Cybersecurity is like fire prevention: Sure, your house is probably not going to catch fire this year, but you install smoke detectors and pay your insurance premiums anyway. In fact, these days it is far more likely that you will wake up to find your business shut down by hackers than that you will arrive home to a pile of smoldering embers where your house used to be.
And yet, I still encounter many business leaders who are resistant to investing in systems and training to protect against cyberattacks. There are all kinds of justifications, from “We’re too small to be a target” to “We spent a lot of money on this a few years ago and haven’t been hacked yet.” Lots of CEOs and CIOs I talk to think they’re safe because they don’t have anything worth stealing.
They’re wrong, and the risks they’re taking are growing by the minute. The reality for any business leader (and this is where the comparison to a house fire breaks down) is that a cyberattack isn’t a possibility; it’s an eventuality. No budget is large enough to prevent every attack, and there aren’t enough systems or people in the world to detect them all. So you need to invest just as much time and energy in being able to respond and recover.
We know of one company that was hit with a ransomware attack in which the attackers demanded about $100,000 worth of Bitcoin to release the company’s data. The company didn’t pay, and rightly so, but cleaning up after the breach left the firm unable to do business for two weeks and ultimately cost it more than $1 million to recover. And that company was lucky: Many businesses simply couldn’t survive two weeks dead in the water without a functioning website, online ordering system or email.
Your business is not immune. Hackers cast a wide net in their search for vulnerable targets. Whether your company generates $10 million or $10 billion, chances are they have already identified your place in the financial value chain and are probing your defenses right now. Those defenses need to cover four functions:
• Prevention: The combination of systems and procedures designed to keep attackers out of your networks. Think of it like the hazmat suits workers wear against biohazards: very effective at keeping dangerous bugs out, but far from foolproof.
• Detection: The backstop for prevention, or how quickly your organization can tell that something or someone has gotten past your defenses. The longer an intruder goes unnoticed, the more damage is done.
• Response: The coordinated actions taken to contain and clean up an intrusion once it is detected. Doing this well takes preparation and rehearsal, not improvisation.
• Recovery: The ability to resume normal operations. How fast you can recover is what determines the business impact.
Some security measures are easy to install and nearly invisible, such as next-generation firewalls and intrusion prevention systems. They work in the background, blocking traffic from known-bad IP addresses, known malware and the hackers who probe your networks looking for a way in. Others, like two-factor authentication, are more cumbersome and place burdens on employees that they may resist, even though it is one of the most effective single defenses against stolen passwords.
Prevention technology can be purchased, of course, but you can’t neglect the people and processes behind the other three functions: intrusion detection, response and recovery. That requires training, including tabletop exercises that drill employees on exactly what to do when an attack happens. And I’m not talking about the IT team running simulations by itself. The CEO has to take part in the exercise; after all, few events can cost an executive’s job faster than a debilitating cyberattack.
It’s also important to secure participation from every stakeholder in cybersecurity before an event occurs. That means human resources, legal, corporate communications, and outside partners such as IT vendors and public relations firms. Each group’s specific responsibilities must be established from the beginning, as must the lines of communication to outside entities such as regulators, customers and the media.