If you’re a business leader and you’re not losing sleep over cybersecurity, you’re not paying attention. From the Colonial Pipeline hack to the JBS supply chain fiasco, high-profile cases are a dime a dozen. The latest T-Mobile hack is the company’s sixth known breach in four years (and the worst one yet).
Then there’s the silent majority of businesses that suffer under the radar. A recent survey found that 51% of businesses were hit by ransomware alone in 2020, with an average ransom demand of $178,000. An often-repeated estimate holds that 60% of small businesses shut down within six months of a significant cyberattack.
“As every business becomes more networked, the risks are increasing. It used to be easier to keep the ‘bad guys’ out, but now with threats from every direction, no one is safe,” says The HT Group Director of Consulting Services Sam Wood. “It doesn’t take a sophisticated attack to cause problems, either. For example, one staffer clicking on a phishing link in an email can send an entire organization spiraling.”
He calls out several sectors as examples:
Oil And Gas
The Colonial Pipeline attack was a wake-up call: the attackers got into Colonial’s IT network through a dormant VPN account protected by a single compromised password and no multifactor authentication, and the company shut down the pipeline itself as a precaution. Still, it was only one in a series of attacks on an industry whose critical infrastructure is now highly digitally connected. “The new wave of digital solutions integrates operational technology (OT) and information technology (IT), leveraging the power of emerging technologies (e.g., automation and artificial intelligence), to help the oil and gas industry innovate for the energy transition. This shift exposes critical infrastructure and entire supply chains to cyber risks, making cybersecurity a core requirement of the business model,” the World Economic Forum concludes in a recent paper.
Financial Services And Banking
J.P. Morgan Chase spends almost $600 million annually on cyberdefenses and considers cyberattacks “the biggest threat to the U.S. financial system.” It’s easy to understand how big banks become targets, but smaller financial services firms and banks are vulnerable, too. According to Boston Consulting Group, banking and financial institutions are 300 times more at risk of cyberattack than other companies. These numbers include community banks and other small- and medium-sized businesses.
Manufacturing And Logistics
In manufacturing and logistics, there are literally and figuratively many moving parts. More and more of these parts are interconnected and networked to the outside world, exposing them to cyberattacks. Cybercriminals are exploiting the fact that manufacturers, warehousing, and logistics companies are bringing more OT online. “But, there’s a problem,” IBM Security Intelligence points out. “Many OT assets aren’t equipped to defend against today’s threats. Some of those assets are decades-old legacy systems that use proprietary protocols to talk to one another.”
Healthcare
“Cyber risk is not new to the healthcare sector, but the risk of significant business disruptions and its recovery costs from cyberattacks are growing,” says Erik Kubinski, an executive advisor for CIOs and technology teams as part of The HT Group’s IT Advisory Services. With the healthcare sector under strain from the COVID-19 pandemic, cybercriminals are exploiting vulnerabilities with greater intensity. And it’s not just HIPAA-protected data at risk. The first death linked to ransomware was reported by a hospital in 2020: a patient who needed emergency care had to be diverted to another hospital because the attack had forced the ER to close. As the Brookings Institution explains, malicious actors compromise mission-critical healthcare infrastructure, from the automated refrigerators that store blood products for surgeries to the CT scanners used to triage trauma patients.
Building A Mitigation Plan
When it comes to a cyberattack that threatens business continuity, the question isn’t “if” but “when.” The best way forward, as with any business threat, is to plan for the worst and mitigate that threat as much as possible. Pam Matthews, an experienced cybersecurity architect and CISO executive advisor with The HT Group, recommends starting with simple, achievable steps. First, be on top of what needs to be done from a regulatory perspective.
“There’s a higher demand for digitally delivered patient info these days, which means HIPAA compliance is more critical than ever,” she offers as an example. “Checklists for compliance can offer a great place to start.”
Then, Matthews says, find an expert in the relevant framework to help you prioritize about five items to evaluate in an initial risk audit. Identify measurables that will help move the needle on your security efforts. “Building a security infrastructure can feel like an impossible task, so it’s important to build it with achievable steps. In other words, start with the low-hanging fruit,” she adds.
Building And Hiring Your Defenses
There are only a handful of organizations that can dump unlimited funds into thwarting cyberattacks. The rest of us must be more resourceful. Realistically, you can:
Seek incident management training. Matthews recommends considering a prepaid retainer engagement to prepare and train around security disasters. “Turn to advisors who have been there before and can pass on first-hand knowledge to best prepare your organization’s leadership to take action when an incident occurs,” she recommends.
Shore up employee and vendor vulnerabilities. Wood points out that employee and vendor weaknesses cannot be overlooked. By some estimates, about 90% of successful cyberattacks involve human error: leaving a laptop unlocked, clicking a suspicious link, and so on. When it comes to vendor risks, look to SolarWinds as an example. Attackers inserted malicious code into a routine update of SolarWinds’ Orion platform; because the update was built and signed by the vendor itself, it installed normally at roughly 18,000 customers and gave the attackers a foothold inside Microsoft, Intel, Cisco, the U.S. Treasury and the Department of Homeland Security, home of the agency tasked with protecting federal networks from attack. The lesson for vendor risk is that a valid vendor signature does not prove an update is safe, so vendor software needs the same network segmentation and least-privilege limits as any other untrusted component.
Hire IT professionals who know what they’re doing. Ransomware and many other hacks lose their power when IT teams lay a foundation of protection—from backup and disaster recovery measures to data security protection and employee monitoring and training. “There is a fast-growing dependency on complex and costly cybersecurity systems in both large and small healthcare systems and other vulnerable sectors. Hiring talent to design and support these systems should be a major factor in an organization’s strategic planning,” Kubinski says.
Consider whether it’s time for IT security leadership at the top. That can include hiring a fractional CISO or CRO, often one who reports to the CIO. The Wall Street Journal recently reported that “many companies that previously didn’t have chief information security officers have hired one in the past few years, driving the need for professionals with experience, technical skills and business knowledge.” But, WSJ adds, security leaders with these qualifications can be challenging to find, and their salaries are rising by the month. Starting with a fractional executive like those found through The HT Group can be a smart way to ramp up.
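The backup and disaster recovery point above only holds if the backup is intact when you need it, and a ransomware run that reaches the backup share will encrypt or delete files there too. As an added example (not The HT Group’s tooling or code from this article), the script below records a SHA-256 manifest of a backup set at backup time and later checks the stored or restored copy against it, reporting files that were modified, deleted or added. The directory layout, file names and the simulated attack are constructed for the demo.

```python
"""Backup integrity manifest: hash every file in a backup set, then verify a
restored (or still-mounted) copy against that manifest so files a ransomware
run has encrypted, deleted or dropped are reported before the backup is relied on.
Added example; not The HT Group's tooling."""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: str) -> dict:
    """Return {relative_posix_path: sha256_hex} for every regular file under root."""
    root_path = Path(root)
    manifest = {}
    for path in sorted(root_path.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256()
            with path.open("rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    digest.update(chunk)
            manifest[path.relative_to(root_path).as_posix()] = digest.hexdigest()
    return manifest


def verify_backup(manifest: dict, root: str) -> dict:
    """Compare the files under root against a trusted manifest (store the manifest
    off the backup host, or it can be tampered with alongside the data).
    Returns {"missing": [...], "modified": [...], "unexpected": [...], "ok": bool}."""
    current = build_manifest(root)
    missing = sorted(p for p in manifest if p not in current)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    unexpected = sorted(p for p in current if p not in manifest)
    return {
        "missing": missing,
        "modified": modified,
        "unexpected": unexpected,
        "ok": not (missing or modified or unexpected),
    }


def demo() -> dict:
    """Constructed scenario: take a manifest of a small backup set, then simulate a
    ransomware run that overwrites one file, deletes another and drops a ransom note."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "finance/ledger.csv": b"2021-06,payroll,178000\n",
            "hr/roster.txt": b"alice,bob,carol\n",
            "README.txt": b"quarterly backup set\n",
        }
        for rel, data in files.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        manifest = build_manifest(root)  # taken at backup time, kept off-box

        # Simulated attack (constructed): ciphertext replaces one file, one file is
        # deleted, and a ransom note appears in the backup tree.
        Path(root, "finance/ledger.csv").write_bytes(b"\x00\x13ENCRYPTED\x7f\xfe")
        Path(root, "hr/roster.txt").unlink()
        Path(root, "READ_ME_TO_RECOVER.txt").write_bytes(b"pay us\n")

        return verify_backup(manifest, root)


if __name__ == "__main__":
    report = demo()
    print("backup ok" if report["ok"] else f"backup compromised: {report}")
```

In practice, run build_manifest as the last step of each backup job and keep the manifest with an offline or immutable copy, then run verify_backup as part of every restore test; a report whose "ok" is false is the signal to fall back to an older backup set rather than restore encrypted files.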
Whatever your organization’s size or industry, cybercriminals will find you. As cyber risks continue to explode and evolve—including continued work-from-home for employees and the vulnerabilities it presents—your organization needs to be up to the challenge. Consider starting with:
- Security awareness training that’s timely, topical, and perpetual.
- A cybersecurity program review based on compliance frameworks and open standards.
- Staff augmentation and/or consulting using experienced subject matter experts.
We’re here to help with IT advisory services, fractional executives, and IT talent to help you mitigate the threats. The HT Group can also help you put a system in place with a consultant who can guide your efforts.
The HT Group fills roles in Temporary Staffing, Executive Search, Technical Recruiting, and Retained Search.