Ransomware groups and other cyber threat actors are moving beyond 'big-game hunting' to target midsize and early-stage companies, particularly those that have recently received venture capital or corporate capital investment, or been acquired by private equity firms or corporates.
This is because portfolio companies make attractive targets: they often have poor cyber hygiene, and their backers, anxious to preserve the value of their investment, have well-publicised access to funds that could be used for ransom payments.
The severe financial, operational and reputation impacts of a major cyberattack present an existential threat to midsize and early-stage companies. Establishing the right cyber security measures from an early stage, and reassessing these as your business changes, may be the thing that ensures its very survival. These measures also don’t need to break the bank.
Below is a checklist of key items to help uplift your organisation's cyber readiness (ie its preparedness for a cyberattack) and resilience (ie its ability to withstand and recover from a cyberattack).
Define your cyber risk appetite, understand your cyber risk profile and develop an uplift roadmap to align the two
Every business is different and not all risks need to (or can) be immediately addressed.
- Start with a clear understanding of the organisation's risk appetite, and an assessment of the cyber risks and threats facing the organisation.
- Next, consider your organisation's vulnerabilities. What systems does your business use? What type of data does it hold? How critical are these systems and data to business continuity? Which systems are exposed to the public internet? How many endpoints does your business currently have, and how are they protected? Which staff members have access to key systems and data right now, and do all of them need that access to do their jobs?
- Then, develop a documented information security program or roadmap that outlines the steps your business needs to take in order to address the identified risks, and ensure that the cyber risk appetite and risk profile are aligned.
Develop a cyber incident response plan … and test it
Your organisation should have mechanisms in place to detect and respond to information security incidents, and a cyber incident response plan to help manage all stages of an incident, from detection to response, recovery and post-incident review. Your plan should:
- identify key contacts for escalation within the business, as well as external forensic, legal and communications breach response experts;
- define the key roles in the event of a cyber incident, so that the incident response team know what to do if they become aware of an actual or suspected cyber incident;
- outline steps to be taken in relation to particular types of cyber incidents (eg ransomware / cyber extortion or a supply chain attack);
- outline the triggers and requirements in relation to applicable mandatory reporting regimes;
- be accessible even during a systems interruption; and
- be tested and reviewed to ensure that it remains fit for purpose as the organisation is scaled and as the threat environment evolves. Ideally, this should include a simulation to ensure the cyber incident response plan works in practice. If you do suffer a cyber incident, you should also review your plans as part of your remediation efforts, to understand how they held up under pressure and where you may need to make changes. Evolving industry guidance suggests that good practice is to run cyber simulation testing at least twice a year, using different scenarios, supported by focused desktop training sessions throughout the year (although critical infrastructure entities, or those at higher risk due to the nature of their industry, operations or the data they hold, should look to run simulations on a quarterly basis).
Implement critical cyber defences
Some of the most important security measures to take, no matter how early your business is in its lifecycle, are:
- enabling multi-factor authentication for all staff and requiring strong passwords with pre-set renewal periods;
- prioritising security from the beginning when developing or procuring your IT systems;
- keeping up to date with your system patches and updates;
- maintaining updated logging and detection systems;
- ensuring staff only have the access privileges they need to perform their role;
- implementing a data retention and deletion policy, so you are not storing information for longer than necessary; and
- ensuring you regularly take the right backups and store them properly.
Introduce a cyber training program for staff
Many of the most common threats businesses face, such as phishing attacks, target employees directly, so an informed and empowered team is a critical defence. Early detection and escalation (facilitated by a 'no-blame culture') and fast containment are key to mitigating the potential fallout for the business. Your organisation should:
- implement regular cyber security training (including phishing exercises) for all staff;
- run simulations for the incident response team and management, to identify areas where you may need to bolster the training program and other systems and controls; and
- create an open environment where staff feel comfortable speaking up about IT concerns or potential incidents, and know exactly where to direct these reports.
To find out more about cyber risks and how to address them, feel free to contact our cyber experts below.