When you identify risks to your business, how do you address them so that they don’t disrupt operations and cost you a great deal of money?
By 2025, the total volume of data worldwide is expected to reach 175 zettabytes (175 followed by 21 zeros). This includes everything from streaming media and social media to business data. Securing all of this data is vital.
The threats to your business can come from cyber criminals, suppliers and customers, as well as your own staff.
The financial cost of cybercrime alone is predicted to hit $10.5 trillion by 2025, according to the latest version of the Cisco/Cybersecurity Ventures “2022 Cybersecurity Almanac.”
It takes an average of 287 days for security teams to identify and contain a data breach, according to the “Cost of a Data Breach 2021” report released by IBM and Ponemon Institute.
A cyber security incident is an unwanted or unexpected cyber security event, or a series of such events, that has a significant probability of compromising business operations.
So, how do you address these concerns?
How do you minimise the likelihood of a cyber security incident, and how do you recover from one?
Start by looking at the risks that may impact your business and cause a cyber security incident.
But how do you know an attack is coming? Cybercrime can have far-reaching effects on your business and your customers, depending on the extent of the attack.
What is the cost of a cyber security incident?
The cost of a security incident is far higher than you may think. The harm caused by a cyber attack depends entirely on your business.
If your business is well prepared, you can expect relatively little damage, and a good cyber risk mitigation strategy can further reduce the harm of an attack. However, direct damage is not the true cost of a cyber attack.
A cyber attack will also affect your business’s reputation. Some of the indirect costs of a cyber attack are as follows –
Data Loss – The loss of information increases your costs because you will have to invest resources in data recovery. You may also face fines and penalties.
Investor Perception – An organisation’s value normally drops after a data breach. Negative media coverage affects your business’s worth. If you have a large organisation, this can mean losing a large amount of money. It also applies to smaller organisations: most SMBs lack the resources to manage negative media.
Operational expenses – Attackers may attempt to shut down your online operations, for example by using DDoS attacks against your servers. This leads to lost customers, who will move to other platforms while your services are unavailable.
Reputation – You will lose loyal customers because of an attack, and it will become harder to attract new ones. Your brand name is tied to your whole business. If you want your customers to stay with you, assess your cyber risks and fix them as soon as possible. The following section covers how to mitigate cyber security risk.
Legal Implications – Regulatory requirements set by federal, state and territory institutions have significant legal and financial impact on organisations conducting business. Some of these are:
- Australian Privacy Act 1988
- Security Legislation Amendment of Critical Infrastructure Protection 2022
- National Data Breach Scheme
- Security of Personal Identifiable Information and Financial Information
- Prudential Standard CPS234
Mitigating the Risk
Cyber risk mitigation is the process of assessing a company’s important assets and then protecting them using a risk strategy. Your organisation needs to decide its risk tolerance (high, medium or low) so that you can create a risk mitigation plan that limits those risks. A risk mitigation strategy shields your organisation’s assets from internal and external threats and saves money in other ways too.
Cyber risk mitigation is a critical-thinking tool that helps you build a plan for threats you have not yet seen, so that they can be managed more easily. A cyber risk mitigation plan is an opportunity to reduce and eliminate hazards. You cannot always prevent a disaster, but you can generally reduce its impact. That means having a sound risk mitigation procedure in place that will help you should the worst occur.
Conduct a risk assessment
The first step in any cyber security risk mitigation plan should be to conduct a risk assessment, which can help uncover gaps in your organisation’s security controls.
A cybersecurity risk assessment requires an organisation to determine its key business objectives and identify the information technology assets and processes that are essential to realising those objectives.
It is then a case of identifying the cyber attacks that could adversely affect those assets, and deciding on the likelihood of those attacks occurring and the impact they would have, ultimately building a complete picture of the threats to the business objectives.
This allows executives and security teams to make informed decisions about how and where to implement security controls, reducing the overall risk to a level with which the organisation is comfortable.
- Determine the scope of the risk assessment
- Identify assets and processes
- Identify the threats to these assets and processes
- Identify the consequences and likelihood of each threat occurring
- Identify cyber security risks
- Determine and prioritise the risks
- Document the risks, recording for each:
  - Risk scenario
  - Identification date
  - Existing security controls
  - Current risk level
  - Treatment plan: the planned activities and timeline to bring the risk within an acceptable risk tolerance level
  - Progress status: the status of implementing the treatment plan
  - Residual risk: the risk level after the treatment plan is implemented
  - Risk owner: the individual or group responsible for ensuring that the residual risk remains within the tolerance level
A cybersecurity risk assessment is a significant and ongoing undertaking, so the appropriate time and resources need to be allocated if it is going to improve the future security of the organisation.
It will need to be repeated as new threats arise, and new systems or activities are introduced, but if done well the first time around it will provide a repeatable process and template for future assessments, whilst reducing the chances of a cyber-attack adversely affecting business objectives.
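The documentation steps above translate directly into a risk register. The following is an added example, not code from the guide, of a minimal register that records those fields, scores each risk so it can be prioritised, and reports which residual risks still sit outside the organisation’s tolerance and which treatment plans are overdue. The 1–5 likelihood and impact scales, the score bands, the review date and the three sample risks are constructed for illustration.

```python
"""Added example (not from the guide): a minimal cyber risk register that records
the documentation fields listed above and scores risks so they can be prioritised
and compared against the organisation's risk tolerance. The 1-5 likelihood and
impact scales, the score bands and the sample risks are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

TOLERANCE_RANK = {"low": 1, "medium": 2, "high": 3}  # tolerance levels named in the guide
REVIEW_DATE = date(2024, 5, 15)                       # constructed "today" for the demo


@dataclass
class Risk:
    scenario: str
    identified: date
    existing_controls: List[str]
    likelihood: int            # 1 (rare) .. 5 (almost certain); constructed scale
    impact: int                # 1 (negligible) .. 5 (severe); constructed scale
    treatment_plan: str
    treatment_deadline: date
    owner: str
    progress: str = "not started"
    residual_likelihood: Optional[int] = None   # estimated once a treatment is designed
    residual_impact: Optional[int] = None

    @property
    def current_score(self) -> int:
        return self.likelihood * self.impact

    @property
    def residual_score(self) -> int:
        # Until a treatment has been assessed, the residual risk equals the current risk.
        if self.residual_likelihood is None or self.residual_impact is None:
            return self.current_score
        return self.residual_likelihood * self.residual_impact


def rate(score: int) -> str:
    """Map a 1..25 score onto the guide's low/medium/high levels (constructed bands)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def prioritise(register: List[Risk]) -> List[Risk]:
    """Highest current risk first, so treatment effort goes where it matters most."""
    return sorted(register, key=lambda r: r.current_score, reverse=True)


def outside_tolerance(register: List[Risk], tolerance: str) -> List[Risk]:
    """Risks whose residual level still exceeds the organisation's stated tolerance."""
    limit = TOLERANCE_RANK[tolerance]
    return [r for r in register if TOLERANCE_RANK[rate(r.residual_score)] > limit]


def overdue(register: List[Risk], today: date = REVIEW_DATE) -> List[Risk]:
    """Treatment plans past their deadline that are not yet complete."""
    return [r for r in register if r.progress != "complete" and today > r.treatment_deadline]


# Constructed sample register for a small business.
SAMPLE_REGISTER = [
    Risk("Ransomware encrypts the file server after a phishing attachment is opened",
         date(2024, 3, 1), ["antivirus", "spam filtering"], likelihood=4, impact=5,
         treatment_plan="Offline backups tested monthly; MFA on email; staff phishing training",
         treatment_deadline=date(2024, 6, 30), owner="IT manager", progress="in progress",
         residual_likelihood=2, residual_impact=3),
    Risk("Former employee retains VPN and email access after leaving",
         date(2024, 3, 1), [], likelihood=3, impact=3,
         treatment_plan="Offboarding checklist that revokes all accounts on the last day",
         treatment_deadline=date(2024, 4, 30), owner="Office manager"),
    Risk("Laptop containing unencrypted customer records is lost",
         date(2024, 3, 1), ["screen lock"], likelihood=2, impact=4,
         treatment_plan="Enable full-disk encryption on all laptops",
         treatment_deadline=date(2024, 5, 31), owner="IT manager", progress="complete",
         residual_likelihood=2, residual_impact=1),
]

if __name__ == "__main__":
    for risk in prioritise(SAMPLE_REGISTER):
        print(rate(risk.current_score), risk.current_score, "->", rate(risk.residual_score), risk.scenario)
    print("outside low tolerance:", [r.scenario for r in outside_tolerance(SAMPLE_REGISTER, "low")])
    print("overdue:", [r.scenario for r in overdue(SAMPLE_REGISTER)])
```

Re-running `prioritise` and `outside_tolerance` at each review date is what makes the assessment repeatable: the register, not a one-off report, becomes the template for future assessments.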
Recovering from an event
There is nothing that can guarantee you won’t encounter a cyber security event.
All the technology, processes, controls and staff training in the world are no guarantee: a single unpatched system, a human error or a determined attacker can bring down the best security systems.
So, what can you do when a security incident occurs? Backups, disaster recovery/business continuity planning and incident response plans are essential to ensuring that your business can continue to operate.
- Data Backup – Backup protects data from several risks, including hardware failures, human error, cyber-attacks, data corruption and natural disasters.
- Disaster Recovery (DR) or Business Continuity Plan (BCP) – Business continuity focuses on keeping business operational during a disaster, while disaster recovery focuses on restoring data access and IT infrastructure after a disaster.
- Incident Response – focuses on how to respond when a cyber security event or breach occurs.
A backup is a digital copy of your business’s most important information, e.g. customer details and financial records. This can be saved to an external storage device or to the cloud.
An automatic backup should be set as the default: a ‘set and forget’ system that backs up your data automatically, without human intervention.
Backing up is a precautionary measure so that your data is accessible in case it is ever lost, stolen or damaged. It:
- Allows your business to recover from a cyber incident (such as ransomware) and minimises downtime
- Protects the credibility of your business and helps to meet legal obligations
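A backup only protects you if it can actually be restored. The following is an added example, not a tool from the guide, of an automatic backup routine that archives a folder, stores a SHA-256 manifest of every file next to the archive, and then proves the archive restores intact by extracting it into scratch space and re-hashing. The folder layout and file contents are constructed sample data.

```python
"""Added example (not from the guide): an automatic backup routine that archives
a folder, writes a SHA-256 manifest of every file, and proves the archive can be
restored intact. A backup that has never been restored is not a backup. The
folder layout and file contents are constructed sample data."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(folder: Path) -> dict:
    """Relative path -> SHA-256 for every file under the folder."""
    return {str(p.relative_to(folder)): sha256_of(p)
            for p in sorted(folder.rglob("*")) if p.is_file()}


def backup(source: Path, dest_dir: Path) -> Path:
    """Archive the source folder and store a manifest alongside the archive."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / "backup.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname="data")
    (dest_dir / "manifest.json").write_text(json.dumps(build_manifest(source), indent=2))
    return archive


def verify_restore(archive: Path, manifest_path: Path) -> bool:
    """Restore into a scratch directory and compare every file hash with the manifest."""
    expected = json.loads(manifest_path.read_text())
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")   # safe extraction (Python 3.12+ and backports)
            except TypeError:
                tar.extractall(scratch)                  # older Python without the filter argument
        restored = build_manifest(Path(scratch) / "data")
    return restored == expected


def make_sample_data(folder: Path) -> None:
    """Constructed stand-in for a small business's important records."""
    (folder / "finance").mkdir(parents=True)
    (folder / "customers.csv").write_text("id,name,email\n1,Example Customer,customer@example.com\n")
    (folder / "finance" / "ledger.csv").write_text("date,amount\n2024-03-01,120.00\n")


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as work:
        root = Path(work)
        source = root / "business_data"
        make_sample_data(source)
        archive = backup(source, root / "backups")
        manifest = root / "backups" / "manifest.json"
        verified = verify_restore(archive, manifest)
        # The live data changes after the backup was taken. Re-hashing the live data and
        # checking it against the old archive shows the archive is now stale, which is
        # exactly what a scheduled verification job should flag.
        (source / "customers.csv").write_text("id,name,email\n1,Changed Customer,x@example.com\n")
        manifest.write_text(json.dumps(build_manifest(source)))
        stale_detected = not verify_restore(archive, manifest)
        return {"restore_verified": verified, "stale_backup_detected": stale_detected}


if __name__ == "__main__":
    print(run_demo())
```

Scheduling `backup` and `verify_restore` together (for example nightly) gives the ‘set and forget’ behaviour the guide recommends while still catching a backup that silently stopped matching the live data.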
Disaster Recovery (DR) or Business Continuity Plan
Ultimately, both DR and BCP are plans that contain detailed instructions on how to respond to unplanned incidents such as natural disasters, power outages, cyber-attacks, and any other disruptive events. The plan contains strategies on minimising the effects of a disaster, so an organisation will continue to operate, or quickly resume operations.
You should also implement a cyber security incident response plan to guide your business and your staff on how to respond in the event of a cyber incident.
This will help you understand your critical devices and processes, as well as key contacts that you can use to respond and recover.
A cyber incident response plan should align with the organisation’s incident, emergency, crisis, and business continuity arrangements, as well as jurisdictional and national cyber and emergency arrangements.
An incident response plan should be set up to address a suspected data breach in a series of phases. Within each phase, there are specific areas of need that should be considered. The incident response phases are:
- Lessons Learned
Staff training and behaviour – insiders, social engineering, remote working best practice
Security Awareness Training is designed to protect your staff and business against cyber threats. Teach yourself and your staff how to prevent, recognise and report cybercrime. Train your employees in cyber security basics, including updating their devices, securing their accounts, and identifying scam messages.
Employees can be the first and last line of defence against cyber security threats. Training can change the habits and behaviour of staff and create shared accountability in keeping your business safe.
Cyber security is everyone’s responsibility. Provide regular cyber security awareness training, as cyber security threats are continuously evolving.
Keeping everybody up to date on cyber security threats could be the difference between whether or not a criminal gains access to your money, accounts, or data.
Establish access controls – passwords, MFA, access control, privileged users and least privilege, removing admin rights, changing default passwords
Access Control is managing who can access what within your business’ computing environment.
Access control is a way to limit access to a computing system. It helps protect your business by restricting access to:
- Files and folders
- Online accounts
This minimises the risk of unauthorised access to important information.
Typically, staff do not require full access to all data, accounts, and systems in a business to perform their role.
This access should be restricted where possible so that employees and external providers do not accidentally or maliciously endanger your business.
Access control systems and procedures allow a business owner or operator to:
- Decide who should access certain files, databases, and mailboxes
- Control any access permitted to external providers, e.g. accountants and website hosting providers
- Restrict who has access to accounts such as supplier websites and social media
- Reduce potential damage if any accounts, devices, or systems are compromised
- Revoke access to systems and data when an employee changes roles or leaves the business
Principle of least privilege
Depending on the nature of your business, the principle of least privilege is usually the safest approach for a small business.
It gives users the bare minimum permissions they need to perform their work. This also reduces the risk of an ‘insider’ accidentally or maliciously endangering your business.
- Transition your employees from ‘Administrator’ accounts to standard accounts on business devices
- Review access permissions on digital files and folders
- Do not share accounts or passphrases/passwords between staff
- Remember to revoke access, delete accounts and/or change passphrases/passwords when an employee leaves, or if you change providers
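The least-privilege and revocation points above can be expressed as a deny-by-default access-control model. The following is an added example, not code from the guide, showing role-based permissions that grant only what each job needs, a separate admin account kept apart from the daily-use account, role changes that replace rather than accumulate permissions, offboarding that disables the account and strips every role, and an audit trail of every decision. The roles, resources and staff names are constructed.

```python
"""Added example (not from the guide): a deny-by-default access-control model
showing least privilege, role changes that replace rather than accumulate
permissions, and revocation when someone leaves. Roles, resources and staff
names are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed policy: each role gets only the permissions its work requires.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "sales":    {("crm", "read"), ("crm", "write"), ("finance/ledger", "read")},
    "accounts": {("finance/ledger", "read"), ("finance/ledger", "write"), ("bank-portal", "login")},
    "it-admin": {("servers", "admin")},   # held by a separate admin account, never a daily-use one
}


@dataclass
class Account:
    name: str
    roles: Set[str] = field(default_factory=set)
    active: bool = True


class AccessControl:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.audit: List[Tuple[str, str, str, bool]] = []

    def add_account(self, name: str, roles: Set[str]) -> None:
        unknown = set(roles) - set(ROLE_PERMISSIONS)
        if unknown:
            raise ValueError("unknown roles: %s" % sorted(unknown))
        self.accounts[name] = Account(name, set(roles))

    def is_allowed(self, name: str, resource: str, action: str) -> bool:
        """Deny by default: unknown, disabled or under-privileged accounts all get False."""
        account = self.accounts.get(name)
        allowed = False
        if account is not None and account.active:
            allowed = any((resource, action) in ROLE_PERMISSIONS[r] for r in account.roles)
        self.audit.append((name, resource, action, allowed))   # every decision is logged
        return allowed

    def change_role(self, name: str, new_roles: Set[str]) -> None:
        """Replace roles outright so permissions do not pile up across job moves."""
        self.accounts[name].roles = set(new_roles)

    def offboard(self, name: str) -> None:
        """Disable the account and strip every role when someone leaves."""
        account = self.accounts[name]
        account.active = False
        account.roles.clear()

    def denied_attempts(self) -> List[Tuple[str, str, str, bool]]:
        """Denied requests are worth reviewing: they show who is probing beyond their role."""
        return [entry for entry in self.audit if not entry[3]]


def run_demo() -> Dict[str, bool]:
    ac = AccessControl()
    ac.add_account("alice", {"sales"})
    ac.add_account("alice-admin", {"it-admin"})   # separate account used only for admin work
    results = {
        "sales_can_read_ledger": ac.is_allowed("alice", "finance/ledger", "read"),
        "sales_cannot_write_ledger": not ac.is_allowed("alice", "finance/ledger", "write"),
        "daily_account_has_no_admin": not ac.is_allowed("alice", "servers", "admin"),
        "admin_account_has_admin": ac.is_allowed("alice-admin", "servers", "admin"),
    }
    ac.change_role("alice", {"accounts"})          # moves from sales to accounts
    results["old_crm_access_gone"] = not ac.is_allowed("alice", "crm", "read")
    results["new_ledger_write_granted"] = ac.is_allowed("alice", "finance/ledger", "write")
    ac.offboard("alice")                           # leaves the business
    results["offboarded_denied"] = not ac.is_allowed("alice", "finance/ledger", "read")
    results["unknown_user_denied"] = not ac.is_allowed("bob", "crm", "read")
    return results


if __name__ == "__main__":
    for check, passed in run_demo().items():
        print(check, "ok" if passed else "FAILED")
```

The same shape applies whether the "system" is a file server, a SaaS account or a cloud IAM policy: permissions attach to roles, accounts get the minimum set of roles, and offboarding is a single revocation step rather than a hunt through individual systems.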
A passphrase is a more secure version of a password. Multi-factor authentication (MFA, described below) is one of the most effective ways to protect your accounts from cybercriminals. However, if MFA is not available, then you should use a passphrase to protect your account.
A passphrase uses four or more random words as your password. For example, ‘crystal onion clay pretzel’.
Why? Secure and easy to remember
Passphrases are hard for cybercriminals to crack, but easy for you to remember.
Create passphrases that are:
- Long: The longer your passphrase, the better. Make it at least 14 characters in length.
- Unpredictable: use a random mix of unrelated words. No famous phrases, quotes, or lyrics.
- Unique: Do not reuse passphrases on multiple accounts.
If a website or service requires a complex password including symbols, capital letters, or numbers, you can include these in your passphrase. Your passphrase should still be long, unpredictable, and unique for the best security.
Where? Your accounts and devices
If you are unable to use MFA on an account or device, it is important to use a passphrase to stay secure. In these situations, a secure passphrase may be the only barrier between adversaries and your valuable information.
Remember to make your passphrases unique, as reusing a password makes it easy for a cybercriminal to hack multiple accounts.
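The long/unpredictable/unique criteria above can be generated and checked mechanically. The following is an added example, not code from the guide, that builds a four-word passphrase from a cryptographic random source, estimates how much guessing work it represents, and flags a candidate that is too short, has too few words, is a well-known phrase or has been used before. The word list and the list of predictable phrases are short constructed samples; a real generator should draw from a list of thousands of words and a real check should consult a breached-password list.

```python
"""Added example (not from the guide): generating a four-word passphrase with a
cryptographic random source and checking a candidate against the guide's
long / unpredictable / unique criteria. The word list and the predictable-phrase
list are short constructed samples."""
import math
import secrets
from typing import List, Set

SAMPLE_WORDS: List[str] = [
    "crystal", "onion", "clay", "pretzel", "harbour", "velvet", "cactus", "lantern",
    "meadow", "quartz", "saddle", "turnip", "walrus", "anchor", "biscuit", "comet",
    "drizzle", "ember", "falcon", "goblet", "hazel", "igloo", "jungle", "kettle",
    "lagoon", "marble", "nettle", "orchid", "pebble", "quiver", "ripple", "sprout",
]

# Constructed examples of predictable inputs (famous lines, lyrics).
PREDICTABLE_PHRASES: Set[str] = {"to be or not to be", "may the force be with you", "let it be"}


def generate_passphrase(words: List[str] = SAMPLE_WORDS, count: int = 4) -> str:
    """secrets.choice is suitable for security use; random.choice is not."""
    return " ".join(secrets.choice(words) for _ in range(count))


def entropy_bits(list_size: int, count: int) -> float:
    """Guessing entropy of `count` words chosen uniformly from `list_size` words."""
    return count * math.log2(list_size)


def check_passphrase(phrase: str, previously_used: Set[str],
                     min_length: int = 14, min_words: int = 4) -> List[str]:
    """Return the guide's criteria the passphrase fails (an empty list means it passes)."""
    problems = []
    if len(phrase) < min_length:
        problems.append("too short: use at least %d characters" % min_length)
    if len(phrase.split()) < min_words:
        problems.append("use at least %d random words" % min_words)
    if phrase.strip().lower() in PREDICTABLE_PHRASES:
        problems.append("predictable: avoid famous phrases, quotes or lyrics")
    if phrase in previously_used:
        problems.append("reused: every account needs its own passphrase")
    return problems


if __name__ == "__main__":
    candidate = generate_passphrase()
    print(candidate, "->", check_passphrase(candidate, set()) or "passes")
    print("4 words from a 7776-word list: about %.1f bits" % entropy_bits(7776, 4))
```

Four words drawn from a 7776-word list give roughly 52 bits of guessing entropy, which is why the guide’s example ‘crystal onion clay pretzel’ passes every check while a famous line of the same length does not.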
MFA is a security measure that requires two or more proofs of identity to grant you access.
Multi-factor authentication (MFA) typically requires a combination of:
- something you know (password/passphrase, PIN, secret question)
- something you have (smartcard, physical token, authenticator app)
- something you are (fingerprint or other biometric).
MFA is one of the most effective ways to protect against unauthorised access to your valuable information and accounts.
The multiple layers make it much harder for criminals to attack your business. Criminals might manage to steal one proof of identity such as your password, but they still need to obtain and use the other proofs of identity to access your account.
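To make the "still need the other proof" point concrete, the following is an added example, not code from the guide, of a login check that requires both a passphrase (something you know) and a time-based one-time code of the kind an authenticator app produces (something you have). The one-time code follows HOTP (RFC 4226) and TOTP (RFC 6238); the user record is constructed, and the shared secret is the RFC 6238 test seed so the codes can be checked against the published test vectors. The passphrase is the guide’s own example.

```python
"""Added example (not from the guide): a login check that requires both a
passphrase (something you know) and a time-based one-time code (something you
have), using HOTP/TOTP as specified in RFC 4226 and RFC 6238. The user record is
constructed; the shared secret is the RFC 6238 test seed."""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the clock."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: float, step: int = 30, window: int = 1) -> bool:
    """Accept the current code or its immediate neighbours to tolerate small clock drift."""
    counter = int(at_time) // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so a copied user store does not hand over the passphrases."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_user(password: str, totp_secret: bytes) -> Dict[str, bytes]:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": hash_password(password, salt), "totp_secret": totp_secret}


RFC6238_TEST_SEED = b"12345678901234567890"
# Constructed user store: one account whose passphrase is the guide's example.
USERS = {"alice": make_user("crystal onion clay pretzel", RFC6238_TEST_SEED)}


def authenticate(username: str, password: str, code: str, at_time: Optional[float] = None) -> bool:
    """Both factors must pass: a stolen passphrase alone is not enough."""
    at_time = time.time() if at_time is None else at_time
    user = USERS.get(username)
    if user is None:
        return False
    password_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["hash"])
    code_ok = verify_totp(user["totp_secret"], code, at_time)
    return password_ok and code_ok   # evaluate both so a failure does not reveal which factor was wrong


if __name__ == "__main__":
    now = time.time()
    current = totp(RFC6238_TEST_SEED, now)
    print("stolen passphrase, no code:", authenticate("alice", "crystal onion clay pretzel", "000000", now))
    print("passphrase plus current code:", authenticate("alice", "crystal onion clay pretzel", current, now))
```

The `window` of one step on either side is the usual compromise between clock drift on the user’s phone and the number of codes an attacker could try; a real service would also rate-limit attempts and refuse to accept the same code twice.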
Implement firewalls and antivirus software
Another significant cyber security risk mitigation method is installing security solutions such as firewalls and antivirus software. These protections add an extra barrier around your computers and network. Firewalls act as a buffer between the outside world and your network, giving your organisation greater control over incoming and outgoing traffic. Similarly, antivirus software scans your devices and your network to identify potential cyber attacks.
Create a patch management schedule
Many software and application providers release patches regularly, and cybercriminals are well aware of this: they can quickly work out how to exploit the weakness a patch fixes on systems that have not yet applied it. Organisations need to keep an eye on patch releases and create an effective patch management schedule that helps their IT security team stay ahead of attackers.
An update is an improved version of software (programs, apps, and operating systems) you have installed on your servers, computers, and mobile devices. An automatic update is a default or ‘set and forget’ system that updates your software as soon as one is available.
- Keeping your operating system and applications up to date is one of the best ways to protect yourself from a cyber security incident
- Regularly updating your software will reduce the chance of a cybercriminal using a known weakness to run malware or hack your device
- Saving you time and worry, automatic updates are an important part of keeping your devices and your data safe
- Turn on automatic updates, especially for operating systems
- Regularly check for updates if automatic updates are unavailable
- If you receive a prompt to update your operating system or other software, you should install the update as soon as possible
- Set a convenient time for automatic updates to avoid disruptions to business as usual
- If you use antivirus software, ensure automatic updates are turned on
Continuously monitor network traffic
Proactive action is the best strategy for mitigating cyber attacks. With approximately 2,200 attacks happening each day, the best way to stay ahead of cybercriminals is to continuously monitor network traffic. To enable real-time threat detection and risk mitigation, consider tools that give you a comprehensive view of your whole IT ecosystem at any time. This allows your IT security team to identify new threats more effectively and decide the best path to remediation.
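Continuous monitoring means running detection logic over the traffic records you already have. The following is an added example, not code from the guide, of two simple detections run over constructed firewall flow-log lines: a port scan (one external source touching many ports on one internal host) and an unusually large outbound transfer from an internal host to the internet compared with that host’s usual volume. The log format, the thresholds, the internal address ranges, the baselines and the addresses (RFC 5737 documentation ranges) are all constructed.

```python
"""Added example (not from the guide): two detections run over constructed
firewall flow-log lines: a port scan and an unusually large outbound transfer.
The log format, thresholds, baselines and addresses are constructed."""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List

LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)")

# Constructed definition of "inside the business"; documentation ranges count as external here.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def parse_flow(line: str) -> Dict[str, object]:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised flow line: %r" % line)
    return {"ts": m["ts"], "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "bytes": int(m["bytes"])}


def detect_port_scans(flows: List[Dict], min_ports: int = 10) -> List[Dict]:
    """One source hitting many distinct ports on one destination within the batch."""
    ports = defaultdict(set)
    for f in flows:
        ports[(f["src"], f["dst"])].add(f["dport"])
    return [{"type": "port_scan", "src": src, "dst": dst, "ports": len(p)}
            for (src, dst), p in ports.items() if len(p) >= min_ports]


def detect_large_egress(flows: List[Dict], baseline_bytes: Dict[str, int],
                        factor: int = 5, default_baseline: int = 50_000_000) -> List[Dict]:
    """Internal host sending far more to external addresses than its usual volume."""
    egress = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            egress[f["src"]] += f["bytes"]
    return [{"type": "large_egress", "src": src, "bytes": total}
            for src, total in egress.items()
            if total > factor * baseline_bytes.get(src, default_baseline)]


def run_detections(lines: List[str], baseline_bytes: Dict[str, int]) -> List[Dict]:
    flows = [parse_flow(line) for line in lines]
    return detect_port_scans(flows) + detect_large_egress(flows, baseline_bytes)


# Constructed sample log: normal browsing, one internal file-share access, a 12-port
# scan from an external address, and a very large upload from 10.0.0.5.
SAMPLE_LOG = [
    "2024-05-01T09:00:01Z src=10.0.0.5 dst=203.0.113.9 dport=443 bytes=48000",
    "2024-05-01T09:00:05Z src=10.0.0.7 dst=203.0.113.9 dport=443 bytes=12000",
    "2024-05-01T09:01:00Z src=10.0.0.7 dst=10.0.0.20 dport=445 bytes=230000",
] + [
    "2024-05-01T09:02:%02dZ src=198.51.100.7 dst=10.0.0.20 dport=%d bytes=60" % (i, 21 + i)
    for i in range(12)
] + [
    "2024-05-01T09:30:00Z src=10.0.0.5 dst=203.0.113.9 dport=443 bytes=950000000",
]
# Constructed per-host daily egress baselines (bytes), learned from previous weeks.
BASELINE_BYTES = {"10.0.0.5": 50_000_000, "10.0.0.7": 50_000_000}

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG, BASELINE_BYTES):
        print(alert)
```

Both detections are deliberately simple thresholds; what makes them useful is that they run continuously over the full flow record, so a scan or a bulk transfer surfaces the same day rather than at the 287-day mark cited earlier in the guide.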