November 29, 2016

Nowadays, no one is safe from being the target of a cyberattack, especially as more businesses move to the cloud: the U.S. SMB cloud computing and services market is expected to grow from $43 billion in 2015 to $55 billion in 2016.
This means that organizations across all industries globally have a lot to worry about when it comes to security, as ransomware, phishing and impersonation attacks are only becoming more sophisticated and damaging. But according to new data, small and mid-sized businesses are especially prime targets – they are hit by 62 percent of all cyberattacks, about 4,000 per day.
Cyberattackers will do anything they can to infiltrate your organization, even if it means playing dirty. Through tactics like social engineering, attackers research and identify their target. Then they use email, almost always, as the entry point to steal data, employees' personal identification information, tax documents and cash. They can even hold your systems hostage and bring productivity to a standstill.
What does all of this mean? For most businesses, cyberattacks can result in downtime, data loss and financial loss. However, medium enterprise businesses have a lot more to lose. The U.S. National Cyber Security Alliance found that 60 percent of small companies are unable to sustain their business for more than six months after a cyberattack. And, according to the Ponemon Institute, the average cost for small businesses to clean up after they have been hacked stands at $690,000; for midsized companies, it is over $1 million.
Being a medium enterprise means you need a plan. Today, defending against insidious attacks requires a broader focus, beyond just security. You need a realistic approach to cyber resilience planning that spans security, data protection, business continuity and end-user empowerment. Medium enterprises are often high growth, increasingly complex and global. And they don't always have large IT or security teams, or budgets. This means they have enterprise-level requirements without enterprise-level money. That's okay. With the right vendor, you don't need enterprise-level resources or budget to implement an effective cyber resilience strategy.
If you want to keep your business running, you need to act now. The quickest, easiest and most effective way to start the process of becoming more cyber resilient is to focus on one of your organization’s most vulnerable links – your employees. Educate and empower your entire organization on good security practices. Teach employees to:
- Scrutinize requests for financial transfers, and check domain names and website addresses carefully before acting on them.
- Think before they share too much information on social media. Cyberattackers trawl sites like Facebook and LinkedIn for personal details and whereabouts.
- Never share credentials or click on suspicious links, even if the email looks like it is from a legitimate bank or financial institution.
Building out a cyber resilience strategy is no longer optional. In fact, whether or not you have a cyber resilience strategy in place could be the difference between life and death for medium enterprise businesses. Download this E-book to learn more about strengthening and empowering your employees, and learn how Mimecast can help your business become more cyber resilient.
It seemed clear to a lot of the speakers and delegates at the recent RSA Conference that protecting organizations from cyberattack is not just the responsibility of the IT security team. Shared responsibility is the expression on everyone's lips.
Many of the sessions and speakers talked at length about how the changing nature of attacks, and the significant damage they are now causing, means the executive leadership of every private or public organization, big or small, needs to take the threat seriously.
I bet if you asked the CEOs or CFOs of the many companies that have suffered a high-profile attack (Sony Pictures, Target, SnapChat, etc.), they would all agree that a hack, data breach, ransomware or whaling attack is a big deal. They cost money to fix. They damage reputations. They disable organizations. Employees care, shareholders don't like them, and regulators and law enforcement are very concerned. Nobody wants to be the next CIO reporting a breach to their board.
But, amazingly, our own research shows that despite the high-profile damage attacks are causing, a surprisingly small number of executives are taking IT security seriously. According to IT pros surveyed, only 15 percent of C-level executives are extremely engaged in email security, and 30 percent are somewhat engaged. Confidence plays a major role in this equation: confident IT security managers are 2.7 times more likely to have a C-suite that is extremely or very engaged in email security; they are also 1.6 times more likely to see C-suite involvement in email security as extremely or very appropriate.
The most confident were also most likely to feel they had good security resources. It is no surprise to me that executive support also leads to the proper investment. If the problem is understood and taken seriously, money and resources will follow.
But it's not just about how much the C-suite is involved in email security decision-making; it's also about how they prioritize it in the broader business strategy. According to research from ISACA and RSA, 63 percent of respondents say their cybersecurity function (the CISO) reports to the CIO and not the CEO. In a session at RSA, they argued that this can create a conflict of interest, as the CIO is balancing a diverse range of priorities and may inappropriately deprioritize security in an effort to balance the books. The engaged CEO will consider IT security a risk management issue, while the CIO will see it as a technology problem. Who the CISO reports to could make all the difference to the level of protection and the cultural focus cybersecurity has in an organization.
So it's time for both sides to get together and recognize that email security is a shared responsibility. The organizations that work together and see the wider relationship between IT security and other corporate risks are better placed to protect themselves from the worst effects of an attack. The problem is part technology, but it is also commercial, cultural, human and process-related.
On the IT side, learn to speak the language of the boardroom and show in real terms the risk and cost of the problem. This is not a technology conversation; it is a risk management discussion. On the executive side, take the time to understand the exposure and risk your organization is facing and put IT security higher on the risk management priorities. If you are a shareholder, next time you get the opportunity, ask the CEO or CFO about their IT security strategy. If their answer is ill-informed, you might want to reconsider your investment.
Email security is not the responsibility of just the IT team. Everyone across the organization needs to play a role in protecting mission-critical data. It’s up to IT and the C-suite to work together to make email security part of the broader business strategy.