We’ve been hearing about Equifax ad nauseam.
We’ve learned that the Yahoo hack was even worse than we had thought, and that all 3 billion accounts were compromised in their 2013 breach.
If I asked you to, I’m sure you could rattle off at least half a dozen other big-name companies (or government bodies) that have fallen victim to a cyberattack in the past few years.
And yet, still, I hear executives asking over and over again if their business is “safe” from an attack. My answer to this question will always be “no.”
Safeguarding as Step 1
I’ve written tons of articles about how your business can lower your risk of experiencing a cyberattack. Best practices include:
- Technical defenses like centralized anti-virus, regular patching, trained spam filters, and current firewalls
- Ongoing security assessments to uncover any weaknesses and map out a remediation plan
- Security awareness training to educate your staff about threats like spear-phishing
- Written policies to address your company’s standards for data privacy, mobile device use, passwords, and so forth
Combined, all these initiatives will make your business safer.
Your spam filter will catch some malicious emails before they make it to your inbox. Your risk assessment will catch missing patches so you can shore up vulnerabilities in your operating system. Your security education will empower your staff to identify and avoid fraudulent wire transfer requests. Your passcode requirement will prevent a bad actor from stealing sensitive information from a lost company smartphone.
But no combination of safeguards will ever make you bulletproof.
Response Planning as Step 2
If we’re approaching cybersecurity from a practical standpoint, we need to look beyond prevention and plan for what happens when (not if) we do eventually get hit.
Because, as we’ve seen with the Equifax fiasco, a poor response can be just as damaging to your business as the breach itself.
To be truly prepared for a security incident, we need to consider:
- A powerful backup and disaster recovery solution that you test regularly (your only saving grace if you get hit with ransomware)
- A written incident response plan that includes elements like technical forensics, how you’ll inform your clients of the breach, and how you’ll report any compliance violations
- Cyber liability insurance – as your business deems appropriate – to help cover the costs of recovery
It’s an unfortunate reality, but it’s one we need to accept if we intend to weather the storm that is today’s cybersecurity landscape.
We can’t keep the bad guys out, but we can make sure they don’t take us down.