Is there really a cyber threat?
Cybersecurity experts agree on (at least) one thing: it's not a question of IF your company will be attacked, but WHEN.
For the record:
- The number of incidents has increased by 40% in the last two years.
- 67% of companies have experienced more than forty incidents in a year.
- Worldwide, cybersecurity investments have increased by 22%.
Yes, this is a real and serious threat.
What are the costs of a cyber attack?
Containing an internal incident can take several months. Even setting aside the potential loss of productivity, the day-to-day costs are still significant.
The costs associated with an attack vary according to the size of the company.
In very large companies (over 7,500 people) they have risen to over 22 million dollars. According to Desjardins themselves, the data leak they suffered cost them 53 million USD. Pocket change.
For large companies (under 500 people) we are talking about 8 million. Not all of them can pay.
And then you say to yourself: my organization is an SME, or even a very small company, a small fish that will not interest any hacker. Bad reflex: to hackers, everything is fair game. That is why they often launch large-scale operations that aim to pick up everything in sight. By sheer volume, the profit made is significant.
The right question to ask is: what would be the consequences of an attack on my business, however small?
The price in dollars
First, there are the purely financial costs of a business slowdown. If a hacker blocks you, even if only for a few hours or days, during which time you cannot work... this represents a significant loss of earnings. Other costs to consider include possible fines if you are not in compliance with regulations (watch out for the upcoming law 64), or your insurance premiums that will go up if your insurer thinks you are not protected enough (or if you have already suffered damages following an attack), or legal fees if you take legal action or need help to assert your rights.
The price of trust
Then there are the "ricochet" costs: when the attack on your company becomes known to your customers, partners, suppliers... it can tarnish the trust and business relationship they have with your organization. The first question they will ask is whether your lack of security has put them at risk. Simply put: is it still a good idea to continue working with you? The resulting reduction or loss of contracts can also be quantified.
The price of survival
Finally, there is the competitive technical cost: an attack does not always aim to destroy or block your data. It may allow a competitor to retrieve data on an industrial process or the components of a product that your company has designed over many years of research and development (and the investments that go with it...). No ransomware here, no data loss, and yet the result is worse. The company that has discreetly siphoned your data will be able to build a commercial offer identical to yours, with lower development costs and at a fraction of the selling price. This is nothing less than the foreseeable bankruptcy of your company.
On average, in 2020, cybersecurity expenses represented 11 to 14% of the IT budget.
All this is just to underline the importance for companies, whatever their size, to prepare themselves, according to their needs and their budgets. As elsewhere, investing in prevention is much less expensive than spending money on repair. Especially since the protections are sometimes simple and affordable. Before discussing the options available in this area, let's start by seeing if your company is "mature".
What are the warning signs that a company is poorly protected against IT risk?
If you are a manager or in a position of influence on the subject, you can establish an initial diagnosis by asking a few simple questions:
- Do employees know what to do and whom to contact if they detect suspicious activity?
- Do employees know what to do (or not to do) to avoid a security incident (sending unencrypted documents, using applications or add-ons not validated by IT, etc.)? Are they regularly trained?
- Is there a security policy in place? If so, do employees follow it or do they ignore it because they find it too restrictive?
- Is the IT team overworked (or about to be)? Is there a high turnover rate? Are security issues high on the backlog (or not)? Are data leaks on the rise? Is the security budget following an inflationary curve that seems out of control?
- Has the company grown significantly recently? Have IT teams grown in the same way, or has staffing remained flat while needs have increased?
- When IT implements security changes, are the rest of the staff made aware of them? Or have there been counterproductive situations where staff could no longer operate effectively because they were not informed of the new processes?
These are just a few of the questions whose answers can help you get an idea of your organization's level of preparedness and, therefore, risk of attack.
What are the avenues of prevention against a cyber attack?
Several actions can be taken to limit the risk of an attack.
First, if possible, have a dedicated team and budget. If you don't have an internal team, at least plan a budget to call upon an external specialized firm, which will be able to:
- Conduct a thorough audit
- Propose recommendations accordingly
- Implement the proposed solutions
- Ensure a follow-up
Then, train the people. There is no need to turn every employee into an IT expert, but it is possible to train them on some good practices to adopt. Cybersecurity is the responsibility of IT, but it is everyone's business. Sharing relevant articles on the subject can help, such as the annual list of the most common passwords (and therefore the ones to avoid). It is also possible to test how employees respond with simulated phishing attacks. This allows you to identify at-risk populations and take appropriate corrective action.
Ensure that continuous improvement is in place (for both humans and machines), so that both stay current with the evolution of attacks.
Have both reactive measures and proactive measures in place.
By reactive measures we mean measures that will react in case of an attack (firewalls, etc.).
By proactive measures we mean penetration tests with the help of ethical hackers (for example). The advantage is anticipation, which makes it possible to limit the damage, or rather the downtime or slowdown on the day of the attack. These security tests also promote a faster recovery after a real attack.
Establish a business continuity plan (i.e., a disaster recovery plan and an incident response plan): it helps companies of all sizes determine how to detect and respond to security breaches, and then what steps to take to recover what has been lost.
Implement tight and serious password management (unique, renewed, strong...), establish a clear and strict update management plan. And more generally, have a set of clear policies for employees and suppliers, adapted to your company. They should not be too many or too complicated, but strict enough: acceptable use policy, privacy policy, data governance policy, social media policy, BYOD (Bring Your Own Device, increasingly common with organizations that encourage the use of personal cell phones for example), etc.
Have data backups on media that are independent of any network access.
Favour stable and robust operating systems (Linux...).
When browsing, encourage the use of a VPN and enable popup blockers in browsers, especially on mobile devices.
Have antivirus software in place.
This list is not exhaustive...
Conclusion
IT incidents are part of the economic landscape, but they should not be an inevitable fate. When they occur, they generally originate from four areas on which it is possible to act:
- Poorly informed or poorly trained employees who are negligent (56% of cases).
- The absence of security policies in the company.
- A policy in place but not followed: delays in updates or patches.
- Malicious employees (25% of cases).
For each of these areas, countermeasures exist.
While 100% security cannot be guaranteed, it is possible to prepare adequately for the day the incident occurs... and limit its impact. This preparation is often the difference between a company surviving and one closing.
For more information:
Cybersecurity: diagnose to better protect the company
Contact us
To learn more about our new services or to talk to us about your skills development needs, contact Cyrielle Renard at 514-380-8237 or by email: crenard@technologia.ca.