In the Crosshairs: 4 Tips for Lessening the Likelihood of a Cyberattack
The vast majority of businesses live with the ongoing threat of a cyberattack. They possess money and data, which cybercriminals want to steal. Therefore, these businesses should do everything in their power to lessen the likelihood that an attack will be successful. But what does that look like?
Let’s discuss!
In the Crosshairs, the Series
In this series, we focus on cybercriminals, for they are the largest and most well-known threat bad actor type. We lay out a straightforward framework for how you can ASSESS the likelihood that cybercriminals will attack your business, LESSEN that likelihood, and how to ENGAGE cybercriminals to win the cyber war. Here are the highlights and links to the other articles:
Guiding Principle #1: If you have a lot of money, you need to protect it.
Guiding Principle #2: If you have a lot of data, you need to value it properly to determine the appropriate level of protection it requires.
Guiding Principle #3: If you make it easy for cybercriminals to attack you, they will, and that’s bad for everyone.
Guiding Principle #4: Cyber threats and cybersecurity are constantly evolving cat-and-mouse games.
Technique #1: Staff your board of directors and leadership teams with cyber experts from industry and government
Technique #2: Ensure your CISO reports to your CEO
Technique #3: Build a cybersecurity team with experienced experts — even reformed cybercriminals
Technique #4: Rebuild your legal department, this time with former prosecutors
Technique #5: Develop a strong public-facing cybersecurity reputation
Technique #6: Build strategic relationships with law enforcement
Technique #7: Explore the dark web and approach cybercriminals
Technique #8: Never pay a ransom, period
In the Crosshairs, Part II - LESSEN
This is the second article of our “In the Crosshairs” series. It discusses tips to LESSEN the likelihood of an attack. As you’ll see, this conversation is more complicated than “increase cybersecurity” and more nuanced than “buy more security solutions.” It’s about finding strategic ways to decrease visibility within the threat landscape.
Overcoming human nature by being proactive
Before getting into the details, I want to talk about human nature. Consider this a starting point: would you ever disagree that cybercrime threatens business? That it needs to be taken seriously?
When I meet people, they are appropriately concerned about cyberattacks. So when I hammer home the importance of good cybersecurity, they’re right there with me, nodding that cyber is critical to their success.
Then they go back to the office and forget about it… obviously. When the budget rolls around, cyber gets pushed down the priorities list. Does this happen because they forgot what I said or suddenly disagreed with me? Hell, no! I‘m memorable and brilliant. Why would you disagree with pure genius that you can’t forget? LOL. It’s far more likely that human nature took hold. It is easier to kick the can down the road. Let’s be frank; cybersecurity is a cost center. And spending on cost centers reduces profit margins. In cybersecurity, people tend to wait until a crisis occurs and then take meaningful action after it.
That's understandable. But I want to change that mindset. To get you to think proactively about cybersecurity so that you’ll lessen the likelihood of an attack. Remember, the estimated cost to remediate a data breach in 2022 was $9.44M. And the best part is that these suggestions are very cost-effective!
Here are 4 tips for lessening the likelihood of an attack.
Tip #1: Don’t shout about your $100 million funding
It feels great to announce your success to the world. When you finally close your latest funding round, you won’t just write an email to your friends. You’ll try to get media headlines and pump up your win. The promotion is critical for increasing visibility, and the publicity helps validate your work. Everything about it is excellent… ALMOST.
The flipside to this coin is that, for cybercriminals, your success is their opportunity. When they read “Sesame St. Hardware & Software Closes $100 Million Series B Round,” two alarm bells go off in their head:
Alarm bell 1 (Awareness) - Look at this company with money to steal.
Alarm bell 2 (Intrigue) - How easily can I compromise them?
Building your business can be an all-encompassing endeavor that leaves room only for cybersecurity basics (hopefully, you at least have those covered). But if you can’t apply the most strategic zero trust principles, you can still mitigate threats in other ways. Announcing your tremendous success to the world, with substantial dollar signs attached, doesn’t help. It makes you an immediate target. Your cyber adversaries are waiting to pounce, and you might not be prepared for that.
