Four Steps Before Your First (Or Next!) Cyber Attack: Small and Mid-Size Businesses Are Prime Targets

The Colonial Pipeline hack cost the company millions and sent drivers in the Southeast and Mid-Atlantic scurrying for fill-ups. Although it’s difficult to see a silver lining, it does mean that government, business and industry leaders are taking cyber protection more seriously.

Almost every day—or so it seems—another well-known brand and its customers suffer from a breach, ransomware, malware or phishing scheme, costing the brand hundreds of thousands of dollars or more in lost revenue, reputation and trust.

To be sure, we are paying more attention to the security of sensitive data. And the loss of intellectual property or financial information makes for great headlines, especially when it involves large name brands such as Capital One, Target or Marriott.

However, it is small and medium size businesses and organizations that are most at risk. Several factors are at play, but insufficient cyber preparedness is the leading culprit.

Some reports says that as much as 43% of cyber attacks target small businesses, yet only 14% of small businesses have taken steps to protect themselves, their employees and their customers. Likewise, more than 50% of chief executives at businesses around the world do not believe they have the needed defenses or are effectively prepared should a breach or hack occur.

Beyond small and mid-size businesses, the sectors most vulnerable to cyber attack are those in health, government, energy and higher education. Similarly, their vulnerability stems from a lack of preparation. If anything, the recent rash of attacks has taught us that precautions now—both in erecting defenses and preparing how to respond—make good business sense and lower the cost when information is compromised.

It is no surprise that the cost of insuring against cyber risk is increasing, as much as 30%, according to the U.S. Government Accounting Office. As cyberattacks grow more frequent and costly, the demand for insurance is rising along with the cost to insurers. In some cases, insurers are limiting what is covered, particularly in healthcare and education.

While these numbers paint a discouraging picture, now is the time for a proactive, strategic approach to protecting your business, non-profit or university from the cyber pandemic that has surged with the increasing popularity of remote work and the growing sophistication and boldness of cyber crooks. Regardless of your level of cyber security, here is a four-point plan for what you can do now to protect and prepare. 

• Determine how you are exposed to a cyber attack: Every business or organization has cyber vulnerabilities. Determine what they are by detailing the type and volume of sensitive information you have and where it is held. You should also determine the business, legal and reputational risks associated with each vulnerability and plan for the business and IT procedures to immediately activate should you discover sensitive information has been compromised. Among other benefits, knowing how you are exposed should guide your decisions on firewalls and other technology defenses.
• Conduct an information audit: It’s critical to talk with the right people with the right messages through the right channel. Mapping each audience forces you to think through everyone who needs to know if a hack, breach or data loss occurs—and it’s a big list. Internal audiences include employees and shareholders. However, external audiences include customers, regulators, vendors, distributors, partners and anyone else who intersects with your business or organization, even those two or three steps away.
• Create a media map: Similar to audience mapping, media mapping helps you engage quickly with media most likely to report on your cyber incident. How you respond in the aftermath of a breach, hack or attack carries reputational consequences that can last for years, and getting it right starts with knowing and understanding the media landscape. At minimum, a media map includes general, trade and technology reporters likely to pay attention along with an assessment on the attitude, stance and posture of their anticipated coverage. You should also list and assess competitors and other groups that may seek to exploit your misfortune.
• Develop a cyber communications playbook: Often overlooked until after a crisis erupts, a cyber communications playbook is a must. Its purpose is straight-forward – avoid turning a bad problem into a nightmare by either absent, misguided or tardy communication to stakeholders. A good playbook helps you avoid preventable mistakes with approved talking points, scenario planning and much more.

Cyber security preparedness does not generate headlines. However, the value of taking a few steps before your first–or next–cyber incident cannot be overstated when considering that your finances, reputation and trust are all on the line.