November has arrived. For most people, this is marked by the air being a little crisper, the days a lot shorter, and pumpkin spice everywhere. For businesses, it also means planning and budgeting for the upcoming year. The strategic decisions made now will have a dramatic impact on the tactical options available in 2023, and if done right will set your business up for success in the coming year.
When deciding which IT area will best benefit your business in 2023, the top answer is security. When you consider how dependent modern businesses are on computing and then combine that with the increasing sophistication of cyberattacks, underfunding cybersecurity is a recipe for disaster. For companies that have already been investing in security, increases tend to be modest and targeted at specific areas of concern. Having a qualified expert assess your current security situation and recommend improvements is a great way to kick off an IT budget decision.
Unfortunately, far too many small businesses have been underfunding their security and lack the security features considered essential by both security experts and insurance companies.
The most common rationalizations include:
- “We’re too small for criminals to bother with.”
- “We’ve never had a problem before.”
- “We already use Microsoft Defender.”
“We’re Too Small!”
Barracuda Networks published a study earlier this year that revealed that employees at small businesses were 350% more likely to be targeted by cybercriminals than employees of large companies. Criminals have learned that small businesses often lack adequate security, and it’s easier and more profitable to launch many small attacks than one big attack.
“We’ve Never Had a Problem Before!”
According to a recent insurance company report, 23% of small businesses have been victims of a cyberattack within the past twelve months. The odds of going three or more years without an attack are vanishingly small. If you haven’t been attacked yet, unfortunately, it’s only a matter of time.
“We Just Use Microsoft Defender.”
A key benefit of Microsoft Defender has been that it is free and pre-installed on Windows PCs. Microsoft has continued investing to improve Microsoft Defender, and it now supports cloud-based malware detection, but protecting a business against today’s criminals requires more than just malware detection. As criminals have incorporated social engineering into their attacks, businesses must also deploy identity protection, multi-factor authentication, and other technologies to counter this threat. While it’s better than nothing, Microsoft Defender alone is not enough to protect your business.
The Consequences
The most visible consequences of underfunding security are the direct costs, including money stolen from bank accounts and money spent to recover data and restore operations. The median cost of a small business attack is around $25,000 but quickly rises to six figures for more severe attacks.
The secondary costs tend to be even more catastrophic. In addition to revenue lost during the attack itself, there are often compensation payments to customers and suppliers, reputational damage causing customers to flee to competitors, and even regulatory fines. It’s because of these unpredictable costs that 60% of small businesses will go out of business within six months of a cyberattack. That’s a staggering statistic. If you don’t want to be part of the 60%, your 2023 planning process is the all-important first step you can take. By choosing now to plan and budget to improve security in 2023, you’re taking concrete, proactive measures to protect your business against an inevitable cyberattack.
Here are the top three things we recommend you plan to implement or improve in 2023:
- Security awareness training.
- Multi-Factor Authentication (MFA) implementation.
- Endpoint Detection and Response (EDR) implementation.
Security Awareness Training
People continue to be the weakest link in cybersecurity, so money invested here goes a long way. High-quality security awareness training will teach employees about the latest threats and how to recognize the signs of an attempted attack.
They will also learn what steps to take once they spot a suspected attack. Effective security awareness training turns employees from security liabilities into security assets. This training should not be a one-time event. Content should be clear, concise, and updated regularly so employees feel they are learning something that will help them personally while not wasting their time. One goal is to create a security mindset in all employees, so they realize they are each responsible for the security of the business and are internally motivated to be conscious of security threats throughout the workday.
Multi-Factor Authentication Implementation
Implementing a quality MFA solution continues to be one of the most effective tools to improve the security of your company. As we’ve discussed in previous blog posts, not all MFA implementations are equal. You need to ensure your MFA solution protects against attacks that take advantage of inferior MFA configurations, such as allowing an unlimited number of MFA prompts to a user within a short period of time, or accepting an MFA approval that comes from a different location than the login attempt. Usually, this will require digging into the configuration settings, so you’ll want to have a skilled security expert involved to avoid leaving weaknesses in your defenses.
Linking back to training, it’s critical that your employees are aware of common methods attackers will use to circumvent MFA, including common MFA bombing techniques. Employees should understand that their actions are often more important in preventing security attacks than the security tools IT is using.
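The two weak configurations described above (too many MFA prompts in a short window, and an approval arriving from somewhere other than the login) are both visible in an identity provider's sign-in log. The script below is an added illustration, not code from the original post or from any MFA vendor: it runs two simple detection rules over a constructed set of sign-in events. The event fields, the location labels, and the thresholds (more than 3 pushes in 5 minutes) are assumptions chosen for the example; a real deployment would take these from the identity provider's export and tune the limits to its own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not from any real identity provider).
# Fields: ts (ISO 8601), user, event, and the coarse location the provider
# attached to the request. "alice" is a normal login; "bob" receives a burst
# of pushes and the final approval comes from a different location.
SAMPLE_EVENTS = [
    {"ts": "2022-11-07T09:00:00", "user": "alice", "event": "login_attempt", "location": "Denver"},
    {"ts": "2022-11-07T09:00:01", "user": "alice", "event": "mfa_push_sent", "location": "Denver"},
    {"ts": "2022-11-07T09:00:20", "user": "alice", "event": "mfa_approved", "location": "Denver"},
    {"ts": "2022-11-07T22:10:00", "user": "bob", "event": "login_attempt", "location": "Lagos"},
    {"ts": "2022-11-07T22:10:01", "user": "bob", "event": "mfa_push_sent", "location": "Lagos"},
    {"ts": "2022-11-07T22:10:30", "user": "bob", "event": "login_attempt", "location": "Lagos"},
    {"ts": "2022-11-07T22:10:31", "user": "bob", "event": "mfa_push_sent", "location": "Lagos"},
    {"ts": "2022-11-07T22:11:00", "user": "bob", "event": "login_attempt", "location": "Lagos"},
    {"ts": "2022-11-07T22:11:01", "user": "bob", "event": "mfa_push_sent", "location": "Lagos"},
    {"ts": "2022-11-07T22:11:20", "user": "bob", "event": "login_attempt", "location": "Lagos"},
    {"ts": "2022-11-07T22:11:21", "user": "bob", "event": "mfa_push_sent", "location": "Lagos"},
    {"ts": "2022-11-07T22:11:40", "user": "bob", "event": "mfa_approved", "location": "Chicago"},
]

# Assumed thresholds: more than PUSH_LIMIT pushes to one user inside PUSH_WINDOW
# is treated as a prompt-flooding attempt. Tune to your own environment.
PUSH_LIMIT = 3
PUSH_WINDOW = timedelta(minutes=5)


def parse(events):
    """Copy the raw events, convert timestamps, and return them in time order."""
    out = []
    for e in events:
        d = dict(e)
        d["ts"] = datetime.fromisoformat(e["ts"])
        out.append(d)
    return sorted(out, key=lambda d: d["ts"])


def detect_push_fatigue(events, limit=PUSH_LIMIT, window=PUSH_WINDOW):
    """Return users who received more than `limit` MFA pushes within `window`."""
    findings = set()
    pushes = defaultdict(list)  # user -> timestamps of pushes in the sliding window
    for e in parse(events):
        if e["event"] != "mfa_push_sent":
            continue
        recent = pushes[e["user"]]
        recent.append(e["ts"])
        # discard pushes that have fallen out of the window
        while recent and e["ts"] - recent[0] > window:
            recent.pop(0)
        if len(recent) > limit:
            findings.add(e["user"])
    return sorted(findings)


def detect_location_mismatch(events):
    """Return (user, login_location, approval_location) for approvals whose
    location differs from that user's most recent login attempt."""
    findings = []
    last_login_location = {}
    for e in parse(events):
        if e["event"] == "login_attempt":
            last_login_location[e["user"]] = e["location"]
        elif e["event"] == "mfa_approved":
            login_loc = last_login_location.get(e["user"])
            if login_loc is not None and login_loc != e["location"]:
                findings.append((e["user"], login_loc, e["location"]))
    return findings


if __name__ == "__main__":
    print("push fatigue:", detect_push_fatigue(SAMPLE_EVENTS))
    print("location mismatch:", detect_location_mismatch(SAMPLE_EVENTS))
```

Both rules are deliberately conservative: the push-fatigue rule only counts prompts actually sent, so an MFA product that rate-limits prompts at the source will simply never trigger it, and the location rule compares against the most recent login attempt rather than an account-wide "home" location, so travel does not produce false positives by itself. Either finding is a reason to review the configuration settings mentioned above, not proof of compromise.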
Implement Endpoint Detection & Response (EDR)
EDR systems have become an essential tool in IT infrastructure. By monitoring each device (endpoint) and logging key actions, EDR builds a database of IT events within your organization that can then be mined for information. The tool can automatically look for patterns that would indicate an attack is being attempted, either on one device alone or across many different devices simultaneously. The software can then send an alert to IT or, in some cases, take automatic action to limit the attack until IT has a chance to respond. Security experts can also use the database after an attack to investigate how the attack started, understand the extent of the damage, and determine how to better defend against future attempts.
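To make the "database of events that can be mined" idea concrete, here is an added example that is not code from the original post or from any EDR product. It loads a small, constructed set of endpoint telemetry into an in-memory SQLite table and runs two rules of the kind the paragraph describes: one that looks at a single device (repeated failed logons for one account on one host) and one that only becomes visible across the fleet (the same new service appearing on several hosts within minutes). The event fields, host names, service names and thresholds are all assumptions made for the example.

```python
import sqlite3
from datetime import datetime

# Constructed endpoint telemetry (not from any real EDR). Each row is
# (ts, host, event, detail). ws-01 shows a burst of failed logons for one
# account; "updsvc" is installed on three hosts within a few minutes, which a
# per-device view would never flag.
SAMPLE_TELEMETRY = [
    ("2022-11-08T03:00:05", "ws-01", "failed_logon", "jsmith"),
    ("2022-11-08T03:00:09", "ws-01", "failed_logon", "jsmith"),
    ("2022-11-08T03:00:14", "ws-01", "failed_logon", "jsmith"),
    ("2022-11-08T03:00:18", "ws-01", "failed_logon", "jsmith"),
    ("2022-11-08T03:00:22", "ws-01", "failed_logon", "jsmith"),
    ("2022-11-08T03:00:40", "ws-01", "failed_logon", "jsmith"),
    ("2022-11-08T03:05:00", "ws-01", "service_installed", "updsvc"),
    ("2022-11-08T03:06:10", "ws-02", "service_installed", "updsvc"),
    ("2022-11-08T03:07:45", "ws-07", "service_installed", "updsvc"),
    ("2022-11-08T09:12:00", "ws-03", "failed_logon", "mlee"),
    ("2022-11-08T09:30:00", "ws-04", "service_installed", "printspool"),
]


def load(events):
    """Build the event database the rules query (in-memory for the example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE telemetry (ts TEXT, host TEXT, event TEXT, detail TEXT)")
    conn.executemany("INSERT INTO telemetry VALUES (?, ?, ?, ?)", events)
    conn.commit()
    return conn


def single_host_bruteforce(conn, threshold=5, window_seconds=120):
    """Rule 1 (one device): at least `threshold` failed logons for the same
    account on the same host inside `window_seconds`. Returns (host, account)."""
    rows = conn.execute(
        "SELECT ts, host, detail FROM telemetry WHERE event = 'failed_logon' "
        "ORDER BY host, detail, ts"
    ).fetchall()
    hits = set()
    key, recent = None, []  # sliding window of timestamps per (host, account)
    for ts, host, account in rows:
        t = datetime.fromisoformat(ts)
        if (host, account) != key:
            key, recent = (host, account), []
        recent.append(t)
        while (t - recent[0]).total_seconds() > window_seconds:
            recent.pop(0)
        if len(recent) >= threshold:
            hits.add(key)
    return sorted(hits)


def fleet_wide_service(conn, min_hosts=3, window_minutes=10):
    """Rule 2 (across devices): the same service name installed on at least
    `min_hosts` distinct hosts, first-to-last within `window_minutes`.
    Returns (service_name, host_count)."""
    # julianday() yields fractional days; multiply by 1440 to compare in minutes.
    rows = conn.execute(
        """
        SELECT detail, COUNT(DISTINCT host)
        FROM telemetry
        WHERE event = 'service_installed'
        GROUP BY detail
        HAVING COUNT(DISTINCT host) >= ?
           AND (julianday(MAX(ts)) - julianday(MIN(ts))) * 1440 <= ?
        """,
        (min_hosts, window_minutes),
    ).fetchall()
    return [(name, count) for name, count in rows]


if __name__ == "__main__":
    db = load(SAMPLE_TELEMETRY)
    print("single-host rule:", single_host_bruteforce(db))
    print("fleet-wide rule:", fleet_wide_service(db))
```

The second rule is the one that justifies central collection: each of the three hosts saw exactly one service install, which is unremarkable on its own, and only the shared database reveals the pattern. The same table also supports the after-the-fact investigation the paragraph mentions, since an analyst can query backwards from the first flagged event to see what preceded it on each host.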
Effective Planning & Budgeting
It may sound trite, but whatever your security budget was for 2022, it needs to be larger in 2023. That can be tough even in the best of times, and even more so in the economically uncertain times we’re in now. One thing that is certain is that cybercriminals will not suffer from a recession. Their attacks will increase, and the damage they inflict on businesses already struggling from a soft economy will be even more severe. With 60% of small businesses closing their doors within six months of an attack, now is the time to position your company to avoid or minimize potentially company-ending cyberattacks in 2023. It may require tough budgetary tradeoffs, but increasing your 2023 security budget is the most important step you can take to ensure your company will still be around in 12 months for the next planning cycle.