In 2019, U.S. companies lost over 3.5 billion dollars to cybercrime. These attacks included phishing, ransomware, and distributed denial of service attacks among many others. Unfortunately, cyberattacks and crime have increased every year since 2008. There are ample examples in recent history of well-known companies that have been breached and suffered significant losses, including the following instances:
- Adobe: Lost tens of millions of user records including user IDs and passwords. Was forced to pay out over $1,000,000 to consumers.
- Equifax: The 2017 Equifax breach may be one of the most well-known in U.S. history. Over one hundred million records were lost.
- Yahoo: Lost over 3 billion records in what is widely regarded as the largest data breach in history. At the time of the breach, Yahoo was being acquired by Verizon and lost over three hundred million of its selling price.
It is a fact of life that you are at risk if your business is using internet-connected devices in any way. Breaches can cost companies millions of dollars. In many cases, a successful breach will lead to a company closing down in a matter of months if not weeks. Cybersecurity is critical because without it you are gambling every minute of every day that an attacker won’t compromise your business and trigger catastrophic losses.
In this article, we outline several critical reasons you need a cybersecurity program and how you can get started.
Cybersecurity Is Important for Risk
Malicious actors are increasingly targeting small and medium-sized businesses. Fortune 100 companies often have entire teams of dedicated security professionals equipped with state of the art software to monitor for and respond to potential incidents. Small and medium-sized businesses have none of these advantages. Most SMBs are struggling to stay afloat right now, especially in light of the global pandemic. It’s easy for cybersecurity to become an afterthought. Unfortunately, cyberattacks are actually increasing during COVID-19, leaving businesses that recently transitioned to a fully remote workforce particularly vulnerable.
43% of cyberattacks target small businesses, and the average cost of a breach is over $200,000. Many companies are out of business within 6 months of a breach, and even those that don’t close may struggle to regain the confidence of customers. “But wait,” you might say, “my company barely uses the internet, why should we invest in cybersecurity?” You have to ask yourself, what data do you store or transmit on your computers? Personal data from customers? This can be names, birthdays, addresses. Financial information? The debit and credit cards your customers use each day. Proprietary information? Your clients’ business and marketing strategies? Almost every business in the 21st century has data that can’t afford to fall into the wrong hands, and almost every business is vulnerable to attack.
Cybersecurity Is Important for Compliance
Getting a handle on compliance can be a headache for many business owners. Unfortunately, compliance is also one of the myriad of reasons why cybersecurity is important. In the United States, every business falls under breach notification laws. This means that if they suffer a leak of customer information they must notify either individual customers or all customers, depending on the state. But breach notification laws are just the beginning. Depending on what type of data your company deals with and where you are located, you also may fall under one of the following laws or regulations:
HIPAA stands for the Health Insurance Portability and Accountability Act, which mandates that any company dealing with Personal Health Information (PHI) take numerous actions to safeguard that data. Penalties for failure to comply with HIPAA (either the cybersecurity rule or overall regulation) are steep, costing a company tens of thousands of dollars per violation. In specific circumstances, criminal charges can be brought. A HIPAA violation can cost your company time, money, and may destroy the years of trust you’ve built between you and the clients you serve.
CMMC stands for the Cybersecurity Maturity Model Certification and applies to companies that hold contracts dealing with CUI (Controlled Unclassified Information). In previous years, federal contractors dealing with CUI were permitted to self-certify that they met the requirements. Under new guidelines, the DoD requires a third-party audit to ensure that your contracting business is in compliance with guidelines set by the National Institute of Standards and Technology (NIST) by October of this year. CMMC has five stages that increase security maturity depending on the type of data the contractor is dealing with. Failure to comply can result in a revocation of federal contracts.
In addition to federal regulations, businesses are also subject to state-level regulations that vary depending on what type of data your company uses and where you are located. For example, if your company is a financial institution operating in New York State, you may also be subject to the NYDFS Cybersecurity Regulation (We wrote a primer on it here) . This regulation was created to help shore up the cybersecurity of financial institutions operating in the state of New York. The NYDFS Cybersecurity Regulation is based on the NIST Cybersecurity Framework, which provides a set of best practices and standards for a company’s cybersecurity measures. Penalties for non-compliance with NYDFS are not entirely clear and will likely be set forth in the coming months and years.
