This year Ransomware continued its upward trend with an almost 13% increase–a rise as big as the last five years combined. Cybercrime is a $6 trillion annual industry, affecting all businesses and individuals. Global cybercrime costs are expected to grow 15% per year over the next 5 years, reaching $10.5 trillion USD annually by 2025. For comparison, the cost was $3 trillion USD in 2015.

Although large corporations tend to make the headlines, the threat is everywhere. In 2021, 28% of breaches targeted small businesses. And with the average ransomware at $70,000, a breach can be catastrophic for small businesses who end up as the targets of cybercriminals. And with geopolitical tensions still heightened, potential cybersecurity impacts should still be on Americans’ radar.

The effect on your organization is real, and regardless of your industry or size, you need to be prepared for the eventuality of a cyberattack. Below are simple steps you can take today to help strengthen your organization’s cybersecurity.

Understanding Vulnerabilities

The 2022 Verizon Data Breach Investigations Report (DBIR) found 82% of breaches involved a human element, making it the key driver in cyberattacks. The most prevalent form of attack is phishing, a cyberattack that infects a system with malware when an internal user unknowingly opens a malicious attachment or link, often from someone pretending to be a coworker or client. With this malware, the actor will be able to steal your organization’s data, which may bring the cybercriminal anywhere from a few cents to hundreds of dollars per record, depending on what it contains and how the buyer can use it.

Additionally, compared to other functional areas in an organization (marketing, finance, operations, etc.), 30% of executives believe skills gaps are more prevalent in IT, and 93% of employers indicate there is a skills gap among their IT staff. Nearly 6 in 10 companies report being only moderately close or not even close to where they want to be with internal IT skills, making even organization with managed IT services anxious about the possibility of an attack.

To assess the risk of a cyberattack on your organization, ask yourself:

  • As a firm leader, do you feel like you are aware of the cyber risks your business faces?
  • Do you understand the impact a breach could have on your company?
  • Do you have some portion of your employee base that works or accesses data remotely?
  • Do you feel employees in your organization are properly trained in cybersecurity best practices?
  • Do you have a comprehensive incident response plan, and do you test or review it?

Take Action Today

By implementing these basic cybersecurity steps, you can greatly mitigate your risk—often within weeks:

  • Validate remote access to the organization’s network and ensure privileged or administrative access requires multi-factor authentication.
  • Enable strong spam filters to prevent phishing emails from reaching end users. Even by reducing the potential of phishing emails reaching your employees, you can prevent a cyberattack from occurring.
    • Furthermore, you can educate your employees with cybersecurity awareness training.
  • Third party cybersecurity assessments can help you assess your risks, including the vulnerabilities related to your industry, your people, your technology, and your business partners. Vendor/supplier security is critical, so in addition to assessing your internal risks, you need to determine what data these outside parties can access—and what their controls and safeguards are.
  • Update and patch all software. One of the biggest vulnerabilities last year occurred when it was discovered an open-source Apache logging framework had a flaw that allowed hackers to exploit vulnerable systems. Fixing the problem required a hastily-made patch, but many companies continued to leave themselves vulnerable simply because they didn’t take that step. Preventive maintenance is essential for a secure and safe environment against malware.
  • Not only should you implement controls like multifactor authentication (MFA/DFA), email filters, hold data security training for your workforce, and encrypting your laptops, but you also need to verify those controls. Once your processes are in place, run periodic tests on select controls, to validate that they are working as intended.
  • Make regular backups and test backup procedures to ensure critical data can be rapidly restored if the organization is impacted by ransomware or a destructive cyberattack. Additionally, make sure your backups are isolated from network connections.
  • If you can afford it, you should consider purchasing cyber insurance. Any business that deals with sensitive information—including credit card numbers, medical information, and Social Security numbers—should have cyber insurance in order to protect customer information, industry relations, and business reputation.

Addressing the Challenges

As your business changes, your risks change, so you should reassess your situation annually. If you already have an existing enterprise risk management (ERM) program, you can leverage it and fold in your cybersecurity processes.

Ransomware and other cyberattacks can be detrimental to your company’s reputation, customers, and profits. Not only are the consequences usually severe, but there is no guarantee that your business will get its data back after the sum is paid. Although there is no way to completely prevent a breach, a strong cybersecurity program can help you mitigate your risks and be better prepared to respond to an attack.

For those organizations with a strong compliance engine, the cost of a breach—if it occurred at all—was nearly 65% less than those without. As cybercriminals become more sophisticated, the ability to detect and remediate becomes more challenging. Protect your company by making technology and cybersecurity a critical piece of your overall business strategy.