By David Black
You don’t need to be a Certified Information Systems Security Professional (CISSP) to see how debilitating a cyberattack is for small businesses and e-commerce sites. As the volume of attacks continue to increase, all businesses need to take every provision to keep safe.{mprestriction ids="1,3"}
The 2018 “State of Cybercrime” survey, conducted by the Secret Service and Community Emergency Response Team (CERT) at the Software Engineering Institute at Carnegie Melon University, evaluates the trends in frequency and impact of cybersecurity incidents on small businesses. The study highlights the changes in cyberattack sources, cybersecurity spending and the plans, processes and trainings that organizations have implemented to mitigate security breaches. Companies are investing more money and time in their cybersecurity than ever before as cyberthreats remain prevalent for businesses of all sizes.
Key findings of the survey include:
• Budgets continue to rise for security funding. Fifty-nine percent of businesses reported that their cybersecurity budget increased over the past year.
• Enterprise-level organizations are compromised more often than small businesses. Enterprise-level organizations average 196 cybersecurity events per year, compared to small businesses, who experience 24 cybersecurity events per year.
• Three-quarters of all cybersecurity attacks are from outside sources, with hackers providing the greatest threat, with 27 percent of all attacks.
• Seventy-eight percent of enterprise-level businesses have a formal incident response plan in place. Only 54 percent of small businesses have a plan in place. A mere 44 percent of all organizations reported that they test their plans at least once per year.
• Ninety-five percent of all organizations surveyed reported that they provide security awareness training at least once per year. More than 55 percent of the security decision-makers noted that C-level executives needed the most training.
Organizations surveyed hope to derail attacks in 2019 by adding new technologies, conducting audits and assessments, adding new skills and capabilities, redesigning their cybersecurity systems, redesigning their processes and participating in knowledge-sharing.
By re-evaluating your security systems in place, you can increase the ability to respond to a security incident. Without a deterrent, attackers are going to keep targeting vulnerable networks and getting through.
The cybersecurity industry will continue to shift and evolve as we progress through 2019. As the industry evolves, businesses must learn to adapt and evolve as well. Key areas that should be focused on are staffing, consolidation and the cloud.
Various industry estimates state that there will be 2 million to 3 million cybersecurity jobs that will go unfilled by 2020. If every student currently attending college in the U.S. for a degree in computer science were given a guaranteed job, there would still be a shortage of security experts. As we all know, not all who gain computer science degrees enter the workforce in cybersecurity.
Now is the time to secure your options. Existing service desk personnel can undergo training to become certified and capable of supporting deeper needs. Outsourcing your IT is a cost-effective solution to gain access to teams of certified cybersecurity professionals to provide your small business top-level support without breaking the bank to hire individuals with the same high-level experience.
The cloud offers some great capabilities for businesses of all sizes. Most businesses are in the cloud in at least one area of their operation. Be it Office 365, virtual machines or cloud storage, cloud solutions are the way of the future, but they are not flawless when it comes to security. Twenty percent of incidents and breaches involve cloud solutions.
The good news is that innovation is extremely high in cloud solutions, which is still in a very infant stage in its existence. A lot of money and resources are spent to improve performance and security in the cloud. This also means that there are more devices, programs, processes, platforms and technologies that businesses are required to be savvy with to keep up with the quickly evolving innovations. Having properly trained team members will be vital to the success of your cloud environment.
Lastly, a lot of the incoming innovation is geared toward consolidation. Being able to consolidate the tasks your employees and business rely on is key to streamlining processes, becoming “leaner” and ultimately reducing wasted resources.
This is very relevant when it comes to cybersecurity. Not only does trying to focus on too many categories and systems at once cause heads to spin, it becomes increasingly expensive and cost-versus-reward goes out the window.
When it comes to cybersecurity, everyone is always wanting the magic pill at a generic cost. It doesn’t exist. But you can train your employees and implement processes to effectively manage your security systems. If you assume that because you bought a firewall you are safe, you couldn’t be further from the truth. The first question that needs to be asked is: “What am I trying to control or achieve?”
Being able to accept that you can’t protect everything equally is a must. You can’t leverage the same security protocols of your vital servers on your employees’ laptops or email usage. You need to have varied and different controls in place. It boils down to identifying what your assets are and knowing what you are actually trying to protect. Once you build an architecture with the ability to protect an asset, you can then reuse and adapt that capability with different needs.
Unfortunately, there are no quick fixes or easy options for cybersecurity. If there were, the demand for cybersecurity professionals wouldn’t be so high. We need to keep fighting the good fight, one step at a time, while using the right technologies to develop processes to automate the easy tasks, andbuild teams of trained and qualified personnel to act upon critical tasks and ensure processes and procedures are properly documented so all members of your organization know how to react to and hopefully prevent future cyberattacks.
David Black is the director of business development for Wasatch I.T., a Utah provider of outsourced IT services for small and medium-sized businesses.{/mprestriction}