By Russ Reeder, CEO, Netrix Global
Ensuring 100% prevention against all cyberattacks is impossible today, as modern perpetrators find more sophisticated ways to strike by the minute. A strategy focusing on protection and recovery over prevention is much more realistic and attainable.
However, the private sector is in an alarmingly unprepared state of general readiness to repel cyberattacks. Small and midsized businesses are especially vulnerable due to budget and hiring challenges.
To bring attention to the lack of general readiness, President Biden issued an executive order earlier this year regarding improving the nation’s cybersecurity. His order, in part, stated: “The private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government.” The executive order established a U.S. Cyber Safety Review Board that will include private-sector organization representatives.
A few stats that speak to this challenge:
- Half of U.S. businesses remain without a cybersecurity risk plan.
- Attacks on business emails have resulted in a loss of $43 billion since 2016, according to FBI data released in May.
- Cyberattacks and data breaches mushroomed by 15.1% last year compared to 2020.
- Company networks are so vulnerable that cyberattacks may breach 93% of them.
- A ThoughtLab report published earlier this year found that 39% of CEOs said their budgets are inadequate “to ensure cybersecurity.”
A cyber-defense security strategy should encompass the proactive and operational security of digital channels, data and personally identifiable information (PII). It also should include a regularly tested crisis plan that outlines action steps and reduces confusion when an incident occurs, enabling a fluid response.
Trusted partner advantages
The most cost-effective and efficient cyber-defense strategy for a majority of businesses is to work with a trusted partner. A trusted partner supplying such services will prepare companies for a future that promises larger security attack vectors and impacts. Artificial intelligence will feature more prominently in cybersecurity offense and defense during the coming months and years.
Top-notch cybersecurity service providers are those that offer the ability to continue to operate with confidence within this evolving dynamic. They are domain experts that should monitor the landscape for industry trends and emerging threats. These providers train like they fight — constantly testing and validating tools — ensuring your company is prepared for future threats.
Outsourcing risk identification and remediation provides protection to businesses without the resources to build the necessary cybersecurity infrastructure, and can help companies save up to 50% on monitoring costs. These savings will vary from company to company. However, they ultimately pale in comparison to the cost of not investing in cybersecurity at all, then being exposed to an attack that could tank a business.
Working with a trusted partner is particularly helpful in today’s uncertain macroeconomic environment, when many companies are taking a conservative approach to hiring full-time staff and are not even backfilling those who depart.
How to find the right cybersecurity service provider
Determining the appropriate company to serve as a service provider to any business partly rests upon that business’ own cybersecurity goals. Without such guiding principles, expenditures could quickly get out of hand, defeating one of the primary reasons to hire a managed security services company.
It’s important to ask specific questions when searching for the right cybersecurity partner for your business. This may include questions about a potential service provider’s expertise and experience in the field, as well as the team’s overall capabilities, respective vertical-industry knowledge and proven track record of success. A provider’s maturity will show in its understanding of the costs, effort and commitment required to create a functional cybersecurity program. The best candidates, too, will be sensitive to the hiring company’s concerns and focus on relationship building.
Smaller companies can find immediate benefits in forging relationships with a trusted managed service provider to handle cybersecurity, including access to best-practice tools and processes, along with seasoned experts in the field available for counsel. With an expert cybersecurity service provider at their side, smaller businesses can continue to focus on their core priorities rather than having to divert attention to cybersecurity challenges.
For larger companies, layering in the experience of a service provider might serve to augment solid existing processes, quickly filling in any gaps. Collaborating with a cybersecurity partner also provides checks and balances on the overall system, ensuring more than one set of eyes is assessing that system’s health.
Incident response plans
The U.S. Secret Service recently needed help with running a cyber incident response simulation for public and private corporations.
The exercise my colleagues and I did with them highlighted the importance of having a functional company incident response plan. At the highest of levels, this type of plan is akin to a cookbook. Setting out to make a meal — i.e., declare a cybersecurity incident — you do not make every recipe in the cookbook. Instead, you select the recipe appropriate to the specific meal.
A strong incident response plan defines what an incident is because this varies among organizations and industry verticals. It also assigns roles and responsibilities, describes the incident severity according to its business impact, defines categories and examples of common incidents, outlines an escalation process to engage senior leadership and provides flexible instructions that act as guiding principles for responders during an event.
