It's no longer enough to be small or lucky. These days, cyberattacks affect businesses of all sizes and types. In fact, small and medium-sized businesses are now the target of 65 percent of cyberattacks.
What sets apart companies that fend off hackers isn't just technology — it's a mindset. Certain knowledge about your company, your industry, and what kinds of cyberattacks you can expect provides a foundation that guides technology choices and behaviors. Companies that understand these things stand a better chance of avoiding a costly breach.
Companies that successfully defend against cyberattacks give careful thought to what data they have that hackers might want, and how it would affect their business and reputation if that information were compromised.
The release or theft of trade secrets for tech and manufacturing firms, for instance, can mean the loss of a competitive advantage. Even small amounts of seemingly boring medical data can fetch a premium on the black market for use in insurance fraud, and a breach of that data can also mean a major HIPAA violation. B2Bs often don't consider the private information they have about their clients and partners, and how a breach of that data could affect crucial relationships.
Companies also frequently fail to consider how valuable their information is to themselves. The most common type of cyberattack for businesses is ransomware, in which hackers encrypt a company's data and demand a ransom to unlock it. In addition to the cost of the ransom — which about half of businesses in this situation pay — what would it cost your organization to lose a day of productivity while your data is locked? How about a week? What if you never got it back?
Most organizations don't have to worry about anyone hacking their servers to change grades or get answers to an exam. Yet, this is a major concern for educational institutions whose brands rely on their academic integrity.
An awareness of not just the common types of cyberattacks that affect all businesses, but also those specific to your industry, helps you stay a step ahead of hackers. Healthcare organizations, for example, have only started to catch up on defending against internet-of-things attacks, in which hackers can control or shut down networked medical equipment.
The primary way hackers gain access isn't brute force; it's deception. Even the best technology can't keep hackers out if you unwittingly let them in, and the trickery is evolving just as fast as the technology. "Phishing" attempts to glean passwords by impersonating personal contacts or trusted organizations. Hackers also venture into the real world, with schemes like leaving virus-infected flash drives near offices in hopes an employee will plug one in.
Companies that recognize that the only way to achieve comprehensive cybersecurity is to train their employees regularly, at all levels, are much less likely to experience a breach.
Surprisingly, the average lapse between when a breach occurs and when it's detected is 100 to 200 days. Hackers use this lag to steal data over a period of time, or to learn about your organization to achieve broader access.
A worthwhile thought experiment is to assume a breach will happen and that you won't know it has happened. How would you put extra protection around your "crown jewels" — the most valuable data and systems — to make it harder for the bad guys to get to the good data?
For example, even if a hacker installs a key logger that captures IDs and passwords as they're entered on your computers, adding two-factor authentication to the most sensitive systems would make it much more difficult for the most important data to fall into the wrong hands.
While it's no secret that being hacked can cause major reputation damage, the reverse is also true: A proactive approach to cybersecurity can engender trust.
Jonathan Stone is chief technology officer and chief operating officer at Kelser Corp., a technology consulting firm in East Hartford.