Can Your Business Survive A Cyber Attack?

This article summarizes the board’s recommendations for integrating business and cybersecurity, improving risk management and governance, and updating incident management processes for businesses to build resilience amidst an evolving cyber threat landscape. It emphasizes the importance of these practices not just for large corporations, but also for small businesses that are increasingly becoming targets for cybercriminals. It also underscores the need for businesses to invest in cybersecurity resources such as firewalls, multi-factor authentication (MFA), and antivirus software to protect against cyber threats. Moreover, it highlights the importance of protecting sensitive information from cybersecurity threats, which can lead to significant financial and reputational damage.

October is Cybersecurity Awareness Month, an ideal time to examine your organization’s readiness in responding to an imminent cyber attack.

According to IBM Security’s 2023 Cost of a Data Breach Report, a cyberattack could cost a company an average of $4.45 million. This accounts for financial damage from theft of information, disruption of functions, ransomware demands, destruction of hardware and software, and corruption of data. The cost does not factor in missed opportunities and reputational damage to the company’s brand, one of its greatest assets, from the loss of customer trust that can occur with cyber incidents. For a small business, these vulnerabilities can be devastating, as they often lack the resources to recover from such attacks. To mitigate these risks, small businesses should consider implementing a robust firewall and multi-factor authentication system, and ensuring that all endpoint devices, including laptops, are equipped with up-to-date antivirus software. Additionally, they should ensure that sensitive data is encrypted and stored securely to protect against malicious software and other cybersecurity risks.

Taking stock of the latest report by Deloitte’s Center for Board Effectiveness (DCBE), this article summarizes the board’s recommendations for integrating business and cybersecurity, improving risk management and governance, and updating incident management processes for businesses to build resilience amidst an evolving cyber threat landscape. It highlights the vulnerabilities that small businesses face, including phishing, malware, and other forms of cybercrime. It also emphasizes the importance of securing all endpoints, including laptops, which are often targeted by cybercriminals. Furthermore, it stresses the need for businesses to keep their operating systems updated to protect against new cybersecurity threats.

 

Integrating Business & Cybersecurity

The mindset shouldn’t be “the IT people” are solely responsible for business cybersecurity. The National Association of Corporate Directors (NACD) suggests that leaders approach cybersecurity as the organization-wide issue that it is. Consider these cybersecurity principles to improve management oversight of cyber risk:

  • Approach cybersecurity as a risk management issue for the entire enterprise and not just a technology or IT issue. Cybersecurity may have begun as primarily a technology-centric risk, but it has evolved to become a multifaceted business issue. The ability to manage cyber risk is integral to every aspect of business operations. This is particularly true for small businesses, where a single cyberattack can compromise the entire business data and operations. Implementing a strong firewall and MFA system can significantly reduce these risks. Additionally, using strong passwords can help protect sensitive information from unauthorized access.

  • Understand the legal aspects of cyber risks that are relevant to the company’s own facts and circumstances. In addition to the business impacts of a breach, companies and directors may also face legal consequences that boards should consider as they set strategy and define risk appetite. Small businesses are not exempt from these legal implications, making it crucial for them to understand and mitigate their cyber vulnerabilities. Investing in cybersecurity resources, such as endpoint protection and antivirus software, can help small businesses protect themselves from legal repercussions associated with data breaches. Moreover, protecting sensitive data can help businesses comply with data protection laws and regulations.

  • Access cybersecurity expertise, from both internal and external sources, and discuss cyber risk management regularly in board meetings. Cyber risks should be communicated to the board frequently, with adequate discussion about the company’s threat landscape and risk mitigation strategies. In the case of small businesses, this could involve hiring external cybersecurity experts to identify potential threats and develop effective countermeasures. These experts can also provide guidance on the best cybersecurity resources for small businesses, including firewalls, MFA systems, and antivirus software. They can also advise on how to protect critical data from cybersecurity threats.

  • Establish an enterprise-wide risk management framework that is adequately resourced. Confirm that the framework is implemented across the organization at all levels and that it has adequate staffing and budget. For small businesses, this might mean allocating a larger proportion of their budget to cybersecurity measures and ensuring that all employees are trained in recognizing and responding to cyber threats. This includes training employees on how to use firewalls, MFA systems, and antivirus software effectively. It also involves training employees on how to handle sensitive information securely to protect against cybersecurity threats.

  • Discuss identified risks with management, including risk prioritization, appetite, and mitigation strategies. This discussion may include a review of options to transfer risks that cannot be practically mitigated using cyber risk insurance. Small businesses should also consider investing in cyber risk insurance as a part of their risk mitigation strategy. Additionally, investing in cybersecurity resources such as endpoint protection can provide an extra layer of security for business data. This is particularly important for protecting sensitive data, which can be a prime target for cybercriminals.

 

Improving Risk Management & Governance

Establish an effective alignment between risk management and the internal governance structure to address cybersecurity on an organization-wide basis. This includes defining clear ownership, authority and key performance indicators (KPIs) among all internal stakeholders for critical risk management and reporting responsibilities. In a small business setting, this might involve clearly defining the roles and responsibilities of each team member in relation to cybersecurity and ensuring that everyone understands the importance of their role in protecting the business from cyber threats. This includes understanding how to use cybersecurity resources such as firewalls, MFA systems, and antivirus software to protect the business’s data and systems. It also involves understanding how to protect sensitive information from cybersecurity threats.

