Three Steps to Make Cybersecurity a Business Imperative
The pandemic inspired many fundamental changes to the way companies operate, perhaps none more significant than the ramp up in digital adoption as millions of people began working from home. As a result, the same period also saw a steep increase in cyber-attacks, as bad actors began capitalizing on newly realized vulnerabilities in companies’ plans for digital transformation. Notable incidents such as the ransomware attacks on Colonial Pipeline and SolarWinds were captured in headlines, but as of late, we have witnessed a subtle shift in attacks, as ransomware groups have increasingly been targeting middle-market businesses — in particular, those backed by private equity or venture capital firms. The approach is employed to ensure a payout, without garnering the same media and law enforcement attention of a big-name attack.
In the years ahead, as mid-market leaders, investors, and board members continue to adopt more digital technologies to improve efficiencies for their companies, cybersecurity must remain a business imperative. They can start by taking these three steps:
1. Identify Holes and Gaps
The first step in assessing a business’ cybersecurity preparedness is to conduct an audit. This can be carried out by a qualified third-party company with the goal to garner a better understanding of the strengths and weaknesses of the business’ cybersecurity program and then create a robust improvement plan.
The following questions should be answered in an audit:
- Data: Is data encrypted in storage and in transit? Is data protected by software to prevent extraction to removable media devices? Is Personally Identifiable Information (PII) and other sensitive data secure and audited frequently for compliance? Are policies for data storage location in place, audited, and enforced?
- IT Infrastructure: Do IT organizations have a team member with cybersecurity certification (e.g., CISSP, CEH, CSX)? Is a Cybersecurity Improvement Program (CIP) in place and prioritized by risk assessment? Are security patches available and applied in a timely matter? Are network monitoring and intrusion detection in place? Is web filtering in place?
- Employee Support: Is phishing testing in place? Are mobile devices secured? Does the company support strong password management? Have users been trained on how to recognize social engineering threat vectors?
2. Confirm Insurance Policy
In accordance with the audit, businesses should review their cybersecurity insurance policy to ensure a sufficient policy is in place to mitigate the financial risk associated with an attack. Whether assessing an existing policy, or searching for a new one, confirm sufficient coverage is offered for typical events – in particular, data ransom and intellectual property theft. Cybersecurity Ventures expects global cybercrime costs to grow 15% per year over the course of the next five years, with the expectation that the cost incurred by businesses will be exponentially larger than that inflicted by natural disasters.
If a company has been denied for cyber insurance, it is typically seen as a red flag that the policies and procedures in place are not up to industry standards. Insurers look to the following factors when determining whether to offer a plan:
- Multi-Factor Authentication (MFA)
- Payment Card Industry Data Security Standard (PCI)
- Updated infrastructure hardware
- Updated end user machines
- Patch management
- Enforced cybersecurity policies
3. Create an Incident Response Plan
Cybersecurity is all about preparedness and expecting the unexpected. It is vital for investors, board members, and business leaders to push for creating an incident response plan, the basic premise of which should be to put clearly defined steps in place. This should plan should articulate clear details around communications (i.e., how and when to notify employees, customers, vendors and/or clients), as well as tactical steps to address the breach, which could include everything from resetting passwords to checking on what backups are in place.
Likewise, the costs associated with an attack should also be considered when creating a plan. Damages can include costs to fix the problem, lost revenue resulting from a potential business disruption, and a tarnished reputation (potentially), as well as fees pertaining to regulatory enforcement. As such, investors, board members, and business leaders can decide whether to sign a retainer with a remediation firm.
There is no one-size-fits-all approach to cybersecurity. But regardless of size, every company has a vested interest in ensuring they are prepared for a breach, particularly in a time when cyber-attacks are becoming more common. If these issues are not currently being discussed, investors, board members, and business leaders have a responsibility to shed light on the risks associated with not having a plan in place and initiate a discussion on how to establish meaningful cybersecurity protocols.