Incident response plan teams should comprise decision makers and stakeholders throughout multiple levels of an organization. Team members should have an awareness of the risks and costs associated with disruptive events.
Proper communication
The Secret Service breach simulation illuminated a set of optimal communication steps in the wake of a breach:
- Contact the company’s bank and law enforcement.
- Gather as much information as possible.
- Be candid with employees regarding the breach: provide the facts collected, instruct all to change every password, share relevant links so employees may lock their credit and direct them to follow up with a credit protection agency.
- Ensure information sharing among the management teams of the breached company and that company’s cybersecurity provider, with CEOs of each contacting their respective boards as soon as possible.
- Work with legal counsel to comply with state and international notification protocols if PII is involved.
- Monitor press coverage to assess what requires a public statement, discussing the incident publicly only when relevant decision makers have reached consensus on the narrative.
Target’s 2013 data breach and Home Depot’s 2014 data breach are instructive in what to do, and what not to do, regarding communication following an incident.
A forensics firm Target hired to investigate its breach found that hackers stole information connected to roughly 40 million credit and debit card accounts. The perpetrators also obtained about 70 million Target customers’ personal information. Target became aware of the incident when U.S. Department of Justice officials alerted the company that stolen data was online and people had begun to report fraudulent credit card charges.
Home Depot’s breach resulted in hackers gaining access to roughly 40 million customers’ payment card data. The company also said the cyberattack exposed the email addresses of at least 52 million.
Target initially denied many of the breach claims, and pushed a message that conveyed there was “nothing to see here.” That only fanned the flames of public unrest once the breach realities became undeniable.
Home Depot, in contrast, swiftly publicly acknowledged the breach, explained their action plan and executed a process that felt competent.
Both companies endured negative consequences. Target’s chief information officer resigned in March 2014, and its CEO resigned in May 2014. Target reported in 2016 that its breach cost $291 million. The company settled with 47 states and the District of Columbia for $18.5 million in 2017.
Home Depot in 2020 reached a $17.5 million settlement after a multistate investigation into its incident. The company said the breach cost the company $198 million.
Public perception of the two companies was and remains different, however, due to the differences in the communication strategies Target and Home Depot deployed.
We don’t know whether Home Depot had a comprehensive incident response plan in place and then executed it. But its transparency and structured, effective communication regarding the breach paid off.
Defending for the future
Outsourcing cybersecurity also can help address three key areas of apprehension executives identified in ThoughtLab’s 2022 report: keeping up with digital transformation, keeping up with new technologies and finding qualified employees.
Companies that decide to collaborate with a business possessing cybersecurity expertise will receive assistance in many areas they cannot develop independently. Those include pen testing; chief information security officer consulting; best-practice security tool implementation; and incident detection, response, containment, forensics, recovery, remediation, postmortem analysis and overall plan improvement.
About the Author
Russ Reeder is the CEO of Netrix Global. Russ’ 25-year background in technology spans from early-stage startups to Fortune 500 giants such as Oracle. He has a wealth of experience leading teams, delivering value to shareholders, driving technological advancement, and scaling organizations—and he has been invited to speak on these topics by major news media outlets and at leading industry conferences. Prior to being appointed CEO at Netrix Global, Russ was the Executive Chairman of the company’s Board of Directors in conjunction with a successful run as CEO of Infrascale, a cloud-based data protection, backup, and disaster recovery solution provider. Russ served as President and CEO of the U.S. business of OVHcloud, a cloud service provider based in France, where he oversaw the acquisition and integration of vCloud Air from VMware in 2017. Before OVHcloud, Russ was a member of the Executive Leadership Team at GoDaddy, following the company’s 2013 acquisition of Media Temple, where he had served as President and COO. He is currently on the Board of Directors of the Children’s Science Center of Northern Virginia and the Advisory Board at Virtru, a global data encryption and digital privacy provider. Russ graduated with a B.S. in Computer Information Systems from James Madison University, where he remains an active alumnus and Chairman of the Advisory Council for the Madison Center for Civic Engagement.
Read about his leadership philosophy on his blog, https://russreeder.com, and learn more about Netrix Global at netrixglobal.com.