There are many other compliance requirements including FERPA, GLBA, GDPR, and CCPA. Touchstone highly recommends that you consult with a qualified attorney to understand your company’s compliance requirements. Compliance can be difficult, and each case must be evaluated on its individual merits. Failure to comply with the requirements that govern your business can result in monetary losses, loss of trust, and in some cases, legal repercussions.
Cybersecurity Is Important for Trust
In all business, trust is absolutely critical. Having a cybersecurity incident or being forced to disclose a breach can devastate the trust that customers or other businesses have in your business. Many companies have suffered significant blows to their reputation due to a data breach. In fact, some businesses suffer more from reputation loss than the breach itself. According to a study by Varonis, 93% of consumers would be reluctant to use a rideshare company after a data breach. Other issues might arise when trying to work with large companies dependent on massive intricate supply chains. Many companies have begun asking smaller companies for proof that they are in compliance with applicable regulations and have a competent security posture before doing business with them.
Building a coherent, streamlined, and functional cybersecurity program can increase business opportunities and build trust with consumers. It can also open up new opportunities for deals with government agencies, large enterprises, and other companies. Even in a worst-case scenario in which your company is breached, being able to outline how your company protected its data and mitigated the breach can be extremely useful to alleviate reputation loss.
So, you’re convinced that you need cybersecurity, but now what? If you have compliance requirements to meet, or if you store significant amounts of sensitive data on IT systems, we highly recommend you request a consultation so we can help you design a comprehensive and effective cybersecurity program. In the meantime, here are some quick wins that can leave you significantly safer at an extremely low investment:
1. Enable 2FA
2FA stands for two-factor authentication. Two-factor authentication requires both a password and a second factor (unique identifier) to ensure that the person logging into your account really is you. It is one of the simplest and most effective ways to reduce the risk of suffering a catastrophic incident. Usually, 2FA works by sending a unique code or SMS message to your cell-phone which expires after 30 seconds. Enabling two-factor authentication for most services is extremely easy, and provides an effective extra layer of security for free. Here are some common companies that allow for 2FA:
- G Suite
- Wells Fargo
- Capital One
2. Train Employees
Employee training is another excellent opportunity to substantially improve your cybersecurity posture without breaking the bank. End-User training is one of the most effective ways to prevent incidents and improve response when an incident does occur. Employees should be trained on how to avoid common cyberattacks such as phishing, malware, watering-hole attacks, and other common ways in which businesses are compromised.
3. Document Everything
Every company no matter how small should have a full set of information security policies and procedures. Every single business in the United States deals with sensitive data of some sort (credit card data, health data, employee information, banking information). Setting clear standards and expectations for employees regarding information security from the beginning makes it clear to employees that you take your policies seriously. Documentation can also help you in the event of an audit.
4. Keep Software Updated
A massive number of cyberattacks occur every year simply because companies fail to update critical software that they use. Microsoft has a monthly “patch Tuesday” in which they release a full set of fixes for vulnerabilities and exploits that have been discovered. In fact, when WannaCry Ransomware occurred in 2017, Microsoft had already released a patch a few weeks prior fixing the exploit. The problem was that vast numbers of computers hadn’t been recently updated and were still vulnerable. Regular updates are an easy and cost-effective way to reduce risk and ensure that you are getting the optimal performance out of your IT assets.
5. Engage a Managed Security Services Provider
Managed Security Services can help take the pain and difficulty out of managing a competent and effective cybersecurity program. An MSSP can help evaluate what compliance requirements you need to meet, identify what your biggest security needs are, and design a custom program that cost-effectively meets your company’s individual needs.
If you’re still unsure about cybersecurity or would like to learn more about how you could leverage our services to support your security needs, please feel free to send us an email. We would be glad to work with you!