Hamid Farooqui is a serial entrepreneur, cofounder and CEO of experience management company Sogolytics and CTO of K12 Insight.
I have a friend in the Middle East who’s a cybersecurity guru and senior consultant. A few months ago, he got a call from the head of a major company in the region. Apparently, their systems were under ransomware attack and the business was completely shut down. Before reaching out to my friend for help, the owner had frantically called the chief of the country’s cybersecurity agency. When he explained the problem, the chief just laughed and shook his head. “That? Our systems got hacked, too—and we had to pay.”
Even for major companies and institutions, ransomware is a major problem. From huge payments to bankruptcy, the results can be devastating. The takeaway? Act before you’re hacked.
Scope Of The Cybersecurity Problem
In 2022, according to IBM’s Cost of a Data Breach Report, the global average cost of a data breach was $4.35 million—an increase of 12.7% since 2020. In the U.S., the average cost per breach was $9.44 million—the highest of any country studied. The average 2022 cost of a ransomware attack was $4.54 million—not including the cost of the ransom itself.
Sadly, small companies are often the most vulnerable. In 2021, 70% of cyberattacks hit companies with under 500 employees. In the best cases, they’re able to recover some data and continue to operate. In the worst cases, the lost data is gone forever, along with their revenue and reputation.
Most importantly, even in circumstances where you’ve done everything right, there’s a chance that you work with partners and vendors without your high level of dedication. Hoping for the best isn’t a strategy.
Preventative Measures
You can’t control everything, but you can take proactive steps to protect yourself and your organization. Here are a few important steps that my company takes:
1. Start by allocating a budget to dedicate to cybersecurity. Put your money where your priorities are. Consider the size of your company, the systems you use and the current state of affairs. At Sogolytics, we have a dedicated cybersecurity function, headed by our CISO, with clearly defined budgets and objectives, including governance, risk, compliance, security operations, incident management and cyber recovery.
2. Get your house in order. Do you know where everything is? With remote and hybrid workforces now the norm, managing data has become more complex, but you can’t defend what you can’t find or keep track of. We ensure our cybersecurity architecture is designed with Zero Trust and a layered security model, access to sensitive systems and data is authenticated through multi-factor authentication, and cyberthreats are inspected using multilayer threat inspection, including web, network, database and endpoint. Threat events are integrated with SIEM and are monitored by our security operation for detection and response.
3. Get a good firm or specialist to conduct a full audit for you. They’ll prepare a complete report that will identify gaps you need to address. Ensure frequent internal and external security engagement, covering compliance with industry standards for security and privacy (ISO 27001, GDPR, HIPAA), security testing, red team exercises, secure code reviews, phishing simulations and cyber recovery capabilities.
4. Review the list and define priorities. From there, set a timeline and budget you’ll follow to resolve everything from the big gaps to the small cracks. Our team performs periodic gap and risk assessments, with identified issues prioritized for closure considering the severity of risks and effectiveness of controls. Further, the implementations of controls are tracked with clearly defined timelines and budget expectations.
5. Make improvements, then repeat the same cycle. Forever. Cybersecurity efficiency is measured for maturity with clearly defined KPIs, which are reviewed by management on a periodic basis to promote continuous improvement.
Back-up And Recovery
Even with the best of preparation, your data is still at risk. If you’ve backed it up, you’ve built in an added layer of security.
Have a back-up that can’t be hacked in a location that can’t be accessed. Whether you’re hosted by a major web service provider or you’re self-hosting your data, you need a very clear understanding of where and how your back-up data is stored.
How many data back-ups do you need? More than you might expect. Some follow the 3-2-1 rule, some prefer 4-3-2, and others recommend 3-2-1-1-0, which breaks down as follows:
• Maintain at least three copies of your business data.
• Store data on at least two different types of storage media.
• Keep one copy in an off-site location.
• Keep one copy offline or air-gapped.
• Verify your back-ups so that every recovery test completes with zero errors.
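The three rules above, turned into a checklist that runs over a backup inventory. This is an added example and is not code from the original article; the BackupCopy record, the sample inventory and the reading of 4-3-2 as "four copies in three locations, two of them off-site" are assumptions made for illustration, and the production copy is counted as one of the N copies, as the 3-2-1 rule is usually read.

```python
"""Evaluate a backup inventory against the 3-2-1, 4-3-2 and 3-2-1-1-0 rules.

Added example, not from the original article. The record layout, the
inventory below and the rule thresholds are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str                    # e.g. "disk", "tape", "object-storage"
    location: str                 # where the copy physically lives
    offsite: bool                 # stored away from the primary production site
    offline: bool                 # offline / air-gapped: not reachable over the network
    restore_errors: Optional[int] # errors in the last test restore; None = never tested


# Minimum counts per rule. "zero_errors" is a yes/no requirement rather than a count.
RULES = {
    "3-2-1":     {"copies": 3, "media": 2, "offsite": 1},
    "4-3-2":     {"copies": 4, "locations": 3, "offsite": 2},
    "3-2-1-1-0": {"copies": 3, "media": 2, "offsite": 1, "offline": 1, "zero_errors": True},
}


def measure(backups, primary_media, primary_location):
    """Count what the inventory provides. The production copy is one of the copies."""
    media = {primary_media} | {b.media for b in backups}
    locations = {primary_location} | {b.location for b in backups}
    return {
        "copies": 1 + len(backups),
        "media": len(media),
        "locations": len(locations),
        "offsite": sum(1 for b in backups if b.offsite),
        "offline": sum(1 for b in backups if b.offline),
        # An untested backup (None) does not count as error-free.
        "zero_errors": bool(backups) and all(b.restore_errors == 0 for b in backups),
    }


def evaluate(rule, backups, primary_media="disk", primary_location="hq"):
    """Return a list of failure strings; an empty list means the rule is satisfied."""
    need = RULES[rule]
    have = measure(backups, primary_media, primary_location)
    failures = []
    for key, minimum in need.items():
        if key == "zero_errors":
            if not have[key]:
                bad = [b.name for b in backups if b.restore_errors != 0] or ["<no backups>"]
                failures.append("zero_errors: untested or failing copies: " + ", ".join(bad))
        elif have[key] < minimum:
            failures.append(f"{key}: have {have[key]}, need at least {minimum}")
    return failures


# Constructed sample inventory: a local NAS, a cloud bucket and a tape set
# that has never been test-restored.
INVENTORY = [
    BackupCopy("nightly-nas", "disk", "hq", offsite=False, offline=False, restore_errors=0),
    BackupCopy("cloud-objects", "object-storage", "cloud-region-a", offsite=True, offline=False, restore_errors=0),
    BackupCopy("monthly-tape", "tape", "offsite-vault", offsite=True, offline=True, restore_errors=None),
]


if __name__ == "__main__":
    for rule in RULES:
        problems = evaluate(rule, INVENTORY)
        status = "PASS" if not problems else "FAIL"
        print(f"{rule:10} {status}")
        for p in problems:
            print(f"    - {p}")
```

Run as a script, the sample inventory passes 3-2-1 and 4-3-2 but fails 3-2-1-1-0 on the untested tape, which is the point of the trailing 0: a copy that has never been restored is not yet a backup you can rely on.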
Maintenance And Training
Once you have systems in place, you’re on the right track, but that doesn’t mean you can relax.
You still need to build a rigorous schedule for regular maintenance and testing—both for your systems and your people. Automated testing is on the rise, but human involvement in the processes can be a critical variable. In the event of an attack, will your team maintain composure and take the right actions, or will they have a meltdown as they scramble for a speedy resolution?
Plus, even surviving one attack doesn’t mean you’re safe. Unfortunately, this kind of lightning can strike twice: 83% of organizations studied in IBM’s 2022 report had more than one data breach. If you’re still in business after one attack, make it your business to be better prepared for the next.
Never Stop Learning
Ransomware means big business for cybercriminals. Big payoffs incentivize hackers’ innovation. They’ll never stop looking for ways to crack the vault of your secure data—which means you can never stop looking for ways to keep it safe. Hire professionals, work with trustworthy firms and consultants, and build your own skill set. This is an area to which you must dedicate time and money.
If you’ve been making excuses and thinking that you’re too small (or big) to be attacked, this is your wake-up call: If you can’t afford to protect your data, you can’t afford to be in business.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.