Here’s an IT security challenge for Cybersecurity Awareness Month: with 43% of cyberattacks aimed at small businesses, costing companies an average of $200,000, one single attack has the power to put you out of business. Take the quiz below and see how your company would do if attacked.
If you can’t fully answer all 12 questions below, it’s a major problem for your company.
DiamondIT’s cybersecurity experts, including our Certified Information Systems Security Professional (CISSP, the most rigorous IT safety certification available), put together these questions based on real-life examples and common security best practices. The questions will show you how vulnerable your business is, based on your ability to detect, respond to, and recover from a cyberattack.
You Will Get Hacked – Will You Survive? Take This 12-Point Quiz To Assess Your IT Security
1. Where are your IT credentials stored?
You can’t have the credentials.
That’s how an IT security tech responded during a cyberattack when we asked for the admin usernames and passwords. His contract was almost up. He didn’t care that we needed immediate access to their systems to mount a response and recover.
Fortunately, the company managing the organization’s backups could provide access. But it wasted a lot of valuable time that we could have spent on response and recovery, had someone within the organization retained the admin-level username and password to their own system.
2. Do you have a communication plan?
Patients realized the doctor would not see them when they arrived at the clinic and saw the “closed” sign hanging in the front window. It wasn’t an ideal way to communicate, but after an incident, it’s how the clinic informed patients their appointments were canceled.
You can avoid this by setting out right now how you’ll tell employees, clients, and partners that your systems are down or the office is closed due to an emergency.
3. Who can talk to reporters?
Cyberbreaches are front-page news. The media will call. After one breach, we watched as reporters waited for employees to leave the building. Every person who was stopped by a journalist gave a different version of what happened. The employees weren’t trying to be evasive; they all had a different understanding of how the breach occurred. Unfortunately, that’s not how it looked when the story hit the news. It looked like the business had something to hide. Limit who can talk to the press, and always present the same set of facts.
4. What are your employees doing with their devices?
Smartphones are minicomputers we take everywhere. They’re typically less secure than laptops, making your employees’ phones a prime target for cyberattacks. Apps your employees download can carry viruses and malware. Once it’s on their phone, it can spread. If an employee checks their business email from their phone (and who doesn’t?), the virus can wind up on your network.
Set policies around what they can and cannot do with work-issued laptops, phones, and tablets. At DiamondIT, we do not allow employees to access company data from their personal devices.
5. Will you get assistance paying for a breach?
A few years ago, a nonprofit shared with us that they received $50,000 to offset costs from a cyberattack, including downtime and unrecoverable software and data. It came from a cyber insurance policy they paid $2,500 for. Admittedly, policy costs have increased. But cyber insurance policies remain the best financial safety net you can find.
Tip: Carefully check your coverage
If you’ve attended any of our cybersecurity events with insurance expert Howard Miller, you’ve heard him warn that insurers are looking for reasons not to pay.
Miller has seen this unfold numerous times. In one instance, a bank was denied coverage because one machine didn’t have the full level of protection required by the bank’s agreement with their insurer.
6. Who you gonna call?
As charming as Bill Murray can be, the Ghostbusters shouldn’t be the first team you call when you discover a cyber breach. You don’t call your IT support team first, either. Your first step is to contact law enforcement and your cyber insurance company.
7. Do you set and forget?
Policies and procedures don’t always keep pace with changes. The shift to remote work is a perfect example. In the chaos of lockdown orders and setting up remote workers, few businesses had a spare moment to sit down and rewrite policies to reflect their new way of working. Make it so you can’t forget to do this by scheduling periodic reviews with your IT consulting team. Choose a frequency that makes sense for your organization, at least once a year. Make it easy to remember by doing it in October, which is Cybersecurity Awareness Month.
8. Who is on your team?
Remember the guy who didn’t want to hand over the usernames and passwords? Would you want him on your IT support team? Probably not. Don’t wait until a crisis hits to discover if your provider has your back.
9. When was the last time you updated hardware and software?
You jeopardize your network security when you run unsupported or outdated versions of hardware and software. When a system is no longer supported, the vendor stops releasing security updates, so any machine running that software stays exposed to whatever flaw cybercriminals discover next. Outdated versions of supported software are just as easy to break into because, again, you’re missing the critical security patches the vendor has already released.
Pro cybersecurity tip: Turn on auto-updates and patching so you don’t have to think about it.
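One concrete way to verify the tip above on a Debian or Ubuntu server, as an added example that is not DiamondIT’s code: the script below reads an APT periodic configuration file (on a live host that is normally /etc/apt/apt.conf.d/20auto-upgrades) and reports whether unattended upgrades are actually switched on, rather than merely having package lists refreshed. The two sample files it creates are constructed for the example and show the weak setting beside the corrected one.

```shell
#!/bin/sh
# Added example, not the original page's code: audit whether APT automatic
# updates are enabled on a Debian/Ubuntu host. The real file to audit is
# usually /etc/apt/apt.conf.d/20auto-upgrades; here we use constructed samples.

# Print the numeric value of an APT::Periodic key from a config file,
# or nothing if the key is absent. $1 = file, $2 = key name.
apt_periodic_value() {
    sed -n "s/^APT::Periodic::$2 \"\([0-9]*\)\";.*/\1/p" "$1" | tail -n 1
}

# Succeeds (exit 0) only when package lists are refreshed AND unattended
# upgrades run at least daily; a missing key counts as "0" (off).
auto_updates_enabled() {
    upd=$(apt_periodic_value "$1" Update-Package-Lists)
    unatt=$(apt_periodic_value "$1" Unattended-Upgrade)
    [ "${upd:-0}" -ge 1 ] && [ "${unatt:-0}" -ge 1 ]
}

# Human-readable verdict for one config file.
report() {
    if auto_updates_enabled "$1"; then
        echo "$1: automatic security updates ON"
    else
        echo "$1: automatic security updates OFF - set APT::Periodic::Unattended-Upgrade \"1\";"
    fi
}

# Constructed sample: package lists refresh daily, but upgrades are never applied.
# This is the trap: "apt update" runs, so it looks maintained, yet nothing is patched.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "0";
EOF

# Constructed sample: the corrected setting, with downloads and cleanup enabled too.
FIXED_CONF=$(mktemp)
cat > "$FIXED_CONF" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
EOF

# Remove the sample files when the script exits.
trap 'rm -f "$WEAK_CONF" "$FIXED_CONF"' EXIT

report "$WEAK_CONF"
report "$FIXED_CONF"
```

To audit a real machine, call report /etc/apt/apt.conf.d/20auto-upgrades instead of the sample files. Note that this only checks the switch: an operating system release that has reached end of life receives no security updates at all, no matter how the setting reads, which is exactly the unsupported-software problem described above.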
10. Who does what, and when?
A plan no one knows about might as well not exist. Hold a company-wide meeting where you discuss what needs to happen before, during, and after a cyberattack. Go over responsibilities so everyone knows their role, what steps to take and, equally important, what they should not do.
11. Are incidents included in your budget?
The cyberattack odds are not ever in your favor. You have to repel every attempted attack. Cybercriminals only need to be successful once to cause serious damage, and they have a strong motivation to try until they do succeed: money. According to an analysis by Palo Alto Networks, the average ransomware payment in the first half of 2021 was $570,000. This was an increase of 82% since 2020. The numbers will only continue to climb.
While you should never pay the ransom, you should have a budget to remediate any incident that does happen.
12. What’s your game plan?
Cyberattacks aren’t the only threat to your organization. Wildfires, earthquakes, floods, the delete key – all can destroy your files and systems. A comprehensive incident response and disaster recovery plan provides protection against accidents, disasters and cyber villains.
Managing IT Security on Your Own Is a Disaster
Cybersecurity is complex and nuanced – it can’t be managed by IT generalists. Our clients rely on our security-focused IT consultants to assess their systems and create a plan that makes them safer and prepares them for any scenario.
43% of cyberattacks are aimed at small businesses.
Only 14% of businesses are prepared to defend themselves.
Are you sure you’re one of them?
Let’s Talk