“It’s not a matter of if but when an organization is going to be impacted by a criminal cyber actor,” Whalen said, speaking at RSA 2021, the digital version of one of the most important security events of the year. Small businesses are especially prone to failing to plan for the worst, he said, often assuming they are unlikely to be targeted.
“Regardless of the size of the organization, it’s a matter of being underprepared. Sure, a lot of companies might have thought about some sort of IT defense and resilience, but having a plan on a shelf that they’re able to reach to in the event of a ransomware attack was maybe not quite there. Or what would happen when we had to send all of our employees home?”'
Why Businesses Don’t Plan for Data Breaches
With so many companies victimized by data loss, why aren’t more of them planning for the likelihood of an attack? Whalen said that many believe one or more of the following myths:
- Cyberinsurance makes incident response planning unnecessary. “This one scares me,” Whalen said. Having cybersecurity or business continuity insurance is important but is not a substitute for an incident response plan, just as having homeowners insurance is no reason to let your house burn down, he said. “I have insurance too, but I still protect myself when I go out in my daily routine. Having insurance is a great strategy in your incident response, but maybe we want to think about doing a little more.”
- Small businesses aren’t targeted for attack. Many small businesses think their low profiles make them unlikely to be victimized. In fact, their lack of preparedness makes them tempting prey for threat actors. “Attackers are like fishermen,” Whalen said. “They go where the fish are, and they use the bait that’s going to work best. So if you have a common vulnerability in your environment, they’re going to find you if they’re looking for it that day, and then they’re going to figure out how to use your organization to raise capital.”
- A stout perimeter defense is sufficient. Most incidents involve a human actor, and that’s usually someone inside an organization’s environment, rendering traditional perimeter defenses all but useless. “It could be someone who configured things the wrong way, it could be someone who just clicked on an email,” Whalen explained. “It’s not necessarily intentional. It’s just people trying to get through their days with all the stressors that can result in security violations, and those turn into breaches.”
- Developing an incident response plan is too expensive. The average cost of a breach is $3.86 million, according to the Ponemon Institute. And that doesn’t count the reputational cost to a breached organization. While data security carries a business cost, it’s much lower than the cost of a successful attack.