Would you ever walk down a busy New York City street shouting, “I have ten thousand dollars in my pocket! I am walking to my car, FYI.” Of course not. Does that mean you’ll be mugged? Probably — or at least several people will be sizing you up. I hope you have taken the appropriate steps to secure yourself and your $10K.
The same is true when you shout about additional funding for your business. Strive to share, not shout. Opt to forgo press releases centered on the amount raised. Instead, do a press release concentrating on what you want to do next with your business. For example, focus on your vision for growth or your intention for new product/service offerings (the next section illustrates an example). Announcing your success more quietly can lessen the likelihood of an attack.
Tip #2: Collaborate in the cybersecurity space
One way to publicly announce your success without drawing cybercriminals’ attention is to simultaneously promote your partnerships with regulators and enforcers. For instance, the JCDC, or Joint Cyber Defense Collaborative, is a public-private initiative from CISA (the Cybersecurity and Infrastructure Security Agency, which is part of the US government) that “proactively gathers, analyzes, and shares actionable cyber risk information to enable synchronized, holistic cybersecurity planning, cyber defense, and response.” Being part of groups like this increases lines of communication between industry and the federal government and makes everyone safer from cyber threats. In addition, it can serve as a powerful deterrent when dealing with cybercriminals.
To illustrate the point, let’s do a quick drill: Which press release summary makes a business less of a target?
One -
Company A’s $700 million Series C round places it within the top 10 largest climate tech raises in 2022
Microsoft Climate Innovation Fund, Lightrock's Climate Impact Fund and Moore Strategic Ventures among investors in the Series C extension following the first close led by Porsche AG
Financing supplemented by the Biden-Harris Administration and the DOE's $100 million grant award announced in October 2022 to fund the buildout of Company A’s factory in EL Paso, Texas
Two -
Company A’s Series C round will propel it to new heights in climate tech
Company A will focus on integration with generative AI, expansion into European markets, and cutting global emissions by 10%
Trailblazing a safer environment in climate tech, Company A will be closely aligned with the JCDC to share mutually beneficial threat intelligence and indicators of compromise targeting cybercriminals
The first one is standard. When a cybercriminal sees it, they think, “Yep… that’s what we will be targeting first thing Monday morning.” The second one hits a different note. It still shares success but mutes the bombastic bravado — and the third bullet serves as a warning to any cybercriminals, “Don’t fuck with us. We don’t play.”
Bold, right?
Yes — because it needs to be. I expound on that notion in the third article of this series, “8 Ways to Engage Cybercriminals to Win the Cyber War.”
Information sharing and government collaboration aren’t always natural for businesses. You don’t want to give away your secret sauce, and you don’t have to! You share what you want in a controlled and collaborative manner.
You shouldn’t limit sharing to certain governmental agencies. You should share with industry partners. You can join professional industry trade organizations, national information-sharing societies, etc. Some great options are:
CompTIA Information Sharing and Analysis Organization (ISAO)
Technology Association of Georgia (TAG) - A state-specific option, each state will have similar organizations!
A considerable benefit from this is how much knowledge and experience you will gain. How many Chief Information Security Officers (CISOs) do you need? Just one. But what if you could harness the knowledge of 10 or more? Empower your CISO to join and actively participate in these groups. They will return with far more knowledge than they could ever acquire independently.
If you collaborate with others, you will lessen your threat profile. You might be a big target, but leveraging the benefits of collaboration will allow you to operate from a position of collective strength. Remember, cybercriminals leverage the benefits of cooperation by working with one another. You need to level the playing field and do the same.
Tip #3: Audit, secure, and reduce your attack surface
Businesses increase their likelihood of a cyberattack when they have insecure entry points to their systems. This is known as having a weak “attack surface.”
