A Cybersecurity Assessment, also known as an audit, is a holistic look at an organization’s current defenses against hackers, malware, and other disasters. Assessments have been used for years by enterprises and large government agencies, but businesses of all shapes and sizes should be considering a cybersecurity assessment. Here’s why:
1. You ARE a target.
Some small business owners believe they’re too small to be targeted by hackers and thieves, but that simply is not the case. According to Verizon’s 2019 Data Breach Investigations Report, nearly half of data breaches involved small to midsized businesses. To understand why, put yourself in the shoes of an attacker for just a moment: would you rather go after an enterprise-level target with dedicated security teams and InfoSec budgets, or a smaller target with limited defenses?
In the last 12 months alone, ransomware authors have targeted cities, schools, states, dentists, TV stations, nonprofits, managed service providers, hospitals and manufacturers, just to name a few. Even if your business doesn’t store any sensitive data, criminals can use your network and devices to launch attacks against other entities or use ransomware to lock you out of your ability to process transactions. The reality is that no target is too small to be safe.
2. Your Weak Spots Are in Places You’ve Never Thought Of
What do printers, vending machines, fish tanks, and security cameras have in common? They’ve all been successfully leveraged by hackers as the initial point of entry into a company network. As technology permeates more and more aspects of our business and personal lives, threats can be hiding in places you’ve never thought of. Every piece of software on every device that your business uses is potentially a digital patient zero, acting as an initial point of infection from which bad actors can spread throughout your network or exfiltrate sensitive data. Vendors, contractors, and customers can be equally dangerous.
3. Your Business Probably Won’t Survive a Breach
The infamous Target breach of 2013 directly cost the retailer over $200 million. The Equifax breach in 2017 has so far racked up a tab of $1.4 billion. Both companies have survived due to their global scale and significant assets, but the sad reality is that most smaller businesses can’t survive a significant cybersecurity incident. In their 2019 Cost of a Data Breach study, IBM found that the direct and indirect costs of a data breach in the United States average over $8 million. With those kinds of costs, it’s no wonder that the National Cyber Security Alliance found a quarter of small businesses hit by a data breach in 2019 filed for bankruptcy.
And even if you survive an attack, you may find that many of your customers don’t come back. In another 2019 report commissioned by Bank of America Merchant Services, nearly 30% of consumers surveyed said they would never go back to a small business that had a data breach.
4. Your “Guy” May Not Be A Security Expert
I recently heard a small business owner say they weren’t worried about ransomware because they “had a guy for that”. There’s a natural assumption among many who outsource their I.T. needs that security is also being taken care of, but that’s sadly not always the case. In fact, Managed Service Providers (MSPs) are becoming targets in their own right, as attackers can demand a higher ransom knowing that dozens or even hundreds of companies may depend on the MSP. Recent high-profile incidents involving MSPs have crippled Spanish broadcasters, dozens of non-profits, and a string of dental offices in the midwestern United States. Just as a general contractor may not be a great plumber, you can’t assume that a great system administrator or network technician is an expert in security.
This is doubly true for small businesses that maintain their own systems and infrastructure. Large enterprises have dedicated teams for networking, systems administration, and security, but if you’re like most smaller businesses, your IT staff is likely already wearing multiple hats. A thorough cybersecurity assessment not only finds weaknesses, but helps your staff prioritize and fix the most critical issues first.
5. You Have a Legal Obligation to Secure Data and Report Breaches
“The 20 controls in the Center for Internet Security’s Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.” - California Attorney General Kamala Harris, 2016
Industries like healthcare and financial services are covered by federal legislation, but California’s privacy and information security laws go far beyond this and apply to nearly all businesses operating in the state. A business not using “reasonable security procedures and practices” to safeguard data can be considered negligent, and may be subject to lawsuits and fines. California’s Data Breach Notification laws require any entity that stores or uses personal information – even individuals – to report a breach to the Office of the Attorney General.
Industry and trade groups can be equally aggressive in dealing with businesses that don’t live up to expectations. Whether you’re a registered financial advisor, content producer in the entertainment industry, restaurant that accepts credit cards, healthcare practitioner, or educational institution, you could be subject to additional requirements that go above and beyond state and federal regulations.
6. Documentation Makes a Difference
Your business may have excellent cybersecurity practices, but without proper documentation to back them up, you may still find yourself ending up with the short end of the stick. Insurance companies often use a lack of documentation to deny or reduce payouts on cybersecurity or data breach policies. In a worst-case scenario, documentation also mitigates some of the damage, helping demonstrate due diligence to regulators and potentially helping defend against civil lawsuits. In some states, demonstrating that you follow best practices as they relate to cybersecurity can even remove the possibility of a civil action entirely.
A well-executed Cybersecurity Assessment can even be useful in a worst-case scenario, providing a starting point for investigators and incident response teams to work from. With an accurate inventory of systems and applications, along with their relative weaknesses and vulnerabilities, it’s easier to track down the likely entry point and see how an attacker might have moved throughout the network.
While there is no guaranteed way to prevent a data breach, the findings and recommendations of a Cybersecurity Assessment can go a long way towards mitigating the danger. With a proactive blueprint of your organization’s current security posture, you can prepare for a breach and implement defenses that can deny an attacker any useful information.
If you’re interested in a Cybersecurity Assessment for your business or non-profit, please don’t hesitate to contact us!