Most Businesses Unprepared For Cyberattack
The gap between perceived and actual preparedness among respondents signifies the extent to which most businesses are still trying to identify and mitigate points of compromise that could be exploited by ransomware threat actors.
But this optimism may be misplaced. Our report found that nearly two-thirds (65%) of board members believe their organization is at risk of material cyber attack in the next 12 months. Almost half (47%) feel their organization is unprepared to cope with a targeted attack. And only two-thirds of board members view human error as their biggest cyber vulnerability, despite the World Economic Forum finding that this risk leads to 95% of all cybersecurity incidents.
Most businesses rely on computer networks for day-to-day operations, and this creates exposure to cyber risk. Any attempt to steal data or destroy, damage, or disrupt a computer system is known as a cyberattack.
Last year I wrote two FORBES articles* that highlighted some of the more significant cyber statistics associated with our expanding digital ecosystem. In retrospect, 2021 was a very trying year for cybersecurity in so many areas. There were high-profile breaches such as SolarWinds, Colonial Pipeline and dozens of others that had major economic and security-related impact. Ransomware came on with a vengeance, targeting many small and medium businesses. Perhaps most worrisome was how critical infrastructure and supply chain security weaknesses were targeted and exploited by adversaries at higher rates than in the past. Since it is only January, we are just starting to learn of some of the statistics that certainly will trend in 2022. By reviewing the topics below, we can learn what we need to fortify and bolster in terms of cybersecurity throughout the coming year.
A host of factors can make smaller businesses more vulnerable to cyberattacks. SMBs may have fewer IT staff, or even no dedicated IT staff. With smaller budgets than larger companies, they may have much less sophisticated computer and network security and backup procedures, and lack an overall security roadmap. Employees may lack security awareness, making them less likely to be able to detect social engineering attacks and email phishing scams. Those scams include impersonation attacks in which attackers send official-seeming email messages that entice victims to reveal sensitive financial and personal data.
A recent report on board views about cybersecurity found that 65% of board members believe their company is at risk of experiencing a material cyber incident within the next 12 months, but almost half (47%) feel their organization is unprepared to deal with a targeted cyber attack. Boards that believe their company is unprepared for a cyber attack (or could be better prepared) have time to improve cybersecurity measures before new disclosure rules expose cyber risks to investors.
Our lives are interconnected via technology more now than ever. Along with constant innovation come increased risks and added concern for businesses as they look to protect their data privacy assets. The construction industry is particularly vulnerable to cyber-attacks and generally unprepared to combat them. The structure of construction projects, which often involve several entities working together toward the completion of a singular goal, requires constant and in-depth sharing of sensitive information, making it an attractive target for a hacker seeking to run a ransomware scheme and make a quick profit. Construction professionals don't have to remain sitting ducks, however; they can take steps to protect their assets and ward off cybersecurity criminals seeking to derail their operations.
A study completed by Safety Detectives recently found that the construction industry was the 3rd most likely industry to experience a cyber-attack (www.safetydetectives.com/blog/ransomware-statistics). Construction professionals are not helpless in the fight against these crimes, however, and have the ability to significantly reduce their risk by developing and implementing a plan to combat cybersecurity interference with their businesses. An incident response plan should:
Over the past month, Keeper Security surveyed 500 senior decision makers at SMBs to uncover more about their mindsets around cyberthreats (likely or not?) and common misperceptions (too new, too old, whose job is it anyways?). The findings underscore just how unprepared businesses are for cyberattacks.
#1 Cybersecurity is not on the to-do list
60% of respondents say they do not have a cyberattack prevention plan
Only 9% of businesses rank cybersecurity as a top business priority
In fact, 18% rank cybersecurity as their lowest priority
Only 7% of CEOs, corporate chairs and owners say a cyberattack is very likely, and nearly half (43%) of them say a cyberattack is not at all likely (higher than any other management group surveyed)
These premium jumps are due to the increased number and severity of cyberattacks. Cyberattacks are now mostly driven by nation state actors (mostly cybercrime gangs sanctioned directly or indirectly by nation states such as China, Russia, North Korea, and Iran) that conduct much more sophisticated attacks than we saw even just a few years ago.