Think about it in brick-and-mortar terms. Pretend you own a restaurant. Business is good, security is strong, and you’ve never faced an attempted robbery. So you open a second location across town. The expansion goes 10% over budget, so you make cutbacks — hire faster, vet less, and opt for cheaper surveillance. You still feel like the odds of a break-in are low, but the reality is you’re defending more business with less protection. What if business exploded and you operated hundreds of thousands of restaurants, spanning the globe? Some corporate, some franchise, and some you honestly don’t know.
What’s the digital equivalent of this? Operating a business with hundreds of thousands of internet-facing computers (an example of an internet-facing computer would be a web server or a remote employee’s laptop). These are external entry points into your organization’s internal network. Think of them like doorways. The more users, systems, and networks associated with your business, the larger your attack surface; thus, the greater your exposure to cybercriminals. Remember that a cybercriminal only needs to be right once to attack your business — they only need to find that one vulnerability for one moment.
In this scenario, reducing your attack surface may sound impossible. But you don’t need to hamper your growth and expansion; you only need to pay close attention to how you grow. Don’t lose sight of employees and devices; keep records of devices and clear documentation around people, processes, and hierarchies. More specifically, you must continually map out your attack surface, label assets accordingly, secure all your assets, and monitor everything. You can lessen the likelihood of an attack by strengthening your attack surface.
Tip #4: Add a cybersecurity expert to your board of directors
Cybersecurity is a huge business risk. The board of directors helps manage that risk. Yet too many board of directors lack cyber knowledge, experience, and expertise. This can make your company more likely to experience a cyberattack. Why?
Strong cybersecurity starts with being prepared, which begins with understanding the problem. The board of directors is a company's highest level of authority, with the CEO reporting to it. If the board isn’t thinking about cybersecurity because it doesn’t truly grasp how complex, complicated, and critical cyber is, then that lack of awareness can negatively affect the entire company. The board might not appropriate the correct level of spending for security, might not ensure the CISO reports directly to the CEO, or might not fully grasp why defense in depth is so crucial in cybersecurity.
However, you can be proactive about cyber if you have a strong cybersecurity expert on your board of directors. An expert will:
Prove indispensable when there's a cyber issue. A board of directors often takes a while to understand cyber problems. An expert will grasp it immediately. They can explain it to fellow board members and start guiding the executive team.
Assist in up-leveling the company’s collective security posture. Suppose your board of directors has the cyber chops to help your CEO navigate the evolving threat landscape. In that case, your business can get ahead of the next attack with strategic risk management for today, tomorrow, and the future. For example, if your business threat level is low right now, you may not want to invest heavily in a large cyber team. If you have a cyber expert on the board, they’ll help guide the executive team as your business grows and scales and the threat landscape evolves. The expert will share when it is time to expand your cybersecurity capabilities.
Provide essential strategic cyber guidance to executives when dealing with complex cyber operations, like digital supply chains or international geo-political cyber processes — many cybersecurity experts are proficient in overseas cyber operations.
A cyber expert on your board of directors will categorically lessen the likelihood of an attack. Addressing a pervasive threat like cyber can only be successfully overcome with your eyes wide open. Adding a cyber expert(s) to your board of directors does that and more!
Conclusion: Lessen the likelihood of a cyberattack... while saving money
When discussing how to lessen the threat of a cyberattack, we don’t have to talk about blowing out the budget. Every one of our tips is about making intelligent, proactive, strategic moves to reduce your visibility and navigate the threat landscape shrewdly. In fact, lessening the likelihood of a cyberattack can save you money! Bringing a cybersecurity expert to your board of directors and collaborating with others are cost-effective tactics to stop cybercriminals before they start, and keep your money and data out of the wrong hands.
Want to know how to build a rock-solid program to counter cyber threats? Check out the next In the Crosshairs series, “8 Ways to Engage Cybercriminals to Win the Cyber War.”
Why don’t I go eat some hay? I can make things out of clay, or lay by the bay. I just may. Whaddya say? Oh…and don’t forget to share this “eh!”
Are you looking to go to a persona page?
Cyber 101 | The Solopreneur | SMB | BoD