In 2022, the average cost of cybercrime has reached $4.35 million per organization, and the number of data breaches has climbed by 14%. But despite the rising frequency and impact of cyberattacks, many businesses still do not have a cybersecurity plan: as we will see, this is a catastrophic mistake, especially for small businesses and government contractors (GovCons).

In today’s connected world, businesses depend on information technology (IT) to store information, collaborate with clients and employees, reach new prospects and deliver services to their customers. Consequently, any risk to this connected infrastructure is also a risk to their bottom line and long-term resilience.

Faced with an evolving threat landscape that seems to worsen every year, today’s organizations not only need to invest in cybersecurity early: they also have to make it a core part of their strategy and business culture. In this article, we’ll explain why, and how to get started if you haven’t already.

The Modern Cyber Landscape

In order to understand the modern cyber landscape, we have to understand the motivation of cyber actors who are targeting businesses around the world. Cyber actors roughly belong in three main categories:

• Malice-driven – malice driven cyber actors seek to damage a business out of spite. They may include disgruntled ex-employees, unscrupulous competitors or activists who oppose the organization’s mission.
• Profit-driven – profit-driven cyber actors are not primarily interested in hurting a business, but obtaining materials and access that they can use to make a profit.
• Nation-state actors – nation-state actors are cyber actors affiliated with a foreign government who target organizations with primarily political goals. With mounting geopolitical tensions around the world, GovCons and federal agencies in the U.S are at constant risk of politically motivated cyberattacks.

But while different groups of cyber actors have different end goals, all can achieve those goals in the same way: by stealing information. Every business collects valuable data, from personal information about their customers and employees to controlled unclassified information (CUI) and intellectual property (IP).

Darknet markets have created a vast criminal underworld that makes it easier to traffic and profit from this data than ever before, while providing cyber actors with resources to identify valuable targets. Ultimately, it is not the size or scale of a business which makes it valuable, but how vulnerable it is, and the kind of data that it stores.

Risks for Small Businesses

Today, only half of all small-to-medium sized businesses (SMBs) have a cybersecurity plan in place – incidentally, this closely overlaps with the number of small businesses (42%) impacted by a cyberattack in the last year. Some of the most common dangers include,

1. Ransomware – ransomware is an encryption attack that renders an organization’s files inaccessible until it pays a fee. In 2021, ransomware attack volumes nearly doubled, and the cost of the average ransomware payment is approaching $1 million.
2. Social engineering – most cyberattacks begin with an attempt to manipulate or trick your employees into divulging sensitive information. Social engineering includes phishing attacks – which account for over 90% of all cyberattacks occurring today – and social media attacks, which are on the rise.
3. Data breaches – data breaches occur when cyber actors access sensitive data from your business – they may go on to expose that data, share it with malicious third parties, or sell it for money. The average cost of a data breach is over $4 million, which does not count for the impact it has on brand equity and trust. Data breaches are particularly devastating for GovCons, and may impact their eligibility for further government contracts.
4. Cryptojacking – cryptojacking attacks occur when malicious actors surreptitiously install a cryptocurrency mining application on your company’s computer systems. Cryptojacking attacks can reduce system performance and productivity while raising the cost of energy and maintenance – meanwhile, they have also risen by over 200% in some industries.

Ideally, businesses will start from the outset with a cybersecurity plan in place. But for those who don’t, it’s never too late to get started.

Where to Start with Cybersecurity

For businesses who haven’t invested in security already, getting started can be a daunting prospect. Fortunately, it’s possible to increase cybersecurity readiness with a few key steps:

Develop a Cyber Resilience Plan

Responding to a cyberattack requires rapid and coordinated action to isolate attack source, keep your business running and restore mission-critical operations as soon as possible. Developing a cyber resilience plan will help your organization to adapt quickly during a crisis and mitigate the costs of recovery.

Create a Backup System

A regular, secure backup strategy is the single most important step you can take to protect your sensitive data from encryption or loss. The cloud also provides an easy, inexpensive and automated way to backup data regularly (every 13-24 hours is ideal); however, any backup system must be isolated from an organization’s main network to ensure it isn’t compromised.

Get a Risk Assessment

Partner with cybersecurity experts to assess your IT systems for sources of risk. A good risk assessment will identify vulnerabilities and threats both within your organization and outside it and identify steps for immediate remediation; one risk assessment may eliminate dozens of attack surfaces and save your organization millions of dollars.

Comply With NIST 800-171

The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 recommends 110 security controls across fourteen categories. It has become the standard for cybersecurity among GovCons, and even among some private businesses who are not affiliated with the government.

Invest in Cyber Training

The vast majority of cyberattacks and data breaches begin with a social engineering attack. Training your employees to recognize and avoid phishing attacks, use stronger authentication, and report lost devices can substantially reduce the number of successful breaches.

Partner with Cybersecurity Experts

Ultimately, cybersecurity is a long-term commitment that requires the cooperation of everyone in your organization. While the tips in this blog won’t render your company immune to cyberattacks, they will provide a crucial step towards a culture of cybersecurity that will protect you for years to come.