[Image: What type is your organization in cybersecurity commitment? 1, 2 or 3?]
Organizations are not blind, but many struggle to see cybersecurity as a net benefit to their company and so ignore cyber risk. In my opinion, they simply haven’t gone through the exercise of evaluating their risk posture. More directly, they don’t see a reason to justify the cost. A belief that the data on their network is of little value to outsiders, combined with a misunderstanding of how their physical network can be used to launch attacks on other entities, leads to a lack of controls and a very soft target.
As a result, these companies have the highest risk of a cybersecurity incident, as both the impact of an attack and the likelihood of an occurrence are elevated. More importantly, if they are a service provider, this elevated risk is shouldered by their clients. 70% of attacks are suffered by these organizations, which are often small to medium sized businesses. They are often led by individuals who honestly believe they are protected, that certain controls are in place and working.
As the size of the organization grows, so does the cost of an incident and response.
With little done to identify the assets that give the business its value, and only minimal attention applied to basic network controls, the probability rises that a threat will not only succeed but will take hold very fast (onset speed), with access to as much of the internal network as the attacker needs.
This is unfortunate, and avoidable, as over 90% of breaches are the result of a simple failure to employ proper controls.
The length of time a threat can live undetected in this type of environment can be measured in months, even years. The longer a threat is present, the greater the time and expense needed to understand what was done during the period of exposure. In a response event (e.g. ransomware, data loss) a smaller, 10 PC office can see a $25,000 bill just to install and run forensic software on each machine, and another $250/hr to evaluate the PC that is eventually found to be the victim/host. Over a single week, this small office can see a direct expense between $30,000 and $40,000. In fact, the average cost of a simple breach at a small business is approximately $36,000¹.
If you were to evaluate yourself in a few moments, would you find yourself in the red or the green areas of each section? Are you good in some and have opportunities in others? Don’t worry. Much like everything else in life, we all struggle. We all can improve.
Imagine an organization that employs the minimum level of IT security, likely only the basic practices prompted by its hardware or software (e.g. passwords) or by peer groups (e.g. backups, training).
On a Monday morning your client is preparing to process payroll files but a problem quickly arises: those files are unavailable. Ransomware has found its way into the network over the weekend. This isn’t surprising as industry statistics show this threat is the first step in many data loss incidents. Heads catch on fire and a lot of generals mount their horses to take their last ride.
No one is really in charge and no one is thinking through the issue in a critical, calm fashion.
“What do we do? Let’s call someone.” No one has decided what to do with the user’s computer where the attack was recognized. Left connected and powered on, the ransomware has migrated to a few network shares and a printer. A technical resource is finally found to help evaluate the scope of the incident. They find that the cloud-based email system used for corporate email received a phishing message six days prior. The email exploited an old, forgotten vulnerability from years ago. A vacation interrupted discovery.
The unfortunate conversation goes something like this between the business owner and technical resource:
Somewhere, an IT Forensic professional is smiling and starts billing. This security incident happens more than it should.
A simple risk assessment performed by a security professional would have cost a few thousand dollars and likely addressed most of these issues before they were tangible problems. Instead, the expense of using outside services to help evaluate the extent of loss, the loss of equipment as the host machines are removed from the network for forensic interrogation, and the hard-to-quantify reputational loss are far greater.
Make no mistake, outside help may be required, but those firms can only deal with the environment given to them to triage the event. With no formal practices or controls, you have opened up your checkbook for these firms to find evidence and answers, and opened the door for your customers to exit.
Save the $36,000 and the weeks of angst. Spend $5,000 and a few days on a risk assessment performed by a professional and look for the CISA, CISSP, CRISC or similar certification designations in the individual/firm you select.
Risk Assessments are important for MSPs to use in efforts to proactively help customers put the proper IT solutions in place. Collabrance works with InfoGPS to help MSPs provide effective risk assessments to their customers. Learn more how you can better protect your SMB customers with InfoGPS and the Collabrance Managed Security Service Provider (MSSP) Offering.
InfoGPS Networks Inc. has the resources and experience to perform an Information Systems Risk Assessment, Data Risk Assessment, Cybersecurity Risk Assessment, or Privacy Assessment quickly and easily. Our cybersecurity software provides a better way to understand what information you have, of what type, who is using it, and where it goes.