More than a third of offices have little to no plan for improving their cybersecurity.
That is a third of small and mid-sized businesses and non-profit organizations without any clear path to avoiding being scammed—or even worse, getting shut down by a major data breach or ransomware attack.
As organizations have started to embrace cloud-based systems, they continue to run their organizations without seriously considering cybersecurity ramifications. What’s even more frightening is that many admit to being ill-prepared to secure their networks, but haven’t taken any action.
Are you worried about your cybersecurity planning?
While I’d hate to admit it, cybersecurity is the number one threat organizations are confronting right now in 2018. As I mentioned before, threats to your network keep growing, to the point that many IT Support teams are ill-prepared to take action and are so inundated with fixing day-to-day user issues that they simply don’t have enough time to dedicate to defending your network against imminent cyber threats.
You might be one of the 15% of people who fear that your organization’s cyber strategy (or lack thereof) is not seriously addressing the growing cyberattacks coming out this year (predicted to get worse in years to come). Note: the first step to addressing concerns is to explicitly understand where your vulnerabilities lie.
If you were to rate your organization’s cybersecurity, where would it fall?
Advanced—you have a security plan, a business continuity plan and the means to recover from a disaster (including cyberattacks and data breaches). Your technology is maintained and you are continually thinking about and implementing newer technologies proven to protect network infrastructures like your own. You have someone evaluating your network and prioritizing vulnerabilities and threats as they pop up, and you are continuously devising strategy to confront new threats. (Organizations like these represent only 9.5 percent of all organizations.)
Intermediate—you have both a security and a continuity plan. While your technology is maintained relatively well, holes do pop up—especially when your IT team is busy with other things. You may be thinking about improving your technology to make it more secure, but might not have actually implemented everything and don’t realize many of your hurdles are easy to fix with the right guidance. (Organizations like these represent about 19.5 percent of organizations.)
Basic—you have general ideas of how to protect your network. You might have someone trying to patch up vulnerabilities, but they usually run out of time fighting other fires. You are probably aware that you’re not doing enough to keep your users secure, but you don’t realize you could cost-effectively make improvements that seriously boost your security, and you don’t know how to identify your weaknesses. (Nearly 34 percent of organizations fall into this category.)
Non-existent—your team doesn’t do any monitoring or maintenance on your network—even when they say they are! Most organizations that fall in this category don’t even realize that they’re sitting ducks for cyberattacks because their IT teams are feeding them misinformation. You don’t even have a solid plan that concretely addresses recovery. (Astoundingly, 22 percent of organizations are facing this scenario.)
In the planning stages—you may have a framework you’re working on to become secure, but no one has actually done anything yet. Your IT team means to get around to it, but cybersecurity is not as big a priority as firefighting user issues. (Nearly 15 percent of organizations are still here).
Not to beat a dead horse, but looking at where organizations are with their cybersecurity, over a third have nothing substantial in place. Planning certainly is better than nothing, but only once a plan gets implemented, evaluated and revised will you start protecting your organization.
Many of those that are not strategically implementing security to keep their users and data safe are making some common—but very wrong—assumptions relating to their security:
The cloud is safe—the reality is that cloud platforms are just as insecure as servers kept in house. They run the same software and carry the same exact vulnerabilities as infrastructure housed within your own network.
We’re too small—the reality is that cybercriminals are attacking anyone not doing their due diligence to protect their networks. To them, size doesn’t matter as much as ease of access to a network.
We’ve bought a top-of-the-line firewall—the reality is that nearly half of firewalls are misconfigured and not actually protecting your network as you think they are.
We’ve got an IT guy—the reality is that many IT guys don’t understand security. They’re used to fixing user issues, but don’t have the capacity to make sure your organization is free from threats and risks leading to major data breaches or cyberattacks.
There are all sorts of reasons and justifications for why organizations decide not to be constantly improving their security. Trust me, I’ve heard it all. But the one thing most organizations fail to account for is the growing threat from cyberattacks.
In 2018 alone, over three-quarters of attacks could be attributed to not maintaining a network adequately. Basic maintenance and patching—things that you’re likely paying someone to do, but they simply aren’t doing or aren’t doing right.
By keeping very fixable risks lingering on your network, you are nearly 11 times more likely to fall victim to an attack. And that number increases exponentially if you consider the number of vulnerabilities released every single day. As hundreds of new vulnerabilities—several of which are critical security vulnerabilities that could very likely jeopardize your organization’s business continuity—get discovered each week, you put your business at risk if you simply assume patches to those vulnerabilities are being successfully applied.
Even if you are using the cloud, you shouldn’t be surprised to see the growing number of breaches that result from cloud misconfigurations. Organizations with cloud infrastructure are more likely to get attacked today simply because more people are using cloud platforms. The cloud is not inherently safer than a traditional network configuration, especially if the team managing it is too busy or lacks the skills to keep it safe.
One last thought: Are you part of the problem or the solution?
The good news is that cybersecurity is not insurmountable. What organizations need to realize is that it’s best to work together to contain risks rather than reinvent the wheel thousands of different ways—many of which will probably not even work long term.
Even if your organization is relatively secure—although security experts would recommend a network security assessment—are your vendors and suppliers?
More often than not, secure organizations work with all sorts of collaborating organizations that lack the same security controls and measures. Many of these organizations simply tell their vendors to be HIPAA compliant (or compliant with whatever regulations you are held accountable to) without providing any assistance or guidelines.
If you depend on other vendors to help keep your donors or clients safe, how is simply telling them to be secure enough? Will that keep trust in your organization? Again, experts recommend that you have them go through the same rigorous network security assessment to prove their network is as secure as they say it is.
With changing technology and growing security offerings, it’s really hard to get a solution that fits your organization. Many organizations we’ve assessed have spent good money on security, only to realize later that they’ve invested in good technology that wasn’t set up or configured properly.
Or that they are still missing patches or have other lingering vulnerabilities on their network because their IT Support preferred to sell more expensive shiny security toys than actually clean up basic security issues—issues that will never go away until properly addressed.
Over a long enough period of time, the probability you will have one of those vulnerabilities cause a breach or attack is near 100%. While we cannot entirely prevent an attack from occurring, we can make it exponentially harder for attackers to lock down our systems or access sensitive data.
We get it—budgets are tight, especially when it comes to security. But security doesn’t have to cost an arm and a leg. By simply prioritizing your risks and eliminating the known vulnerabilities attackers are exploiting to penetrate networks, you are well ahead of the other organizations doing next to nothing—the third of organizations that are either planning to eventually do something or haven’t done anything at all.
It takes just one vulnerability to shut your business down. Are you prepared?