We have provided breach response work for companies of many sizes, ranging from single small business owners all the way through enterprises, and nearly everyone we have worked with was surprised that the incident happened; they never thought it would happen to them. We would like to share 5 things that victim companies wish they had known about Cybersecurity prior to the attack:
1.) They wish they had known that they did not have a secure backup. In almost every breach that we have worked so far, the IT person or business owner thought they had a good backup, but in most cases the backups were not backing everything up, or the backups were deleted by the threat actors because they were not securely backed up to the cloud.
This results in ransoms having to be paid in order to recover some or all of the data. We have been told MANY times by victims that they wished they had had better backup technology and that they had tested their backups more often. With the right business continuity backup, they could have been back up and running in hours.
2.) They wish they had had Managed Detection and Response Cybersecurity, or at least an incident response plan, to protect them from cyber-attacks. Many companies who fall victim think that their IT person or outsourced company was “securing” them because they had antivirus and firewalls.
Unfortunately, most companies still operate with legacy firewalls and definition-based antivirus, and they think that is going to protect them. With Managed Detection and Response Cybersecurity, they would have been able to detect malicious behavior before suffering a breach. Many people we have interviewed told us that they thought Cybersecurity was too expensive, but after suffering a breach they realize prevention would not have been all that expensive after all.
3.) They wish they had trained their users. Most cyber-attacks come from phishing email attacks, and all it takes is for an untrained employee to open the wrong attachment or click the wrong link in an email to shut the whole company down. I have talked to several victims who said they were just too busy to go through the training, but after suffering a breach they really regret not taking the time to do the training – especially since there are training videos available that are very inexpensive and require very little time to invest.
4.) They wish they had known about multifactor authentication or two-factor authentication. This simple layer of security has been available for years and it’s free, but many companies still use Gmail, Office 365 and even social media without setting up this additional security step.
Sadly, most phishing email attacks could have been prevented with this layer of security and a little training, yet many companies that I have worked with have suffered millions of dollars in losses and loss of reputation simply because they did not take the time to set this up and train their users.
5.) They thought that Cybersecurity insurance would take care of everything. Sadly, many companies rely only on cybersecurity insurance and best-effort backups and antivirus to protect them.
We find that most cybersecurity insurance policies don’t even cover cyberextortion, and the coverage limits are ridiculously low, like $250,000 to $500,000. These limits barely cover the attorneys’ fees, let alone the cost of IT professionals having to rebuild everything and the cost of not being able to conduct business for days or weeks.
So all 5 of these situations have 1 thing in common – the companies who fell victim to cybercrime realize that if they had spent a little more time on assessments and invested in proper cybersecurity controls and training, they would not have suffered losses ranging from hundreds of thousands of dollars to millions of dollars, and they cannot put a price on their reputation.
As incident responders, we have to watch business owners wrestle with the possibility that they may go out of business or suffer unrecoverable losses.
We have worked with many good, hard-working company owners, and they simply did not know better or they thought that cybersecurity was for much larger organizations.
We have a few great clients who have pleaded with us to get the word out there and share their story so that they can protect others.
We hope this blog and video have helped you understand how serious the threat landscape is, and we want you to know that we are happy to schedule a free consultation with you to talk about assessing your risk. Do you have a plan in place? If not, we should talk! Please drop us a message here on social media and press the like button. You can also check out our latest posts on our blog site.