In the first half of 2017 we have seen plenty of cybersecurity headlines: the recent WannaCry attack, hacks on Gmail and Chipotle, and the compromise of hundreds of Twitter accounts including CNN’s. Cyberattacks, it seems, are increasingly becoming the “norm.” These cybersecurity breaches aren’t to be taken lightly either. Companies can suffer huge financial losses and, as importantly, reputational damage that has lasting negative effects on businesses.
Despite high-profile hacks and attacks happening on a more frequent basis, enterprises and small to medium-sized businesses (SMBs) are surprisingly confident in their cybersecurity preparedness. Companies are maintaining that their cybersecurity defence is continually being ramped up, and more investment is being made each year to maintain that level of confidence. There also seems to be a common belief that “it won’t happen to us.” Unfortunately, this belief simply doesn’t hold true.
The Stark Reality
According to research conducted on 400 SMBs and enterprises in the UK and US, almost all businesses – 87 percent – have complete trust in their security techniques and technology. More than half even believe they are less vulnerable than they were 12 months ago. And given that 61 percent said they were about to receive a substantial boost to their cybersecurity budgets, it’s easy to see why businesses are confident in their preparedness.
It’s not just high-level assurance either. When asked, businesses were confident in their ability to tackle very specific threats. For instance, half were certain that if a mobile device was stolen, they would know exactly what data was on that device and the level of risk to the business. Fifty-seven percent were also sure of the measures they have in place to protect clients’ and employees’ personally identifiable information (PII).
For all the self-assuredness, 71 percent still admitted they had been breached in the last year. And with only 29 percent reporting a breach in 2016, businesses’ overconfidence in cybersecurity is somewhat alarming. It’s even more alarming when you consider that 77 percent reported a tangible loss, such as the loss of a customer or partner, monetary loss, or operational impact such as downtime.
The Cost Of Cyber Attacks
In hard commercial terms, what does a cyber-attack cost a typical SMB or enterprise? Beyond the readily identifiable impacts of a lost customer or downtime leading to lost opportunity, what are the wider implications?
When taking into consideration the average number of records held for SMBs (5,000) and enterprises (6,000), along with the standard cost of a stolen record calculated by IBM and Ponemon as £122/$157 (which factors direct and indirect costs, as well as brand damage, and the impact on future customer acquisition), the typical cost of a breach to an SMB is £59,000/$76,000. For a larger enterprise, the average cost is £724,000/$939,000.
No company can afford this degree of liability. So why does the vulnerability exist? And what can businesses do to prevent such attacks taking place?
The Seven Pitfalls Of Cybersecurity
It seems there are seven pitfalls that are opening UK and US businesses to cyberattacks and huge financial liabilities.
The first is inconsistency in enforcing security policies. A security policy is only helpful to businesses if it is enforced and its suitability is regularly checked, but businesses aren’t enforcing their security policies. Only a third can claim their security policies are reliably applied and regularly audited. The rest either only enforce them occasionally, fail to audit them, or have no policies in place at all!
The second pitfall is negligence in the approach to user security awareness training. Training plays a huge role in cybersecurity preparedness, but only 16 percent consider it a priority. A massive 71 percent pay lip service to security awareness as a one-off event at employee on-boarding, or at best are only reinforcing it once a year.
The third is that businesses also appear to be short-sighted when it comes to the application of cybersecurity technologies. Six of the nine top cybersecurity technologies were deployed by fewer than a third of businesses. Web protection, email scanning, and anti-malware had each been rolled out by only 50-61 percent of businesses, but the remaining six (including firewall rules and patch management) had been deployed by 33 percent at most (SIEM), or as few as 25 percent (intrusion systems).
The fourth is complacency when it comes to vulnerability reporting. Fewer than a third (29 percent) say their reporting is robust. Surprisingly, 19 percent have no reporting, and a further 11 percent have no plans to investigate the usefulness of vulnerability reporting.
But it’s not just a lack of reporting on vulnerabilities—the fifth pitfall is inflexibility when it comes to adapting processes and technologies after experiencing a breach. After a breach, only 44 percent implemented new technology, and only 41 percent changed their processes.
The sixth is that businesses are stagnant when it comes to applying key prevention techniques, with the majority of businesses failing to adopt the leading prevention techniques. While the most prevalent technique was full disk encryption on mobile and portable endpoints, this was only performed by 43 percent of businesses.
The seventh and final cybersecurity pitfall is lethargy around detection and response. In fact, detection, response, and resolution times have all increased compared to 2016.
Business Best Practice
While it is overwhelmingly clear that SMBs and enterprises are overconfident in their cybersecurity preparedness, this confidence does create an opportunity for managed service providers (MSPs). First, MSPs can offer cybersecurity training to customers. Training can make a huge difference in your clients’ security. Whether it’s offered as a service to build revenue, or it’s given for free to provide retention, training can cut down on the number of security incidents. That translates to fewer emergency calls and, ultimately, happier clients.
MSPs can also prepare their customers with disaster drills—just like marketing teams practice their responses to PR crises, financial services organisations stress test their portfolios, and logistics teams plan for transportation hubs closing down unexpectedly. MSPs can practice disaster events with clients, both in terms of technology and processes, to discover weak points and make improvements. Are the lines of communication and equipment sufficiently robust? Are expectations and metrics reasonable? MSPs are also likely to find a few upsell opportunities while doing so.
But the onus isn’t just on the customer. MSPs also need to make sure that their own security practices are up to scratch. MSPs should review practices and their security technology stack not only for current best practices, but with an eye to the future too. Does security meet the current and future needs of the typical SMB or enterprise? Does it work well across on-premises, cloud, and hybrid environments? Can clients in highly-regulated verticals be served?
Finally, MSPs should determine the partnerships or skills they will need to deal with cyber-attacks. Many security incidents require specialists to handle—so whether it’s warding off DDoS attacks, protecting IoT at an architectural level, or implementing digital forensics incident response, MSPs need to either hire expertise in-house, or partner with someone that can handle these. You never want to have to build new skills in the middle of a crisis.
Preparing For The Worst
Businesses need a stark reality check. While they are confident in the processes they have in place, the truth of the matter is that businesses are failing to implement the technology and techniques that could save them hundreds of thousands of pounds. And businesses are naïve to think that cybercriminals won’t capitalise on this overconfidence. But all is not lost. With the right approach, relationships and tools, businesses can help to ensure that they don’t fall victim, and aren’t yet another headline.