Businesses that neglect cybersecurity may regret it — but pandemic-strained smaller companies often complain that their cash is already stretched. Experts say, though, that staying safe doesn’t mean blowing up the budget.
“There’s a common misperception that it’s expensive to implement a good cybersecurity program,” according to Matthew Ferrante, a Withum partner who leads the Cyber and Information Security Services at the advisory and accounting firm. “It’s important to recognize that in today’s modern times — when the average cost of a data breach is exceeding $8.19 million — a significant data breach has put some small- to medium-sized companies out of business. Cybersecurity is necessary and scalable to an organization’s size.”
Even smaller businesses can take inexpensive steps to shore up their security. “First, get an assessment and penetration test of your environment,” he said. The results of the assessment and penetration test should be in layman’s terms and backed by supporting technical evidence of findings. Also, be sure they check your firewall [a digital barrier between a trusted personal or corporate network and an untrusted network, like the Internet].
“The firewall that your internet provider provided may be good, but it often is not configured properly or actively managed. A firewall is only as good as its configuration. A less expensive but properly configured firewall is much better than a much more expensive but improperly configured firewall.”
The basic security process begins with a strategy, he said. “Some businesses go on a shopping spree after they’ve suffered a data breach and overpay or buy the wrong kinds of defenses, while others may have the proper tools but they don’t use them to the fullest extent. That’s why it’s important to get knowledgeable assistance from cybersecurity professionals.”
Before suggesting a program, “Our professionals will examine the company and its overall environment,” Ferrante said. “We may also suggest a ‘threat emulation,’ or authorized hack exercise that’s designed to detect vulnerabilities. That’s particularly important now, when the expanded work-from-home model has drastically increased companies’ digital footprint and their attack surface.”
WHERE TO BEGIN
A comprehensive cybersecurity plan will usually “start with a risk assessment that identifies your vulnerabilities,” according to Bill Blum, president and founder of the computer support and information technology services provider Alpine Business Systems. “Does a business have a backup and recovery policy — if yes, how often do they back up their data — and are they monitoring who’s on their network?”
Besides identifying their risks, “[b]usinesses need a policy and procedure for each risk, and they should document whether they’re actually following these policies,” he added. “Even large companies can get overwhelmed with the necessary steps, while smaller- and medium-sized companies may not have the staff to do this and will need to engage a consulting or other firm that can provide 24-hour security.”
In one case, “[w]e recommended solutions to a professional services firm with more than 100 employees, but they didn’t adopt our suggestions,” Blum recalled. “Subsequently, they suffered a cyber-breach and besides tarnishing their name, their breach-related costs totaled more than $100,000. After that, they listened to us and put security procedures in place that included multi-factor authorization,” an authentication method that requires the user to present two or more forms of verification to gain access to an application, online account or other asset.
Because smaller businesses are less complex than large ones, “it may be easier and less costly to layer in security in a small- or medium-sized business,” said Carl Mazzanti, the president and founding partner of eMazzanti, a company that provides outsourced IT and network solutions. “They should start with a trusted advisor or outsourcing provider that can educate them and implement the necessary basics.”
Low- or no-cost solutions include prohibiting re-used or shared passwords, he noted. “Also, almost all platforms offer the ability to use multi-factor authentication,” he said. “MFA is an added layer of security even if a password does get out. Most cybercriminals will skip over a secured account and go after an easily accessed, unprotected one.”
He also cited DNS, or domain name system, which works something like the Internet’s phonebook, as a weak link. “There are DNS security tools available,” he said, including guidance from the National Security Agency, “but very few businesses bother to use it.”
Moving a company’s data to “the cloud” — software and services that run on the Internet, instead of locally on a business’ computer — may help, “but it still requires vigilance,” said Mazzanti. “A cloud service provider typically only guarantees that the service will run and be available. They’re generally not held contractually responsible for a breach. The business itself retains fiduciary responsibility for data protection and giving the data to a third party for storage purposes doesn’t remove that responsibility. So there’s no quick solution for cybersecurity, but an expert advisory company can help.”
Right before tax season in 2020, the CPA firm Stephen P. Gunby & Associates P.C. took “a leap of faith” and moved its systems to the cloud. “Our server was getting old,” said owner Stephen P. Gunby, “and we had discussions with Bill [Bill Blum, CEO at Alpine Business Systems] about a new server. He suggested possibly going to the cloud.”
It was a big bet, coming right before the “busy season” for CPAs. “Honestly, we were petrified of doing it so close to tax season,” said Gunby. “But Bill promised they would be there to deal with any issues and he promised us it would not hinder our tax season efforts. It didn’t — and with the outbreak of COVID it actually became a godsend as we were all able to work from home much easier.”
IT providers agree that every business should take safeguards to protect their systems and sensitive data. Some simple steps follow:
- Be sure all operating system software (like Microsoft Windows or macOS) is up to date and has received security patches
- Ensure that all employees receive periodic training on the basics of cyber security
- Implement multi-factor authentication and require strong sign-in passwords — and tell employees not to share their passwords
- Spring for a secure firewall [a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules] that meets industry standards, and then be sure it’s updated regularly
- Implement a robust backup and disaster response program, then ensure that it’s utilized, monitored and documented
- Install industry-standard antivirus software on your systems — and on employees’ laptops or desktops
- Limit administrative access to necessary individuals, and monitor system activity
- Secure any mobile devices
Moving to the cloud did add some costs, “but it also is much more secure, and we feel it’s a good investment,” Gunby added. “Spending money on your business is an investment — this is one we felt we needed to make.”
The kind of information that will attract cybercriminals depends on the industry, according to Mazzanti. “That’s why it’s important to identify your valuable assets, determine what they’re worth on the open market, and then take steps to protect them — because that’s what cybercriminals will go after.”
Retailers, for example, have customers’ credit card data that can be sold on the “Dark Web,” a part of the Internet that’s not visible to most search engines and requires the use of an anonymizing browser to be accessed.
Hospitals, meanwhile, have patient records with personally identifiable and other information that can go for $12 to $14 per record, “and net a cybercriminal a lot more than what a doctor earns in a year,” Mazzanti noted. “When it comes to manufacturers, their intellectual property — like R&D or patents — is often more valuable than their physical property. So that’s what cybercriminals will seek to access and sell.”