A recent study conducted by the cybersecurity company Kaspersky Lab found that the average cost of an enterprise data breach was approximately $1.23 million. That number is a staggering 24% higher than last year’s average of $992,000.
For small to medium-sized businesses (SMBs), the cost of a security incident rose from $88,000 to $120,000. Security incidents related to third-party IT infrastructure cost SMBs about $179,000. When it came to enterprises, third-party IT infrastructure costs rose to $1.47 million.
Ransomware attacks like WannaCry and ExPetr (also known as NotPetya) confirmed that no one is safe from a security incident. At the same time, we also have to accept the fact that the costs associated with security incidents (loss of revenue, damage to brand reputation and credit rating, insurance costs, IT upgrades, and staff training) will keep rising.
As cyber attacks have the potential to bankrupt a business, companies have increased their cybersecurity spending with enterprises forking out as much as $8.9 million and SMBs spending about $246,000.
If you look at it on a national level, cyber attacks cost the U.S. economy between $57 billion and $109 billion in 2016. That is approximately 0.3% to 0.6% of the country's gross domestic product.
With the costs of cybersecurity incidents rising sharply year over year, what can businesses do to protect themselves? Let's take a look.
Get Cyber Liability Insurance
Cyber liability insurance will become the norm going forward because the costs associated with a data breach are on the rise and not getting insured can have catastrophic consequences (especially for SMBs).
It’s also just like any other insurance policy. If you want to get insured, certain conditions have to be met.
So what are the most common conditions that have to be met?
At its most basic, cyber liability insurance will demand that you hold people accountable (for doing their job properly), weed out inadequate third-party vendors, conduct security audits, set up firewalls (and other security tools), and follow cybersecurity best practices.
When your company is insured, you have a funded path (up to the policy limits) to maintain business continuity in the event of a data breach. Depending on the policy, this can remain true even if your partners fail to hold up their end of the deal when it comes to security, so check whether third-party failures are covered before you rely on that.
When you go above and beyond to meet the requirements set by the insurance company, your premiums may also be lower. At some point, you can expect cyber insurance companies to start monitoring the perimeter security of their clients to ensure good cyber hygiene.
Engage in White Hat Cybersecurity Testing
White hat cybersecurity testing is ethical hacking: you commission penetration testers to attack your systems the way a malicious actor would, so that you can fix what they find before a real attacker exploits it.
However, this is a bit tricky because you will have to employ the right people with the skills to actually breach the system. Sometimes these individuals will be reformed black hat hackers who are trying to do some good.
As a result, businesses need to take several steps to protect themselves. For example, whether you work with a third-party provider or individuals, check their credibility. Make sure that they come with references from trusted peers.
Even if you are working with a reputable third party, it will also help to run a background check on the individuals who will actually be attempting to hack your system. If someone has a criminal history, discuss it both internally and with the provider before making an informed decision.
Once you hire white hat hackers, make sure that they sign a confidentiality agreement and an engagement letter. Under the confidentiality agreement they may not share any information gathered during the testing cycle (and make sure that you explicitly specify the penalties for violations).
The engagement letter, on the other hand, defines the terms of the engagement, prohibits illegal conduct, and addresses liability. It must also define the scope: which data, information systems, and networks may be accessed during the test, from where, and during which time window.
During the exercise, monitor the testers' activity (and watch for lingering access afterwards) so that you can confirm nothing suspicious is going on and that they remain within the scope of work defined in the engagement letter.
This also means that the engagement letter has to be amended whenever the scope of the project changes. It is worth confirming with your cyber liability insurance provider that authorised penetration testing is recognised under the policy, so that the test itself does not become an uncovered event.
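The scope definition in the engagement letter and the monitoring of the testers' activity, described above, only work together if the scope is written down precisely enough to be checked mechanically. The following is an added example (not code from the original post) that transcribes a hypothetical scope into data and runs it over a few constructed firewall log lines: the tester source address, the in-scope and excluded hosts (all from RFC 5737 documentation ranges), the testing window and the log format are assumptions for illustration.

```python
"""Check a penetration tester's observed activity against the agreed scope.

Added example, not from the original post. Addresses, time window and log
format are hypothetical; the log lines are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Scope as transcribed from a (hypothetical) engagement letter.
SCOPE = {
    "tester_sources": ["203.0.113.10"],        # addresses the testers will come from
    "in_scope_networks": ["192.0.2.0/24"],     # networks they are allowed to touch
    "in_scope_hosts": ["198.51.100.40"],       # single hosts outside those networks
    "excluded_hosts": ["192.0.2.250"],         # carved out, e.g. the production database
    "window_start": "2023-04-10T09:00:00+00:00",
    "window_end": "2023-04-10T17:00:00+00:00",
}

# Constructed firewall log: "<ISO timestamp> <src> <dst> <dst port>" per line.
SAMPLE_LOG = """\
2023-04-10T10:15:02+00:00 203.0.113.10 192.0.2.15 443
2023-04-10T10:16:40+00:00 203.0.113.10 192.0.2.250 5432
2023-04-10T11:02:11+00:00 203.0.113.10 198.51.100.40 22
2023-04-10T11:30:00+00:00 203.0.113.10 198.51.100.99 80
2023-04-10T18:45:13+00:00 203.0.113.10 192.0.2.15 443
2023-04-10T12:00:00+00:00 10.20.30.40 192.0.2.15 443
"""


@dataclass
class CompiledScope:
    sources: set
    networks: list
    hosts: set
    excluded: set
    start: datetime
    end: datetime


@dataclass
class Event:
    raw: str
    when: datetime
    src: ipaddress._BaseAddress
    dst: ipaddress._BaseAddress
    port: int


def compile_scope(scope: dict) -> CompiledScope:
    """Turn the textual scope into address objects so membership tests are exact."""
    return CompiledScope(
        sources={ipaddress.ip_address(s) for s in scope["tester_sources"]},
        networks=[ipaddress.ip_network(n) for n in scope["in_scope_networks"]],
        hosts={ipaddress.ip_address(h) for h in scope["in_scope_hosts"]},
        excluded={ipaddress.ip_address(h) for h in scope["excluded_hosts"]},
        start=datetime.fromisoformat(scope["window_start"]),
        end=datetime.fromisoformat(scope["window_end"]),
    )


def parse_log(text: str) -> List[Event]:
    """Parse the simple four-field log format into Event records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, port = line.split()
        events.append(Event(line, datetime.fromisoformat(ts),
                            ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)))
    return events


def classify(event: Event, scope: CompiledScope) -> Optional[str]:
    """Return None if a tester event is within scope, otherwise the reason it is not."""
    if not (scope.start <= event.when <= scope.end):
        return "outside testing window"
    if event.dst in scope.excluded:            # exclusions win over network membership
        return "destination explicitly excluded"
    if event.dst in scope.hosts or any(event.dst in net for net in scope.networks):
        return None
    return "destination not in scope"


def find_violations(log_text: str, scope: dict) -> List[Tuple[str, str]]:
    """Return (log line, reason) for every tester event that falls outside scope."""
    compiled = compile_scope(scope)
    findings = []
    for ev in parse_log(log_text):
        if ev.src not in compiled.sources:
            continue                             # not the testers' traffic; other controls cover it
        reason = classify(ev, compiled)
        if reason:
            findings.append((ev.raw, reason))
    return findings


if __name__ == "__main__":
    for raw, reason in find_violations(SAMPLE_LOG, SCOPE):
        print(f"OUT OF SCOPE ({reason}): {raw}")
```

In the constructed log, the connection to the excluded database host, the probe of a host that is not in the letter at all, and the after-hours connection are flagged; the in-scope connections and the unrelated internal source are not. Exclusions are checked before network membership so that a carve-out inside an in-scope range is honoured, which is the case most often missed when scope is checked by eye.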
Your business can also do a lot more to maintain robust cybersecurity; find out more in my previous post on cybersecurity.