Cyber attacks and hacks are a risk for every business. We recently met at a cyber café meeting, where we also heard the stories of local business owners, people just like you and me. It was proven there once again that you do not have to be a large corporation to get hacked. So recognize the danger, embrace the risk and be prepared. European legislation and other parties, such as financiers, increasingly demand that you have your affairs in order. A lot can be gained with a few relatively simple steps. Time to share these with you, #superlogical of course!
The days when cybersecurity risks were only a problem of large institutions are a thing of the past. Any organization can become part of a cyber attack. So can your organization. And even if you've taken protective cybersecurity measures, disaster can still strike. Your systems can be taken down or your data held hostage.
Cyber security is also no longer just the domain of technicians; it must be anchored throughout the organization. Indeed, liability and responsibility lie with the board and management. For many non-technicians, though, it remains an intangible topic. Clearer explanations are needed on how to take this responsibility and review it periodically. In this article, we give you some tips that you need to act on as a minimum if you want to protect your company from cyber attacks and remain operational in the future.
Risk management goes before cybersecurity management
Do you already understand your cyber risks? We start with risk management, because it always precedes security: first you want to determine what your risk appetite is. You already do that for fire safety, for example, and it is just as important for cybersecurity. With three simple steps, you determine the risk.
- Step 1: Define business goals and the necessary information/data. - Identify where the important information needed to produce a product or perform a service resides. Consider: data, assets (buildings, cabinets, data centers), applications and services.
- Step 2: Determine the causes, risks and financial implications. - What could pose a risk to the continuity of the organization? What is the impact in euros if the risk materializes?
- Step 3: Determine measures. - The questions to ask here are ‘how quickly do we know that an incident has occurred?’ and ‘how quickly can I inform my CEO or regulator?’ It takes an average of 197 days for a company to discover it has been hacked. Sometimes it takes three years before this is discovered, by accident. Review what is already in place and what needs to be done additionally to mitigate the risk.
We also discuss the steps mentioned above with Rabobank customers. It always surprises us that entrepreneurs have not yet anchored cyber management in their organization, as cyber risks are only increasing. Therefore, it is important for entrepreneurs to be aware of the risk they face, identify it and determine the measures they need to take, even before we can talk about cyber security or insuring the financial consequences of a cyber attack at all.
The importance of cybersecurity
The Denver Post wrote that 60% of SMBs that are hacked go bankrupt within six months of the hack, due to continuity failures and missing backups, customers walking away, high recovery costs and emotional stress. Businesses also face reputational damage, for example through social media, which can cause a snowball effect of accusations. For some companies, a cyber attack does not have such a fatal outcome, but we do see that it can take a long time to get back up and running. It can take three to 13 weeks or even longer for you and your employees to get back to work. Imagine your business being down for that long. You are missing out on a huge amount of revenue, with all the consequences this entails.
Large organizations that have been in the press with security incidents, such as ASML, UWV, ING, Yahoo, Gemalto, SONY, the Tax Office, Diginotar, Target and the University of Maastricht, are often indirectly affected by security incidents. Those responsible, and liable, in these organizations are the boards of directors and executive managers. Board members struggle with their responsibilities and liabilities for information security and cyber risk.
This can have serious consequences, as they are also legally liable. So in the case of a cyber incident, directors' liability also comes into play. This means that as a director, you can be held liable with your private assets for damages caused by, in this case, a cyber incident. The cost of a liability claim can be substantial. But even if the court rejects a claim, it will involve high legal costs. If you do not have directors' liability insurance as a director, you will personally end up paying for damage claims and possibly high legal fees.
Own responsibility
Lenders (banks, private equity) are also increasingly looking at the cyber resilience of their portfolio. In mergers and acquisitions, cyber resilience is increasingly a regular part of the investigation, the so-called technical due diligence. Rabobank is also increasingly strict about accepting new customers and granting loans.
Companies will have to take their own responsibility by having their cyber security in order. This is an ongoing process that should be reviewed periodically. By doing this, you make it more difficult for cyber criminals to carry out a cyber attack now, but you also ensure that you can remain operational in the future. You take responsibility in the chain, making you an attractive partner to work with. Because let's face it: are you eager to work with a party whose cyber resilience you know is low?
European directive tightened
The threat of cyber attacks continues to grow. To better protect Europe from cyber attacks, a new European cybersecurity law is coming: NIS-2. In Europe, the NIS-1 directive currently applies to essential infrastructures. The NIS-2 directive expands these requirements. The new directive will apply to many more companies in different sectors, including SMEs. As a result, companies will have to meet higher requirements, but will also receive more help from the government, for example when they are affected. If a director is demonstrably negligent, a fine can be issued.
Setting up cybersecurity that really works: ‘zero trust’
A recent movement within cybersecurity is zero trust: the most effective cybersecurity strategy (including for SMEs), which has been decreed by, among others, U.S. President Joe Biden in the fight against cyber terrorism and cyber warfare. In the zero trust approach, nothing and no one is trusted any longer unless its legitimacy has first been explicitly verified. Actions within the network are also intensively monitored, and traffic is constantly inspected for viruses or attacks. This strategy also makes the organization resilient against accidentally becoming part of an attack. In fact, hackers are increasingly using other people's weak systems to set up an attack or as a stepping stone to get in somewhere else.
Effective measures that support zero trust and that you as a company can apply immediately:
- Segmentation. - Segment the network environment (email, accounting package, CRM, etc. all separate) and the links in and out. Start with the key cabinet: in many companies, this is the Active Directory, where all users, permissions, etc. are stored. In virtually all hacks, it turns out to be unprotected and easily accessible to hackers.
- Automatic patching of software. - Patching is updating software to an improved version that protects against (known) vulnerabilities.
- Creating backups. - This sounds like an open door but has proven to be the ultimate salvation for many companies that have been hacked. Test regularly to make sure everything is still working and data can actually be restored.
- Multi-factor authentication (MFA). - Use a system, for example Google Authenticator, where access to a system is additionally authenticated at the level of the user and his or her device.
- Monitoring and alerting. - As with a physical building or business park, constant surveillance for uninvited guests has proven to be very effective in limiting damage, and it also provides evidence for insurance or in case of legal action. This so-called Managed Detection and Response can often be outsourced to a specialized party. Such services are going to become even more prominent under NIS-2, because organizations must be able to report events and incidents promptly.
- Incident Response Plan. - Create a roadmap outlining what to do in the event of a cybersecurity incident. Doing this with a professional ensures that in the event of a hack, you can act quickly and effectively to reduce the impact. This is another hard requirement under NIS-2.
Unfortunately, many companies do not report a cyber attack, even though it is a crime. Organizations are often reluctant because of embarrassment or the perceived burden of an investigation. Nevertheless, we advise companies to always report it to the relevant agencies so that the authorities can launch an investigation. In addition, it is important to analyze what happened and publicly share what can be learned. In this way, organizations can help each other in increasing cyber resilience throughout the chain.
Source of the article (emerce).
Analyst ICT can help you with this. We are happy to start the conversation, help you put together a plan and even test your cyber security together with you. Curious? Get in touch via our contact page!