As the world continues to become more interconnected online, cybercrime is at an all-time high. More than 2,200 cyber attacks happen per day in the US, according to research by Astra Security, with a single data breach costing an average of $9.4 million. In 2022 alone, cybercrimes cost $6 trillion in total damages. Cybercrime is predicted to cost $8 trillion by 2023, and increase to $10.5 trillion by 2025, according to Cybersecurity Ventures.
More specifically, small businesses account for 43% of cyber attacks annually. On average, small and medium-sized businesses lose $25,000 due to cyber attacks. In 2020, small businesses faced more than 700,000 attacks, which caused a total of $2.8 billion in damages.
“As more and more of our infrastructure and business processes rely on computing and Internet of Things devices, the threats continue to grow,” says Doug Vargo, vice president and emerging technologies practice lead for CGI. “As we keep adding technology to our solutions, we expand the footprint of available attack surfaces. This will only continue to get worse as technology adoption continues to grow.”
Vargo says the biggest change from five years ago is the increased adoption of working from home. “This adds to the complexity of security due to having to secure more connections to main business processes,” he says.
Cynthia Hetherington, founder and CEO of Hetherington Group, says that companies ill-prepared to manage a remote workforce, whether through policy, technology best practices or both, are leaving themselves open to attack.
“Attack vectors disrupt with more than a simple power outage; client data is lost, customer confidence is lost and reputational damage to the company could be long lasting,” she says.
Vargo says the biggest cyber threat of all has remained the same since cybercrime began: people.
“You can apply all of the security appliances and policies available, and any person or user of the system can still make a mistake and open the door to cyber attacks,” he says.
“The pervasive problem of yesteryear continues to be the problem of today, and that is the ill-informed, uneducated or distracted user,” Hetherington adds. “Simple threats that are a mouse click away have gotten more sophisticated, but it still takes a user to click on a link they haven’t inspected first.”
She says that human reliance on all things data driven is ripe for misinformation and disinformation generated expertly by adversaries behind Artificial Intelligence (AI) driven bots, which can create vulnerabilities even for sophisticated users.
“The users aren’t stupid, but the threats are getting more sophisticated. We need to treat anything related to the internet like it’s a live grenade,” Hetherington says.
According to the World Economic Forum, 95% of cybersecurity breaches are attributed to human error.
“All the virus software in the world isn’t going to stop you from opening an email you think is from your boss or your mom … nor clicking on a link that you truly believe is from your bank,” Hetherington adds. “Our country’s enemy is no longer a missile strike away, it’s a mouse click away, and it’s not being delivered to our government heads of state, it’s on your kid’s cellphone.”
While the threats are becoming increasingly sophisticated, this raises the question of whether the technologies meant to prevent cyber attacks can keep pace. The answer? Just barely, according to Vargo, who says that at this point, we have no choice but to be reactive to cyber attacks.
“Unfortunately in cybersecurity, the defense is always behind. It is just a matter of how quickly we can catch up,” says Jeremy Pogue, director of security services for Integris.
“When bad actors find a new way to attack, we identify the threat, analyze it, then build a solution to prevent or repair damages from the attack,” Vargo explains. “Hopefully, with the latest advances in Large Language Models and smarter interpretation of human requests, we can see advancements soon on how to use this to achieve predictive analytics that can help us identify solutions to potential problems.”
The challenge will still be to stay ahead of the bad actors, but this will give a greater chance of identifying potential threat vectors faster, he says.
Hetherington adds that while technology has certainly improved over the past decade, the reliance on social media, email and other open systems requires a trusted state by the user, thereby making it impossible to 100% block cyber threats.
With human error being such a major factor in cybersecurity, diligence is the key to prevention. However, there are some best practices that businesses can use to better position themselves to be protected.
Pogue says that, aside from user training, having even one layer of backend protection is still beneficial, especially given how many companies don’t implement any such defenses.
“It is a path-of-least-resistance situation if I am an attacker. The difference between 12 and 15 layers of protection is a small percentage of improvement, whereas going from zero to one layer of protection is a 100% improvement. Adding in simple protections like email filtering, antivirus and web filtering can go a long way, even if you don’t have huge multi-layer protections like larger companies,” he says.
Additionally, Vargo suggests speaking with security consultants or hiring a security engineer if you are large enough to support one.
“A thorough risk analysis should be completed to determine your [business’s] weakest points and threats,” he says. “From there, companies have the ability to assess risks and determine if they should implement solutions, or accept those risks as a part of doing business. The main goal is to know your risks and attack surfaces so that you can make better decisions.”
Hetherington adds that small companies need to ensure that they have a solid practitioner in information technology in their company, or on call.
“This practitioner is going to stay abreast of the latest threats to networks and the connected world,” she explains. “This specialist will advise on policy and best practices and will help guide the company through the future challenges that each year brings. Or, in the event of a breach, they will be sharp enough to advise the company on how to minimize the damage.”
There is no getting around the fact that in today’s world, cyber threats are pervasive. Ultimately, being aware that these threats exist and being proactive in educating your employees will go a long way. There are also additional resources that can help businesses fight to protect themselves. For example, agencies such as the Small Business Administration, NJ Small Business Development Centers and the New Jersey Cybersecurity and Communications Integration Cell offer programs, analysis and information related to cybersecurity.