Despite the pandemic, many companies in the Triangle have grown – some quite rapidly, but their cybersecurity policies remain in pre-pandemic dark ages. Adapting to the new hybrid workplace meant that companies needed to reconfigure and redesign their training and guidance to stay ahead of the curve. As your business expands, Bernard Robinson & Co. recommends examining five key elements to minimize your cybersecurity risk.
While businesses grew in the hybrid workplace, network security concerns compounded as more individuals worked from home. Many organizations offered employees (for the first time) options in remote work. This resulted in adding an unprecedented number of home-based users who are working on multiple devices and using new applications, including some hosted from a cloud or other type of data center. With intensified stress on legacy systems, the risks of outrunning the network and security infrastructure are significant especially for smaller companies.
“From my discussions with businesses in the Triangle, there’s a popular misconception that cyber crooks only seek out the big organizations,” said Andy Harding, director of practice development at the CPA and advisory firm of Bernard Robinson & Co. (BRC). “Mostly because of their size, folks think that the larger organizations have deeper pockets, numerous points-of-entry, and can be slow in patching their systems. But the reality is, the threats are the same no matter what size the business. This can be especially true if the owners and business leadership are just barely getting their hands around the business growth in a hybrid work environment.”
Harding provided additional insights on how smaller firms with limited IT resources can mitigate these issues. “In developing solutions to prospective clients, BRC recognized that investing in the talent of a strong cybersecurity team could benefit businesses of all sizes. It is not always feasible to have a large internal IT department but utilizing the right consulting firm for what is needed is a great solution for smaller companies.”
Ben Hunter, principal and cybersecurity team leader at BRC, adds perspective to the security around vulnerable areas of the company. “There is an old saying: ‘It is easier and cheaper to retain a customer than to acquire a new customer.’ The same can be said of cybersecurity. It is easier and cheaper to prevent a cybersecurity incident than to recover from one.”
Don’t underestimate the impact of a ransomware attack, probably the most well-known type of cybersecurity incident. In Cynthia Brumfield’s article on CSOonline.com, she discusses a review of 2021 8-K filings that reveal “the actual costs of ransomware attacks, including lost revenue, can far eclipse the simple dollar amount of any ransom paid.”
Let us look at just two examples: Sinclair Broadcasting Group and Blackbaud, Inc. Sinclair disclosed a ransomware incident, paid no ransom, yet had a $63 million loss of advertising revenues and $11 million in remediation costs. Blackbaud was hit in 2020 and paid the ransom. Blackbaud recorded $10.4 million in expenses related to the incident, which was offset by $9.4 million from insurance. However, customers sued and Blackbaud has disclosed an expense of up to $50 million of non-recurring legal expenses. The costs of a cybersecurity ransomware incident can far outweigh the actual ransom. Those examples are good case studies since the impact is observable from the public records. For smaller private companies, although the attacks and related costs are not transparent, their costs are likely equally as detrimental.
BRC has identified five tips for companies to protect corporate growth in today’s hybrid work environment.
1. Education: Develop a culture of cybersecurity awareness
Cybersecurity is everyone’s responsibility. Employees are the first and last line of defense of the organization’s data security. With a culture of cybersecurity awareness in place, the employees are always on alert for emails and situations that are out of the norm. This type of culture allows and encourages employees to speak up when they see phishing emails or when corners are cut on security procedures.
The highest levels of leadership (including the board of directors) need to not only participate in the security training but also actively advocate for and defend the cybersecurity and data security procedures at the company, creating a culture of cybersecurity awareness.
The first step toward creating a culture that values cybersecurity is training. Unlike 20 years ago, such training should take place more than once a year. Training should be ongoing and treat cybersecurity awareness similar to safety in manufacturing. The safest manufacturing floors talk about safety all the time – at the beginning of each shift, at the end of each shift or whenever an incident occurs. Cybersecurity should be talked about at every “all hands” meeting. Managers should keep cybersecurity and data security top of mind to help foster awareness.
By talking about cybersecurity early and often, leaders establish the value of protecting their organization’s data. This allows the employees to think cybersecurity first and save the organization money, time, and reputation by preventing a cybersecurity incident.
2. Defense: Implement two-factor authentication
Two-factor authentication (2FA) should be used whenever and wherever it can be deployed. It is the most important cybersecurity tool that exists to prevent account takeover and the lateral movement in networks that hackers exploit. There are various forms of 2FA for user accounts. A physical device such as the Yubico Yubikey or the Google Titan Security Key can be used. More common is an authentication app or SMS messages. The physical device is the most secure 2FA method and SMS messages is the least secure. Any method used is better than not using 2FA. In addition to implementing 2FA for all the organization’s user accounts, training needs to be provided. Employees need to understand how 2FA is protecting the organization and why is it so important, even though it adds a bit of friction to the login process. Employees also need to understand that nobody needs the 2FA code and nobody should ever ask for it. Only crooks will ask you for the 2FA code.
3. Implementation: Focus on patching
Yes, patching (or updating) the systems is an essential cybersecurity activity. When “sophisticated” data breaches happen, the breach was often made possible because the company did not keep the systems patched. One of the most infamous computer viruses, WannaCry, took advantage of unpatched computers. Microsoft released the patch in March of 2017. WannaCry was released into the wild in May 2017. If every organization had updated their computers with the March Microsoft patch, then the WannaCry worldwide cyberattack might not have happened.
Organizations need to focus on patching everything from the employee’s phones to the virtual servers in the cloud to IT devices running the office building. Patching is as essential as changing the oil in your engine. It is a process that can be measured and is something management can verify is being done in a timely manner. Routine review of the vulnerability scan will ensure patches are installed in a timely and accurate manner.
4. Prevention: Use anti-malware solutions
With the move to work from home at the beginning of the pandemic and now the continued emphasis on hybrid work schedules, the need for anti-malware on end point devices is more important than ever. The organization’s attack surface has grown exponentially. Employees are now the “CISO” of their own home. As the employee is often the first line of defense, the employee’s device is the first device to be attacked. A focus on endpoint security plays a critical role in enabling the remote workforce. All organizations should use a next-gen endpoint solution.
5. Restoration: Have good, clean backup copies and test at least annually
If all your preventative measures fail, then the best and fastest way to recover from a cybersecurity incident is to restore data from backups. How often the organization backs up its data, and where the backups are located is a risk-based decision for management. The important part of the process is confirming the backups are complete and clean (meaning, any malware a criminal installs is not replicated to the backup copy).
Another important process is confirming the organization can restore from backups. Management needs to understand how long it will take to restore data and get back up and running so an appropriate risk-based decision can be made concerning cybersecurity.
Cybersecurity is a business process that is essential to protect and facilitate the continued growth of any business — whether big or small. Assessing these five key areas will support your goal of reducing risk by increasing cybersecurity awareness.
Ben Hunter, III CISO, Advisory Services Principal, CPA/CITP, CISA, CRISC, CDPSE, CISM
Ben is the Chief Information Security Officer for BRC and is a Senior Manager in our firm’s Risk Advisory Services Practice. He specializes in Cybersecurity and Information Technology Audits and Assessments. Ben began his cybersecurity career in the US Marine Corps. After becoming a Certified Public Accountant, he continued his cybersecurity and IT Audit […]
Andy Harding Director of Practice Development
Andy serves as BRC’s Director of Practice Development (including marketing and corporate communications). Known as a bold and successful innovator of practice growth, Andy has over 20 years in the accounting industry and extensive knowledge in positioning complex services for CFOs and other “C-level” executives. Andy heads BRC’s strategic growth initiatives firm-wide in addition […]