After a record year of breaches, two cybersecurity experts share tips on securing your business’s most valuable assets.

BY BEN SHERRY, STAFF REPORTER (@BENLUCASSHERRY)

For Inc.


Was your company hacked in the past year? If not, consider yourself lucky.

It’s not a question of if, experts say, but when you’ll get hacked.

Cybercrime is up exponentially, driven in part by the pandemic shift to remote work and employees using their own devices to access company networks or, alternatively, adopting work devices for personal use. According to a year-end report from cybersecurity services provider Flashpoint, 4,146 global data breaches were reported from January 1, 2022, to November 30, 2022. About a third of those, 31.8 percent, targeted U.S.-based companies. And while we hear a lot about the hacks at large companies and organizations, small and midsize companies tend to be even more vulnerable to cyberattacks.

“I often see smaller companies that say I’m small enough that hackers wouldn’t care about me,” says Tiffany Kleemann, clients and markets leader for cyber and strategic risk at Deloitte. “That’s just simply untrue. I don’t care what size business you are–everyone these days is a target.”

Kleemann points out that smaller companies that experience hacks can face an existential threat. Take ransomware for example, a type of cybercrime in which an attacker encrypts a victim’s data and demands a ransom from the victim to restore access to the data. A smaller company without the cash flow to meet a hacker’s demands could be sunk.

Prevention starts with awareness

Kleemann says that “job one” for every company looking to safeguard from cybercrime should be to conduct a cyber risk assessment. A cyber risk assessment is a process for evaluating the potential risks to an organization’s technology infrastructure, business processes, and security controls to identify vulnerabilities and the potential impact of a hack or data breach. Kleemann likens the process to identifying your company’s “crown jewels,” and then formulating specific plans for how to safeguard those valuable assets.

Also vitally important is training your employees to identify attempts from external actors to break into your internal systems. These attempts often come in the form of phishing scams, in which someone attempts to obtain sensitive information, such as passwords and credit card numbers, by disguising oneself as a trustworthy entity via electronic communication. These days, Kleemann says, cybersecurity consultants are going a step further than hosting classes on phishing scams; they’re sending fake phishing emails to employees as a low-stakes way of testing their abilities to recognize threats.