Consider these strategies for integrating cybersecurity practices into how the business operates and makes decisions:

  • Review the organizational structure to ensure that the cybersecurity function is adequately represented across the business, internal groups and leadership. In a small business, this could mean assigning a dedicated team or individual to handle cybersecurity issues. This individual or team would be responsible for managing the company’s various cybersecurity resources. This includes protecting sensitive data from malicious software and other cybersecurity threats.

  • Understand the basis for, and challenge the assignment of, important roles and lines of accountability for cybersecurity strategy, policy and execution. In small businesses, it’s crucial to ensure that these roles are clearly defined and understood by all team members. This includes understanding who is responsible for managing the company’s cybersecurity resources and who is responsible for protecting sensitive information from cybersecurity threats.

  • Set expectations that cybersecurity and cyber-risk functions are to receive adequate staffing and funding and monitor the efficacy of these determinations. For small businesses, this might mean prioritizing cybersecurity in their budgeting and staffing decisions. This includes allocating resources for the purchase and maintenance of cybersecurity resources such as firewalls, MFA systems, and antivirus software. This also means allocating resources for protecting sensitive data from cybersecurity threats.

  • Inspire a cybersecurity culture and encourage collaboration between the cybersecurity function and all stakeholders relating to, and accountable for, cyber risk at various levels (e.g. compliance, privacy etc.). In a small business, fostering a culture of cybersecurity can be achieved by regularly educating staff about the risks of cybercrime and the importance of following cybersecurity protocols. This includes training staff on how to use the company’s cybersecurity resources effectively. This should include educating staff about the importance of protecting sensitive information from cybersecurity threats.

Ensure an accountable officer has the authority and responsibility necessary to coordinate a cybersecurity risk strategy throughout the organization and that the organization has a comprehensive plan for data governance. In a small business, this role could be filled by a dedicated cybersecurity officer or an existing team member with the necessary skills and knowledge. This individual would be responsible for managing the company’s cybersecurity resources, including its firewall, multi-factor authentication system, and antivirus software. This individual would also be responsible for protecting sensitive information from cybersecurity threats.

 

Updating Incident Management Processes

Cybersecurity response strategies should include answers to questions such as: What happens in the event of a ransomware attack? How do we respond and communicate the incident? In addition to these, some newer questions may spark discussion on emerging issues. Such questions might include the following:

  • What is the company’s approach to access management throughout the business?

  • Who is responsible for determining access in each of the company’s functional areas?

  • Which function is requesting and granting the highest number of exceptions?

For small businesses, managing access to sensitive business data is crucial in protecting against cybercriminals. Implementing a robust firewall and MFA system can help secure access to business data. Additionally, using strong passwords can help protect sensitive information from unauthorized access.

What is the approach to incident response in the event of a ransomware attack? What is the recovery time for the company’s most important business operations? How has the company prioritized business operations based on possible impact? Has the response plan been practiced throughout the company up to the C-suite level? Businesses should have a clear plan in place for responding to cyberattacks, including identifying the key individuals responsible for managing the response and communicating with stakeholders. This plan should also include procedures for using the company’s cybersecurity resources to respond to and recover from cyberattacks. This includes procedures for protecting sensitive information from cybersecurity threats.

When was the most recent cyber risk assessment performed, and what has changed since that time? For small businesses, regular cyber risk assessments can help identify new vulnerabilities and ensure that their cybersecurity measures are up to date. These assessments should include a review of the company’s cybersecurity resources to ensure they are functioning effectively. These assessments should also include a review of the company’s procedures for protecting sensitive information from cybersecurity threats.

To what extent has the risk assessment considered risks related to operational technology, not just information technology? This is particularly relevant for small businesses that may rely heavily on specific operational technologies. For example, a small business might use laptops as a primary endpoint for accessing business data, making it crucial to secure these devices with robust antivirus software.

What is the cyber assessment process for mergers and acquisitions? How has the company considered cyber risk with respect to integrating an acquired business? For small businesses considering expansion through mergers or acquisitions, it’s important to consider the cyber risks associated with integrating new systems and data. This includes considering the cybersecurity resources of the acquired business and how these can be integrated into the existing cybersecurity framework.

 

Investing Is The Key To Survival

A cyberattack is a clear and present danger to any organization regardless of its size. Use this guidance to assess your level of preparedness and resilience should one occur. Investing in robust cybersecurity measures is particularly crucial for small businesses, as they are often seen as easy targets by hackers. By understanding their vulnerabilities and taking proactive steps to address them, small businesses can significantly reduce their risk of falling victim to cybercrime. Investing in cybersecurity resources, such as firewalls, multi-factor authentication systems, and antivirus software, can provide an additional layer of protection against cyber threats.


Experiencing a security breach?

Get immediate assistance from our security operations center! Take the following recommended actions NOW while we get on the case:

RECOMMENDED IMMEDIATE NEXT ACTIONS

  1. Determine which systems were impacted and immediately isolate them. Take the network offline at the switch level or physically unplug the systems from the wired or wireless network.
  2. Immediately take backups offline to preserve them. Scan backups with anti-virus and malware tools to ensure they’re not infected.
  3. Initiate an immediate password reset on affected user accounts with new passwords that are no less than 14 characters in length. Do this for Senior Management accounts as well.
