For the last decade and a half, business security has always been about detection and prevention: "How do we keep a breach from happening?" and "How do we know if we've been breached?" Unfortunately, those lines of thinking are quickly becoming outmoded, and cyber attacks are becoming a matter of when, not if. Today, a third question is quickly becoming an absolute must.
Assuming breach
The third question that should be at the top of your stack is "What is our response to a breach?" This question is one many business owners don't want to ask or even think about, but given the sheer number of different software products and tools that businesses, and the companies they rely on for support, use, being 100% breach-proof 100% of the time is becoming next to impossible. As recently seen with the breach of SolarWinds' Orion platform, the chain is only as good as its weakest link. While your company might run a tight ship, it is now almost mandatory to assume that the software or tool providers you use may be compromised in some way.
Develop a response plan
Developing a breach response plan helps prevent chaos in the event of an attack and provides for a more calculated response, as opposed to everyone running around with their hair on fire. Effective response plans should take into account a number of possible scenarios. For example, the response to a physical break-in or theft of equipment containing data is going to be different from the response to an attack on a critical application that occurred months before it was detected.
Response plans should also be reviewed regularly, at least once a year, as the security landscape is always changing. Scenarios you are prepared for today may be obsolete in 12 months, replaced by newer and more effective attacks that negate any preparations you have made. Also keep internal changes in mind: new employees, changing line-of-business apps, and more can leave you unprepared if they are not reflected in your response plan.
Limiting vulnerability
Regular reviews of breach response plans can also highlight areas where exposure can be limited. For example, in one of our recent client pickups, we found they did not have any sort of retention policy in place for old data. They had data from nearly 10 years ago that was unused, unneeded and still sitting around. In the event of a breach, they would have needed to contact clients from 10 years ago and explain that their personal information may have been exposed. Instead, we helped the client determine a cutoff date for data; anything older than the cutoff was removed, thereby reducing the vulnerability.
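To make the retention point concrete, here is an added example (not code from the original post or from any client engagement) that applies a cutoff to a constructed set of client records and shows how the breach-notification scope shrinks once stale records are purged. The seven-year retention period, the record layout and the sample dates are all assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ClientRecord:
    client_id: str
    last_activity: date
    has_pii: bool  # does the record hold personal information?


def retention_cutoff(today: date, years: int) -> date:
    """Date before which records fall outside the retention window."""
    try:
        return today.replace(year=today.year - years)
    except ValueError:  # today is 29 Feb and the target year is not a leap year
        return today.replace(year=today.year - years, day=28)


def apply_retention(records, cutoff):
    """Split records into those to keep and those to purge (last activity before cutoff)."""
    keep = [r for r in records if r.last_activity >= cutoff]
    purge = [r for r in records if r.last_activity < cutoff]
    return keep, purge


def notification_scope(records):
    """Clients who would have to be notified if this data set were exposed."""
    return sorted({r.client_id for r in records if r.has_pii})


# Constructed sample data; the ids and dates are not real clients.
SAMPLE_RECORDS = [
    ClientRecord("c-001", date(2020, 11, 3), True),
    ClientRecord("c-002", date(2012, 4, 19), True),   # stale, holds PII
    ClientRecord("c-003", date(2019, 6, 30), False),
    ClientRecord("c-004", date(2010, 9, 12), True),   # stale, holds PII
    ClientRecord("c-005", date(2014, 1, 14), True),   # one day before cutoff
    ClientRecord("c-006", date(2014, 1, 15), True),   # exactly on cutoff: kept
]


def retention_report(today=date(2021, 1, 15), years=7):
    """Compare notification scope before and after enforcing the retention cutoff."""
    cutoff = retention_cutoff(today, years)
    keep, purge = apply_retention(SAMPLE_RECORDS, cutoff)
    return {
        "cutoff": cutoff,
        "notify_before": notification_scope(SAMPLE_RECORDS),
        "notify_after": notification_scope(keep),
        "purged": [r.client_id for r in purge],
    }


if __name__ == "__main__":
    print(retention_report())
```

Run as-is, the report shows five clients in scope before the purge and two after it, which is the reduction in exposure the paragraph above describes.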
Reviewing breach response plans is also a good time to review security standards and policies in general, making sure everyone is on the same page and that policies are actually being adhered to. It needs to be stressed that having a response plan doesn't mean prevention and detection can be ignored.
Don't bury your head in the sand
All of this can be overwhelming to think about, and we see the same few concerns surface regularly. Statements like "I'm too small to be a target" and "I don't have anything an attacker would want" are common, as is "Making changes is expensive."
Firstly, no business is too small to be a target. Attackers don't focus only on Fortune 500 companies or businesses above a certain revenue figure. They'll hit a 12-person accounting firm or law office, or even a two-person mom-and-pop store, just as readily as a 100-person banking firm.
Next, a data breach isn't necessarily about stealing information that is useful to an attacker. All businesses have one thing attackers want: money. Ransomware attacks are unfortunately extremely common today, and they're about preventing you from doing business entirely until you've paid a ransom. Here's a quick exercise: think of the one thing your business relies on daily. Without it you grind to a halt and start losing money. It may not contain any sensitive information at all, but if you can't function without it, it's a target.
Finally, we get it: businesses run on a budget. However, like it or not, your costs are already increasing. The cost of data breaches is skyrocketing, which means that if you sit tight, do nothing, play the security lottery and lose, you lose big. Spending resources on ensuring you have proper protection, detection and response in place can be a drop in the bucket compared to a full-scale disaster you're not prepared for.
Preparing for the business landscape of the 2020s
Moving into the next decade, businesses will rely on technology and IT more than ever. This introduces new security challenges that require sound policy and strategy. Many businesses and organizations can no longer afford to go it alone and fly by the seat of their pants. If this sounds like you and you would like some help, feel free to reach out; we'd be happy to help.