How Planning Can Reduce the Risk of a Cyberattack

Not all cyberattacks operate in the same way. Cybersecurity Awareness Month, which is celebrated each October, is the perfect opportunity for associations and small businesses to bring cyber safety to the forefront and kick off a yearlong training program.

With technology ingrained in numerous aspects of our daily lives, it’s no coincidence that the number of cybercrimes and data breaches grows with each passing year. Though often considered a primary threat for large corporations, the number of smaller organizations and individuals victimized is staggering—often leading to significant financial losses and repercussions that cause critical damage. So, how do you protect your small business, association and stakeholders? The best defense is widespread and continuous education.

According to Cybercrime Magazine, estimated cybercrime damages totaled $6 trillion in 2021. The impact of that figure is easier to grasp when broken into shorter intervals: $16.4 billion a day, $684.9 million an hour, $11.4 million a minute, or $190,000 a second. If cybercrime were a country, its economy would be the world's third largest, behind only the U.S. and China. Damages are expected to top $10.5 trillion annually by 2025, making cybercrime the fastest-growing form of crime worldwide.

Cybercriminals are slick and adaptable, which makes it difficult to anticipate when or how a cyberattack may occur. However, by proactively training your staff and members, you can help ensure mitigation efforts are executed swiftly and effectively to minimize the impact of a cyber threat. 

Types of Cybercrime

Some of the most common forms of cybercrime are:

Denial of service (DoS) and distributed denial of service (DDoS). Overwhelming a service with traffic, from a single source or, in the distributed case, from many compromised machines at once, so that legitimate users cannot reach it. The disruption may be temporary or indefinite.

Phishing. Deceptive messages (email, text, or voice) crafted to draw out users’ sensitive information, such as banking or business login credentials, or to get the recipient to open a malicious attachment or link that installs software giving the attacker remote access.

Ransomware. Malware that encrypts or locks victims’ files, frequently after stealing copies of the data as well, and then demands payment to restore access or to withhold publication.

Malware. A trojan, virus, worm, or other malicious software or code harmful to your computer or network.

Data breach. Unauthorized access to, or disclosure of, protected information. A breach is usually the outcome of one of the attacks above rather than a technique in itself.

Social engineering. Manipulating a person into revealing information or taking an action that benefits the attacker, such as wiring money, resetting a password, or installing software. It can happen over the phone, by email or text, in person, or through social media; phishing is its most common form.

To keep your association or small business safe, determine its exposure risk and develop a cyber-risk management program, which consists of these three steps: 

Risk assessment. A holistic evaluation of your business to identify areas that could be vulnerable to cybercrime or data breach, along with the immediate rollout of vetted policies and procedures to strengthen weak spots.

Risk mitigation. Implementation of proactive measures to reduce internal and external mistakes and attack exposures. Additionally, the development and regular evaluation of an incident response plan (IRP) not only expedites recovery time and reduces costs associated with a cyberattack but also ensures best practices are followed during such a crisis.

Risk monitoring. The continuous evaluation of potential cyber threats and your ability to protect your business against them, which frequently includes compliance and operational audits to test your organization’s response.

Prevention Tips

Though it’s imperative to help keep cyber safety top of mind year-round, Cybersecurity Awareness Month is the perfect annual reminder to reevaluate, refresh, and redistribute your cyber risk management program to all team members. One way to do this is to test your organization's cyber risk exposure through a cyber-liability scorecard. In addition to that, here are some tips for keeping cyberattack prevention fresh and effective:

  • Leadership support. Obtaining C-suite approval for new initiatives can be difficult, especially when a request for funds is involved, but it is essential that leaders support cybersecurity measures and lead by example. Sharing statistics on cybercrime and the cost of an average data breach may help win their adoption and budget approval.

  • Employee education. According to Verizon’s 2022 Data Breach Investigation Report, social engineering accounted for nearly one-third of all data breaches. How can businesses combat such effective means of cybercrime? Continuous employee education through training, testing, and simulations.

  • Remote safety. The work-from-home movement went from a slow trickle to a waterfall at the onset of the pandemic, and businesses had to adapt overnight. Unfortunately, with personal health and safety the primary concern, cyber safety often took a back seat. Now is the time to ensure your remote workforce is as well protected as your onsite team: require that employees use only company-provided or company-approved devices, and that they connect through the company VPN rather than directly over home or public Wi-Fi networks you do not control.

  • Good hygiene. It’s easy to forget the basics, but they deserve priority because they work. Strong, unique passwords, ideally generated and stored by a password manager, remain the foundation. Note that current NIST guidance (SP 800-63B) favors long passphrases screened against lists of known-breached passwords over forced periodic rotation and character-composition rules, and recommends changing a password when compromise is suspected rather than on a calendar. Old standbys such as firewalls and VPNs still matter. Multifactor authentication, which requires a second factor to complete a login (an authenticator app prompt, a hardware security key, or a text message or email code), is becoming commonplace; app- and hardware-based factors resist phishing far better than SMS or email codes. The best defense against a ransomware attack is frequent data backups, kept offline or otherwise out of reach of an attacker who controls your network, and tested regularly by actually restoring from them. None of this is revolutionary, but all of it works.

  • Separation of roles. If one team member controls a large share of sensitive information and that person’s account is compromised or laptop is lost, your business is in trouble. Best practice is to distribute data access and processes across the team, so that a single compromised credential or device does not carry an attacker far. Separate responsibilities such as HR and payroll, accounts receivable and accounts payable, and the handling of client and other data, to avoid an unsafe concentration of information.

  • Vendor management. Vendors are often used as extensions of your staff but are frequently forgotten when it comes to cybersecurity. As part of your risk and reputation management, regularly review your business partners’ cybersecurity protocols. Because they typically handle your sensitive data, you must understand what data they have access to; how they use, transmit, and store it; and on which devices they do so.