrastructure investment needs and ongoing technology recommendations

Security:

Rather than considered as an afterthought, network security should be embedded into your design. Data access and protective measures should include clear policies and procedures for how security is enforced. Additional tools and techniques can provide an extra layer of security to protect against unauthorized access.

 

  • Deploy updated anti-malware to help prevent malicious software such as ransomware and viruses from sneaking into your network, and make sure your anti-malware software is consistently updated with the latest definitions.
  • Keep patches current―make sure your practices include automated patching to help enforce policies and keep systems up to date and enforced with the latest software patching.
  • Make backups of all your data and software on a storage device that is not attached to your network or computer. Confirm that all your backups are operating properly and test them on a regular basis to make sure they will perform when you need them.

New call-to-action

Maintenance:

Network management isn’t only about keeping your operations up and running and maintaining the status quo. It’s also about improving network performance and optimizing efficiency. Preventative maintenance and responsive support capabilities are essential to helping to ensure reliable, secure performance. Advanced analysis, bandwidth optimization, and reporting tools play a vital role in helping network managers:

 

  • Gather information and determine the health status of your network infrastructure
  • Track performance against industry standard benchmarks
  • Identify network components and provide an up to date inventory of connected devices and users
  • Ensure optimum capacity and coverage while extracting maximum value from legacy systems

 

Expertise and support:

Routine network management tasks are vital to helping to ensure maximum uptime and reliability, but they can distract IT from more important priorities. Without sufficient expertise and support resources, your IT team can become quickly overwhelmed, exposing your critical infrastructure to chronic inefficiencies, breakdowns, and hidden vulnerabilities.

That’s where expert planning and insight from an experienced network consultant can provide immense value. Your network consultant will work with you to create a personalized network management and support solution, assist with implementation and training, as well as provide ongoing support through the entire design and installation process.

Whether you are upgrading your existing infrastructure or starting from scratch, with careful planning and the right approach you’ll benefit from:

  • A defined action plan to address any network performance, efficiency, and compliance issues
  • Lower operating costs through more efficient network management and well-timed and targeted infrastructure improvements
  • A plan that will optimize your legacy network systems and better control technology expenses
  • Increased productivity through faster, more reliable network performance
  • Enhance IT security through best practices, intelligent planning, and better awareness of network vulnerabilities and weaknesses
  • A solid foundation to address potential network outages and business continuity and recovery

 

In the age of digital proliferation and widely distributed network connections, maintaining an efficient, responsive network infrastructure t is more critical than ever. It requires a holistic approach that effectively blends proven practices with cutting-edge technologies to create a network that delivers efficient, reliable performance and easy scalability to meet shifting business needs.

Related content

it planning

Benefits Of Smart IT Planning

| Networking, Strategy, Technology | No Comments
In today’s fast-moving business environment, short-sighted IT decisions can lead to costly, inefficient investments and subpar performance. This is especially true in the area of technology and infrastructure. As applications…
network design

Best Practices for Effective Network Design

| Networking | No Comments
Navigating the complexity of network design and deployment can be a daunting task, particularly in today’s era of more distributed, interconnected IT environments. Hurried, poorly planned decisions can result in…
Cybercrime Can Damage Your Business During and After a Security Breach

Five Significant Ways Cybercrime Can Damage Your Business During and After a Security Breach

By | Security

It Won’t Happen To Me

If you think the size of your business keeps it safe from being a target of cybercrime, think again. Twenty percent of small businesses were victims of cybercrime in the last year with that number only including reported cases, according to The National Cyber Security Alliance. Because most small business owners are afraid to report security breaches, it’s safe to assume that the number is much, much higher. Why do cybercriminals target small businesses? Precisely because believing that cybercrime won’t happen to you makes you easy prey with zero protections in place or grossly inadequate ones.

There are 82,000 new malware threats released every single day, with half of the cyber-attacks aimed at small businesses. You don’t hear about it because the news wants to report on more massive breaches. Plus, many violations are kept quiet by the company for fear of attracting bad publicity, fines, lawsuits, and even for fear of embarrassment.

Adding to this, “it won’t happen to me” mindset is the fact that owners of small businesses also think that because their businesses are indeed small, the consequences of a security breach will also be minor.

Here are five significant ways cybercrime can damage your business during and after a security breach, regardless of the size of your business.

 

  1. A Damaged Reputation

When your clients discover that cybercriminals hacked your data, do you think they will rally around you, or have sympathy for your situation? What if your clients are patients worried about their very personal data? What if you manage their financial information? Will they understand that you could have been more responsible, but instead, you didn’t believe it could happen to you or you didn’t want to spend the money? Will they understand that you could have done better, but you decided to take the risk instead?

