Cyber Attacks are REAL...Do you have a plan for action or are you willing to just roll the dice?

It can seem as though cyber threats and attacks only happen to larger companies and organizations, because media outlets report these large-scale breaches and outbreaks. The truth is that the most frequent threats actually occur in small to medium-sized businesses (we actually saw this firsthand with a client recently, where they were down for 3 days as a result of a virus similar to what impacted The Weather Channel recently!).

A recent research study conducted by the National Cyber Security Alliance found that:

1. Almost 50 percent of small businesses have experienced a cyber-attack.

2. More than 70 percent of attacks target small businesses.

3. As many as 60 percent of hacked small and medium-sized businesses go out of business after six months.

First step – you need a plan for action (different from an action plan)

A plan for action is different from “an action plan” in that it lays out in great detail HOW your team/organization will adapt when the actual cyber attack occurs. By comparison, most organizations have action plans but do not lay out HOW to execute the plan once an attack occurs (and it will occur).

In many cases you will have all of the right defenses/proactive steps in place (anti-virus, malware detection, encryption, firewalls, etc.) BUT will not have in place the right systems to deal with an actual attack and its aftermath.

In business terms, this can mean you do not have a fully redundant system for accessing your applications and data, both live and online, as well as regular offline backups stored in multiple onsite/offsite locations.

QUESTION – If your system was down because of an attack, HOW LONG would it take for you to be up and running (minutes, hours, days or not at all)?

SO how do you get your teams and organization prepared?

1) Training

Most companies provide some training during onboarding of new employees, but it is neither adequate nor followed up with subsequent iterations. This is critical because the single greatest cyber risk is social engineering (i.e., hackers getting people to open emails containing malware, viruses, spear-phishing tools, etc.).

a) How often do you train your employees on the threat of cyber risk and basic ways to avoid it?

b) Do you utilize an outside subject matter expert or internal resources?

c) Do you have a program dedicated to individuals who work remotely or travel for business?

2) Cyber Simulation Testing

Your first thought here may be “What is Cyber Simulation Testing?” Exactly!!

At a high level, it means bringing in outside resources (experts in this area) to perform random, unannounced tests, such as sending out phishing emails to all employees and tracking how they are handled.

Simulations do not have to be sophisticated or costly, but they are proven to be very, very effective in changing one's posture from a defensive one to one of “thinking more like the hacker/attacker.” There is nothing more real than letting someone experience and live through the implications of an attack (in simulated fashion).

The purpose of this post is to highlight a very real and serious problem that can and will have a significant impact on many companies/organizations (i.e., insolvency/bankruptcy, lawsuits; about as serious as it gets).

This is a real problem/challenge for many companies, so be careful who you seek out for advice and guidance.

Victory Strategies has the world-class resources and methods to help your company implement the steps outlined in this post.

“No enemy is worse than bad advice” – Sophocles

Do not roll the dice; seek out experts who will help you with this and any challenge your business faces daily.

Authored By: David Phillips, President of Victory Strategies