Questionnaires are growing in length and include additional areas of cybersecurity previously overlooked. Hurt by paying out expensive claims, insurance carriers are trying to avoid underwriting businesses that are too high risk. Many insurers are refusing to serve businesses, some are raising premiums to a very high level, and most are tying lower premiums (or any premium at all) to a business implementing a growing number of cybersecurity best practices.
73% of organizations are unprepared for cyberattacks today, many of them remaining unprepared even after an attack. Organizations must implement the necessary technology to avoid future attacks before a breach can occur.
Cyberattacks can cause devastating consequences for any business, but small businesses are uniquely at risk. When a cyberattack hits, unprepared small businesses may deal with overwhelming financial repercussions as well as hits to their reputation, pricing structure, productivity, employee morale, and much more.
As stated earlier, the costs associated with a cyber attack are expensive, even for a small business. Studies have shown that 83% of small and medium-sized businesses are unprepared financially to recover from a cyber attack.
While financial institutions, medical facilities, and even retail chains have been forced to face the dangers of cyber threats, manufacturing companies spent most of the last decade blissfully unaware of the likelihood of attack. The reasons for this were mostly two-fold. First, the very real lack of connection between manufacturing companies and the outside world created a comfortable barrier between cyberattacks and manufacturing companies. Second, manufacturing companies mistakenly believed they didn't have much to offer cyber attackers.
By 2019, the manufacturing sector reached the top 10 status as the 8th most targeted industry by cyber attackers. The problem exploded in 2020 when many companies were forced to depend almost entirely on remote workers due to pandemic restrictions. While most of the world was largely unprepared for the effects of COVID-19, cyber attackers were ready. The manufacturing industry moved from the 8th most targeted industry by cyber attackers to number 2, falling behind only finance and insurance. According to the 2021 Global Threat Intelligence Report (GTIR), this represents a 300% increase in a single year.
Some of the most high-profile attacks in recent months have been supply chain attacks that affect multi-million dollar corporations, critical infrastructure, and even global food production. For many, the SolarWinds attack that infected a trusted software update used by many well-known companies was a much-needed glimpse into the potential dangers of a supply chain attack. In May 2021, a supply chain attack on Colonial Pipeline shut down 45% of the fuel supply in the Eastern U.S., clearly echoing fears of the potential damage of a supply chain attack that affects the nation's critical infrastructure. The gas line attack was followed almost immediately by a cyberattack on JBS Foods, one of the world's biggest suppliers of meat. Both of these attacks were resolved quickly with the payment of millions to hackers. However, the potential dangers of more severe attacks are clear. Successful attacks with malicious intent beyond extortion could cause long-term shutdowns of critical systems and food chains in multiple nations.
Perhaps some of the most dreaded cyberattacks that exist today, nation-state attacks are cyberattacks carried out by the government or threat actors employed by the government of another country. The motivation for these attacks varies widely and can range from monetary value to intellectual property theft of defense weapons, or even a grudge. Hackers look for any data that will benefit their country's economy and strengthen both key business and military strategies. Nation-state hackers have been known to attack government agencies, critical infrastructure, and virtually any industry known to hold sensitive information.
For most manufacturing companies, an in-house cybersecurity team isn't something that can fit within the budget. However, cybersecurity isn't a part-time job. Manufacturing companies with long supply chains and vulnerabilities due to fragmented systems need a comprehensive solution that provides complete visibility into the network, threat detection, and remediation plans for the inevitable moments when threats are identified within your network. A large portion of companies that aren't prepared for cyberattacks cite lack of funds as the biggest reason. Yet, manufacturing companies can't afford to skimp on cybersecurity.