With cyber-attacks becoming more common by the day, and cyber criminals increasingly sophisticated with their tactics, having a strong cybersecurity strategy in place is crucial to your organization's ongoing operations.Unfortunately, many small and medium businesses still have the impression that due to their size, they are less likely to be the target of cyber-attack. Irrespective of size, if you are running a business, then from a cyber-criminal’s perspective, you have the two things they want: data and money. As a business leader it is your responsibility to understand the potential risks to your business, and to take steps to manage these risks.
What is the risk to your business?
No matter the size or industry of your business, there are three main areas of risk that you must be aware of. Despite the recent rapid move towards remote working, which has again changed the playing field for both sides of the cybersecurity battle, these areas of risk remain constant.
Financial risk is most commonly present in the form of ransomware. This is where a malicious piece of software is able to penetrate your network security and encrypt business data, making it inaccessible to your staff. To regain access to your data a ransom must be paid, often in the form of Bitcoin or some other cryptocurrency. There are many examples of recent and high-profile ransomware attacks such as that on Toll Group in 2020.
Loss of reputation and credibility is a very real risk following a security breach, particularly for organisations with a high duty of care, such as those in the finance or healthcare sectors. Damage to reputation is also likely to directly affect sales, customer retention and even business valuation, particularly with Australia’s Notifiable Data Breach scheme (and similar schemes internationally) ensuring that any significant data breach is highly likely to become publicly known.
Most cybersecurity breaches will result in some degree of disruption to business operations. This may be relatively minor in some situations, ranging to catastrophic in others. Such disruption will also inevitably bring both reputational and financial damage to the organization, in turn placing greater pressure on business recovery and possibly even survival. Again the Toll Group breach of 2020 is a compelling case study highlighting extreme disruption to business operations.
“As the world went into lockdown in 2020, the criminals did too. This means they needed to shift their operations somewhat and start targeting workers who were at home rather than in the office.”
- Akamai State of the Internet/Security Report 2021
Your Cybersecurity Strategy
While cybersecurity does cost money, the amount spent on cybersecurity needs to be considered against the potential risk and loss your business may face from a security breach. A good place to start in constructing a robust cybersecurity strategy is by familiarising yourself with The Essential Eight, a trusted framework of strategies and security best practice to mitigate cybersecurity incidents.
While each business will likely have a different cybersecurity strategy depending on its organisational requirements and goals, there are common factors most likely to affect the cost of implementation.
- Company size
- Complexity of IT environment
- Compliance requirements
- Sensitivity of data
Although It is critical to align your IT and cybersecurity strategy to your core business goals, in most cases businesses of any size or industry will require investment in a few common areas.
A firewall commonly sits between the public internet and your private network, providing a strong layer of network security for both incoming and outgoing internet traffic. Not all firewalls provide the same level of protection. Sophos and Meraki are two cybersecurity vendors that provide high end, advanced firewalls suitable for a business environment.
Firewalls may sometimes be included in the price of your internet connection, although are commonly a separate purchase with an ongoing annual subscription fee for maintenance and updates from the vendor. An advanced firewall suitable for a company with 50 staff would cost around $7,500 over 3 years including the purchase price and annual subscription. A firewall for a larger company of 100 staff would cost around $32,000 over 3 years including the purchase price and annual subscription.
Endpoint Security software & Endpoint Detection and Response (EDR) Software
Traditionally known as Antivirus software, modern Endpoint Security & EDR software is installed on individual computers to protect against malicious software such as viruses and malware.
Sophos is one popular vendor that provides this type of security with their line of Intercept X Endpoint products. Endpoint security software will typically cost around $2-5 per user per month and $5-15 per user per month for the more advanced EDR versions.
Popular email platforms such as Office 365 include some level of email filtering to scan all incoming and outgoing emails for malicious attachments, SPAM and phishing attacks. You can add on higher levels of filtering either within Office 365 or with third-party services such as ManageProtect for Office 365. These advanced levels of filtering will usually cost around AU$3-7 per mailbox per month depending on features.
Multifactor authentication (MFA) is one of, if not the most effective line of defence against user account breach. To authenticate your user account with MFA enabled you must enter not only your username and password, but also provide some extra point of authentication, such as a special code that arrives via text message.
Most modern applications already have MFA support, simply requiring you to enable it. For older legacy applications without MFA, third-party options such as Duo are available for around $3-9 per user per month.
Cyber insurance is rapidly becoming a common inclusion in many general insurance packages, designed specifically to apply in the event of a security breach. Cyber-insurance experts AllSafe Insurance Brokers recommend a minimum of AU$1M cover with a Criminal Financial Loss benefit. The cost of such an insurance policy will vary greatly and will be influenced by factors such as how much revenue is generated online, and what types of cybersecurity protections the business has in place.
Cybersecurity Awareness Training
Arguably the most broadly effective, and yet least used of all cybersecurity tactics, training staff to be cybersecurity aware can be both cheap and easy. Running your own in-house training sessions can be easy and mostly cost-free, although you may like to consider bringing in an external trainer which may cost around $200 per hour.
Another possibility to consider is an automated cybersecurity awareness program for around $2 per user per month. Programs such as this will provide ongoing tips and guidance for staff, along with testing the effectiveness of staff awareness through automated ‘friendly phishing’ campaigns.
Cybersecurity Consulting Services
For more tailored services, specialist cybersecurity consultants will provide an experienced team of experts to deliver customised services such as vulnerability assessments, penetration testing and threat monitoring.
This type of service will usually be charged at hourly rates of $250-1,000 per hour.
As a business leader it is your responsibility to be aware and informed of the cybersecurity risks to your business, and to take steps to actively manage these risks. A strong cybersecurity strategy consists of many elements, and understanding the potential costs associated with these is a key step in implementing security best practices.