Am I too small to be noticed? Or am I too vulnerable to be overlooked?
What are you hearing?
We hear about the Fortune 500 companies who have been breached. We hear about hospitals. We hear about governments. So how come we rarely hear about a machine shop or accountant or smaller non-profit suffering cyberattacks?
Some people are left to wonder ‘does this really concern me?’ regarding cyber-attackers targeting smaller organizations. Sometimes it may seem that the only ones voicing warnings are those who profit by defending smaller organizations¹.
But all good relationships contain a reciprocity element – and it’s possible nobody would tell you to check your car’s brakes but a mechanic’s sign.
And shorthand-kind-of-thinking – dismissing warnings from interested parties – is a convenient way to help our overloaded minds. But the truth is that convenience doesn’t get you to the logic of what’s going on.
So where is the logic?
The nonprofit Cyber Readiness Institute offers: [Smaller organizations] are highly vulnerable to the threat of cyber intrusion while often ill-equipped and unaware of how to defend themselves. This vulnerability inadvertently places their customers, business partners, and global supply chains at greater risk. The majority of SMBs [small- to medium-sized businesses] lack the knowledge to take action or even where to start. Limited budgets, inadequate expertise, time and resource constraints, a general misunderstanding of the evolving cyber threat landscape, and the misconception that their size makes them unlikely targets all contribute to the risk.
And there are several reasons why smaller organizations may not be talked about.
Fewer people are interested in an organization most people have never heard of. But also there is a stigma to having been breached – sometimes warranted (like when client data has been lost), oftentimes not (a lapse of judgment that gets corrected before anything bad happens). But people are reluctant to admit that their business has been victimized. Also with larger organizations breach-reporting is usually mandated. That may or may not be the case with smaller organizations.
What if I look the other way?
Cybersecurity vulnerabilities can expose an organization to a variety of risks. One unaddressed gap may lead to data loss, service disruption or a compliance violation. Here’s a quick look at the impact of not addressing these vulnerabilities²:
- Operational Disruption: Attackers that exploit network vulnerabilities or obtain credentials can halt production lines, disrupting sales and customer service. Recovery forces you to spend resources that could have been spent otherwise.
- Financial Losses: Cyber-risks can lead to financial damage through theft, fraud and recovery costs. If you lose customer confidence, that has an impact on future business.
- Losing Customer Confidence: Breaches drive customers away. When loyalty is lost there are usually other options for clients. Public disclosures – sometimes required by compliance obligations – can amplify the damage.
- Regulatory Penalties: Regulated industries face sometimes severe consequences for data protection failures, including increased scrutiny and potential loss of certifications.
These are among the serious consequences of doing nothing or an inadequate job of it. Maybe others have occurred to you.
The good news is that there are steps that are within your reach. That’s because addressing vulnerabilities is fundamentally a way of thinking. Only this way of thinking is challenged every day – like by software that more and more swaps out security for ease-of-use (for instance email programs that hide the sender’s email address from plain view, so you have to click to verify who it’s really from [ex. john@verizon.com and not john@vericon.con]).
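The sender check described above, as an added example (not part of the original article): it pulls the real address out of a From header and flags a domain that sits within two character edits of one you trust. The trusted list, the function names and the two-edit threshold are assumptions for illustration.

```python
from email.utils import parseaddr

# Assumption: domains you really correspond with (constructed list).
TRUSTED_DOMAINS = {"verizon.com", "example.org"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: fewest single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def check_sender(from_header: str, max_distance: int = 2) -> dict:
    """Classify the real sender domain: trusted, lookalike, unknown or unparseable."""
    display_name, address = parseaddr(from_header)
    _, at_sign, domain = address.rpartition("@")
    domain = domain.lower()
    result = {"shown_name": display_name, "address": address,
              "verdict": "unknown", "resembles": None}
    if not at_sign or not domain:
        result["verdict"] = "unparseable"
    elif domain in TRUSTED_DOMAINS:
        result["verdict"] = "trusted"
    else:
        # Close to a trusted domain but not equal to it: likely impersonation.
        for trusted in sorted(TRUSTED_DOMAINS):
            if edit_distance(domain, trusted) <= max_distance:
                result["verdict"] = "lookalike"
                result["resembles"] = trusted
                break
    return result

if __name__ == "__main__":
    # Constructed sample headers; the two john@ addresses are the article's pair.
    for header in ("John <john@verizon.com>",
                   "John <john@vericon.con>",
                   "News <news@unrelated.example>"):
        print(header, "->", check_sender(header))
```

Both of the article's messages display as "John"; only the address behind the name separates the trusted sender from the lookalike.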
I’m not sure how to start
How to mitigate the consequences of cybersecurity vulnerabilities:
1. Don’t let criminals have easy footholds to begin with. This means, for example, keeping software patched, avoiding crummy passwords, using multifactor authentication, training people to recognize phishing emails, and limiting employees’ access to only what they need to do their work.
2. Know your as-is state. Do you have a clear document of every device on your network/cloud? Do you have the software licenses documented? Do you know who has access to what? You can’t secure what you don’t know you have.
3. Document what’s valuable that you store digitally. And document why it matters, so everyone can be on the same page.
4. Look honestly at the paradox of knowing security matters and not sufficiently investing in protecting what’s valuable. In many areas of business we are just at the mercy of other people’s rates, but business managers are at their own mercy when it comes to deciding whether to safeguard their digital assets and what steps to take. Steps 2 and 3, above, will give you a clearer picture of how involved security will be and how much of a priority it is to secure these assets.
5. And should the bad guys get in, have the ability to shut them down before real damage is done. As an example, a criminal who gets into a laptop (or any endpoint) generally wants to move laterally – meaning the criminal’s malware wants to elevate its privileges to advance beyond the single device. A recent study shows this movement happens within an average of forty-eight minutes. This number is an oversimplification – the range can be from less than a minute (if credentials are easily had by the criminals) to criminals spying unobserved for months. The point is that there may be ways to halt an incursion if addressed in a timely way. AIs are suited for this kind of real-time behavioral analysis, and can alert if unusual activity is happening on a device or network.
6. Last and far from least, resilience is the key way to think about cybersecurity. Bad things happen. People make mistakes. That is why good backups – that you can be certain will have you up-and-running in short order – are always going to be fundamental.
Follow the logic
Like you’d consult with an insurance agent so your policy adequately covers your assets, the logical thing is to have a cybersecurity advisor guide you concerning your organization’s specific digital footprint. And, yes, Bryley does this kind of work, and the people here would like to learn if we can help you protect your organization.
But all that off to one side, the main idea is that you make yourself the kind of target criminals would rather just skip having to deal with – not worth the trouble. And this is honestly just making yourself a hardened target compared to other organizations. The above six steps will make a significant contribution to that end. In this way you are passed over in favor of easier pickings.
That’s not easy to write, as I wish no one were getting hit by these devastating crimes. No one benefits except criminals. And the losses affect us all. Small businesspeople in our community lose their businesses. Our neighbors are out of work. Their customers may suffer subsequent attacks if data has leaked. The pain radiates out from the spot of attack.
To mount a credible defense against such losses is Bryley’s work with hundreds of New England clients. Bryley’s done this work since 1987. So if you feel it’s right to discuss your IT defense needs, please call 978•562•6077 or email Bryley’s Roy Pacitto or complete the form, below.
1 This is not actually the case; there are many governmental and industry sources that say the same. Here are a few: https://www.sba.gov/business-guide/manage-your-business/strengthen-your-cybersecurity , https://www.cisa.gov/cyber-guidance-small-businesses , https://www.ftc.gov/business-guidance/small-businesses/cybersecurity , https://www.pcisecuritystandards.org/wp-content/uploads/2022/05/Small_Merchant_Guide_to_Safe_Payments.pdf , https://cyberreadinessinstitute.org/wp-content/uploads/CRI-State-of-SMBs-Report_4.25.24.pdf
2 Adapted from SentinelOne’s Cybersecurity 101 document: https://www.sentinelone.com/cybersecurity-101/cybersecurity/cyber-security-vulnerabilities/
by Lawrence Strauss, November 25, 2025
Lawrence has written for Bryley since 2015



