During the first half of 2021, four out of five organizations experienced a cybersecurity breach that originated from a vulnerability in their third-party vendor ecosystems. While small to medium-sized businesses (SMBs) may believe they are "too small to target," these organizations are at risk from ever-increasing automated and supply chain attacks targeting their IT service providers.
Cybercriminals are automating their processes wherever possible. Big data analytic tools and machine learning allow them to find new victims and generate personalized spam messages. Crimeware-as-a-service — which enables criminals with limited technical skills to act as malware distributors for a cut of the profits of successful attacks — and its affiliate programs accelerate the threat. Between automation and supply chain attacks, it's no longer a question of whether you will be breached, but when it will happen. Many an SMB cannot survive such an attack, at least not without planning.
During a recent Microsoft Inspire panel discussion hosted by the cyber-protection company Acronis, four renowned cybersecurity experts explored the challenges of protecting Microsoft 365 environments. One topic of discussion focused on how important it is for SMBs to prepare for the inevitable data breach: to have a data breach incident response plan and crisis communication plan in place.
"Data breaches are no longer exceptional in and of themselves," Troy Hunt, security researcher and founder of HaveIBeenPwned.com, said at the panel discussion. "What is exceptional and newsworthy today is how an organization responds to the incident. SMBs need to be able to communicate with their customers — truthfully and transparently — while they work to minimize the damage a breach can cause once it happens."
While managed service providers (MSPs) can assist an SMB with remediation when an attack happens, few MSPs can provide help with crisis management, public relations, and customer communications. If you are an SMB seeking to engage an MSP or you already work with one, it's important to discuss how the MSP can help with incident response planning and testing as well as crisis management — planning that must happen before an attack happens.
Scott Bekker, Editorial Director of Redmond Channel Partner and Converge 360, remarked at the Inspire discussion, "In many cases, MSPs serve as the only IT staff an SMB may have, but when it comes to public relations, many MSPs have limited in-house resources themselves. However, it would be helpful if MSPs provided their clients with messaging best practices to help these organizations communicate with the public and their customers when a breach happens."
If you discover that your MSP cannot provide the post-breach communications support you require, you might consider engaging other third parties, such as the Cybercrime Support Network (CSN), a 501(c)(3) nonprofit organization created to meet the challenges facing individuals and small businesses affected by cybercrime.
In addition to supply chain attacks, many SMBs have inadvertently created additional vulnerabilities while moving their applications to the cloud. Candid Wüest, VP of Cyber Protection Research at Acronis, commented at the panel discussion, "In many cases, SMBs lack the expertise to correctly configure cloud services, so attackers continue to focus on them to access and exfiltrate data. Worse yet, many SMBs don't use log files, which are useful in forensic investigations."
Log files help determine the causes of a security breach, how much data was stolen, and when it was stolen. While Microsoft provides log files, it's important to set them up and ingest them. This is another area where an MSP can help an SMB.
Regardless of company size, your organization can save a significant amount of money if you plan for an attack so that you can effectively address remediation, crisis management, and communications if and when an attack happens. A recent study conducted by the Ponemon Institute indicates that organizations that developed incident response teams and tested their incident response plans experienced an average cost savings of $2.46 million compared with organizations that experienced a breach without an incident response team or tested incident response plan.
About the Author
James Slaby is Director, Cyber Protection, at Acronis, focusing on the conjunction of IT security and data protection. Before Acronis, Slaby worked as an industry analyst covering IT security, cloud computing, and networking at Forrester Research, HfS Research, Yankee Group, and others.