News of cybercrime will travel fast on social media, and your clients will demand answers. Will your explanations pacify them? Even though there aren’t protection measures with a 100% guarantee, your clients expect you to put in place as many as are adequate for your type of business. If they find out you don’t, their trust in you will start to erode, damaging your reputation and leading to loss of business over the long-term.

 

  1. Government Fines, Legal Fees, and Lawsuits

Did you know that breach-notification statutes remain one of the most active areas of the law? Data breaches and data privacy are areas of legislation where many senators continue to lobby for “massive and mandatory” rules and fines. If you expose client data to cybercriminals, the courts will not be in your favor. This situation does not only apply only to big corporations: any small business that collects customer information also has the essential obligation to its customers to tell them if they experience a breach. The District of Columbia and forty-seven states have their data breach laws – and they are getting tighter as we speak.

If you’re in financial services or health care, you have additional notification requirements under the Securities and Exchange Commission (SEC), the Financial Industry Regulatory Authority (FINRA), and the Health Insurance Portability and Accountability Act (HIPAA). Among other things, HIPAA stipulates that if a health care business experiences a breach involving more than 500 customers, it must notify a prominent media outlet about the incident. SEC and FINRA also require financial services businesses to contact them about breaches, as well as any state regulatory bodies.

You must ensure you are compliant, and that you remain so.

 

  1. Never-Ending Costs

One breach, one ransomware attack, one rogue employee you didn’t protect yourself against, can create hours of extra work for your already maxed-out staff. Add the cost of downtime due to business interruption and the cost of backlogged work. Then you have the loss of sales plus forensics costs to determine what kind of hack attack occurred and what part of your network and data got compromised. And don’t forget the emergency IT costs to restore you to normal if that’s even possible.

In some cases, you will even pay the ransom with zero guarantees you will get back your data. Add legal fees and the cost of legal counsel to help you respond to your clients and the media. You will disrupt cash flow and blow budgets. You will even be required to provide one year of credit-monitoring services to consumers affected by a data breach in some states.

Research conducted by the Ponemon Institute states that the average cost of a data breach is $225 per record compromised. This figure factors in downtime, lost revenue, recovery costs, fines, legal fees, etc. Do the math for your company. How many client records? How many employees? Multiply that number by $225, and you’ll start to get a sense of how much cybercrime can cost your business.

 

  1. Bank Fraud

If cybercriminals access your bank account and steal funds, your bank will not be held responsible for replacing such funds. Verne Harnish, CEO of Gazelles, Inc., and author of the best-selling book The Rockefeller Habits, found out the hard way.

Hackers accessed his computer and intercepted e-mails between him and his assistant. They used this access to instruct the assistant to wire $400,000 worth of funds to three different accounts. Because Harnish was at the time funding several real estate and investment ventures, this kind of instruction was not unusual to the assistant. With assurances from the hackers posing as Harnish, the assistant made the transfers. And, Harnish didn’t notice because the hackers deleted his daily bank alerts. Harnish never recovered that money, and the bank was not responsible for his loss.

Do you think that no one in your staff is capable of making a single mistake or have a single lapse in judgment?

 

  1. Infecting Your Clients Through You

Locking your data or stealing money from you are not the only motivations for hackers. Some want to use your server, website, or profile to spread viruses and compromise other computers. They can use you to relay spam, run malware, build web pages, or promote their religious or political ideals.

 

Which Protections Should You Have In Place Now?

Now that you understand the possible damages to your business from cybercrime, we recommend you have protections in place to significantly reduce the chances of these types of security breaches happening and to minimize the severity and impact if they do occur.

You should also know there is no way we, or anyone else, can 100% guarantee you won’t get compromised. You can only put smart protections in place to reduce the chances, to protect data, and to demonstrate to your employees, clients, and the lawyers that you were responsible and not careless.

We recommend all small businesses have the following protections in place ASAP.

  • QBRs Or Quarterly Business Reviews And Security Risk Assessments
  • Proactive Monitoring, Patching, and Security Updates
  • Relevant Insurance Policies Review
  • Data Breach And Cyber-Attack Response Plan
  • Ransomware Backup And Disaster Recovery Plan
  • Mobile And Remote Device Security Policy
  • More Aggressive Password Protocols
  • Advanced Endpoint Security
  • Multi-Factor Authentication
  • Web-Filtering Protection
  • Cyber Security Awareness Training
  • Protections For Sending/Receiving Confidential Information Via E-mail
  • Secure Remote Access Protocols
  • Dark Web/Deep Web ID Monitoring

Our preemptive Cyber Security Risk Assessment will give you the answers you want, and the certainty you need.