3 Things Organizations Must Do to Boost Their Cybersecurity in 2023

Organizations in the U.S. spent $9.44 million on average responding to cyberattacks last year, according to a Ponemon Institute report.

This figure is more than double the global average, which leads us to ask why things are so bad in the U.S. and what organizations can do to tackle this threat.

Part of the problem is the U.S.’s lax laws on cybersecurity. Without strict regulations such as the EU GDPR, which contains specific instructions on how to prevent data breaches, organizations in North America are left to fend for themselves.

This often results in inadequate or inefficient security measures that fail to account for the risks specific to each organization’s practices. A crucial component of the GDPR, for instance, is incident response. There are rules in place for not only how to defend against attacks but what to do when they have occurred.

That U.S. organizations spend so much responding to data breaches indicates that they don’t have a plan ready when disaster strikes. This leads to a drawn-out response, during which disruption continues and costs mount.

If organizations on this side of the Atlantic are to reduce the costs associated with data breaches, they must reconsider their approach to cybersecurity.

That doesn’t necessarily mean they have to follow the EU’s approach to the letter, implementing every one of the GDPR’s requirements. But there are simple things organizations can do to boost their security posture.

1. Make a business case for more resources

The first step to protecting your organization is to invest more resources in cybersecurity and IT teams.

It may seem counterproductive to spend money in order to reduce the cost of data breaches, but the cost of investing in cybersecurity pales in comparison to that of cyberattacks.

With just a few thousand dollars, you could make major improvements that mitigate most of the common forms of attacks.

Given the current economic situation, it’s unlikely that the board will increase budgets unless your team can make a compelling business case. You should point to the cost of data breaches and their frequency, as well as the associated damage – including customer churn and reputational damage.

You should also consider specific areas where the budget will help the organization. Don’t simply rely on more technologies to protect your business; consider the other resources that are potentially at your disposal.

This might mean budgeting for staff awareness training courses, bringing in internal expertise or hiring a consultant to manage an in-depth security audit.

2. Plan for a ransomware attack

Ransomware has quickly emerged as cyber criminals’ favorite tool. Attacks are relatively cheap to conduct, they don’t require sophisticated hacking knowledge and they can net the criminals large sums.

That is, providing that organizations pay the ransom demand.

Many organizations are starting to follow cybersecurity experts’ advice not to pay up, the reasoning being that there is no guarantee that the criminals will keep their word and decrypt the data once they’ve received their money.

Moreover, gaining the decryption key only solves one of your problems. There are the lost hours or days in productivity, the potentially permanent damage to systems and the fact that the incident is still classed as a data breach, meaning you should respond accordingly – notifying relevant authorities and affected customers.

The unfortunate reality is that ransomware attacks are almost impossible to prevent altogether. There are simply too many vulnerabilities for criminals to exploit – and even if your systems are airtight, they can target employees with phishing scams.

As a result, cybersecurity experts urge organizations not to rely solely on their ability to prevent ransomware. They should also consider what will happen if they come under attack.

That means implementing an incident response plan. The document details what to do in the event of various cyberattacks – including ransomware – with roles and responsibilities outlined and practiced.

A crucial component of responding to ransomware is to ensure that you have offline backups of your data. These should be isolated from your networks and updated regularly.

This ensures that you’re not reliant on regaining the decrypted files in order to get up and running again. You can instead wipe the infected systems and restore them in a safe environment using the backups.

3. Implement a patch management program

Website and system vulnerabilities are one of the more avoidable causes of security incidents.

With a patch management program and other relevant policies, organizations can be sure that they have the latest versions of software and that existing weaknesses are spotted promptly.

Unfortunately, these defenses are applied all too rarely, exposing businesses to routine data breaches. All criminal hackers have to do is look out for known weaknesses and then find organizations that haven’t fixed them.

This is one of the most misunderstood aspects of cybersecurity; criminal hackers aren’t necessarily targeting specific organizations, and you don’t have to be singled out in order to fall victim.

They are instead targeting vulnerabilities, enabling them to identify dozens, if not hundreds, of organizations that can be breached using the same method.

You can learn more about patch management by following the advice outlined in ISO 27001.

It’s the international standard for information security management, demonstrating how you can monitor and address information security concerns in a simple, structured way.

It includes a section dedicated to technical vulnerabilities, alongside a range of other information security risks. The framework promotes a holistic approach to organizational security, looking at the ways people, processes and technology interact.

We explain how the Standard works in our free green paper: Cybersecurity and ISO 27001 – Reducing your cyber risk.

This guide explains the information security threats that your organization faces and the ways in which ISO 27001 can be used to bolster your defenses.

We also outline the business case for ISO 27001 certification, demonstrating the ways it bolsters your reputation and helps you win new business.

A version of this article was originally published on February 15, 2021.