Are small organizations adequately prepared for cyber-warfare? It is well known that in 2014 and 2015, high-profile corporate brands such as Target, Home Depot, AT&T, JPMorgan, Neimen Marcus and Sony all had massive data breaches resulting in millions of dollars spent on mitigation of damages. All of the aforementioned companies are not in any danger of closing their doors anytime soon. However, there’s a good chance if your small organization incurred a cyber-attack your outcome may not end so well. Furthermore, as large organizations develop stronger controls to protect against cyber fraud, attacks on small organizations have proliferated. Small organizations are in the direct crosshairs of cyber criminals. They are particularly vulnerable due to management oversight and a lack of understanding how to adequately protect the organization’s assets against cyber-threats. According to Experian, more than 50 percent of small organizations that suffer a cyberattack will not be around after six months. Here are five ways to help small organizations mitigate cyberattacks and the resulting financial impact.
- Education – You cannot prepare for what you do not understand.
The Association of Certified Fraud Examiners (ACFE) supports estimates that in 2014 fraud losses related to cybercrime were well over $100 billion. Additionally, from 2001 to 2012, the Internet Crime Complaint Center (IC3) has reported a staggering 2,849 percent increase in total dollar loss from all related cases of cyber fraud. Go-Gulf, an international web application design and development company, reports that 42 percent of the direct financial cost of cyberattacks is related to Internet fraud. The major motivations behind cyber-attacks as ranked by reported research from Go-Gulf:
- Fifty percent hacktivism which is the use of computer programs to disrupt business internet activity and also to promote political ends. (This type of attack can paralyze the business ability to carry on business that requires internet connectivity including email.)
- Forty percent internet fraud to embezzle and rip-off your organization’s money and valuable assets.
- Seven percent cyber-espionage to use computer networks to gain illicit access to confidential information. (This attack is directed to steal your customer’s personal data, which is then most often sold to third parties.)
- Five percent cyber-warfare by a nation-state or international organization to attack and attempt to damage another nation’s computers or information networks.
- Threat Assessment – Broadly identify the types of threats to your organization and the possible means to mitigate those threats.
For each threat, ascertain the favored method of attack and evaluate your company’s defenses. It’s best to have a cybersecurity firm test your system to find weak points in your protections, then make sure you address them and get them fixed.
- Employee Code of Conduct and Cyber Security Policy – Company employees must understand how to recognize and respond to a cyber-attack.
It is important to make certain your employees have read and understand your company has a clear-cut list of guidelines about the company’s cybersecurity policies. Employees should also receive routine training of how to recognize and properly respond to cyber-threats. For instance, the national white collar crime center reports that more than 70 percent of the complaints received regarding fraud committed over the internet come from emails. All the preparation, technology and insurance in the world will not stop a cyber-thief if an employee lets one wander right in.
- Insurance – Cybersecurity insurance transfers some risk of security breach.
A specific cybersecurity policy will provide some level of financial recovery related to direct financial loss, forensic investigations, legal defense etc. However, before you buy, you must be very familiar with what risks are covered, the policy language and liability limitations. Make sure you incorporate the mechanisms and triggers of the policy coverage to make certain you and your employees’ reactions do not limit coverage liability. Make certain you understand the limitations of the policy. If not specifically required in the policy, you need to make sure key financial-related employees are bonded by a fidelity insurance policy.
- Data Recovery – Whether the threat is of being hacked, crashed, lost, stolen, corrupted, vanished or misplaced, securing your data is not up for negotiation.
Do not scrimp on making certain your data is secure and protected. Develop business continuity operating procedures, and in addition to data protection, make certain the company’s data infrastructure is protected and recoverable. Policies and plans must include preparation and training for responding to an emergency. Having a plan that has never been tested is like playing Russian roulette with your company’s future. The more you are familiar with cyber-threats, cybersecurity and how cybercriminals can break into your system, the better prepared you’ll be to prevent a potential breach and survive a cyberattack against your small business. H. Glen Jenkins, CPA, CVA, CFE, is Senior Manager in the Fraud & Forensic Services practice in the Atlanta, Georgia offices of Warren Averett, the 27th largest accounting firm in the U.S. Jenkins has more than 20 years of experience assisting corporate counsel in complex commercial litigation, calculation of economic damages, fraud investigations and business valuations of tangible and intangible properties.