A cyber attack is never ideal, but when it does happen, mitigation and damage control take careful and deliberate steps.
In most cases, it’s possible to prevent serious financial or reputational damage – but it’s important to be proactive. Much rests on lessons learned, and you will always want to work with a skilled cybersecurity firm to perform a post mortem and analysis.
Here are a few misunderstandings we’ve often encountered in our work, both after a cyber attack has happened and when determining what people know about cyber attacks in general.
Myth 1: All it takes to be protected is a backup system.
Fact: Backups can make a critical difference in your business’s ability to maintain operations in the event of a cyber attack, but they don’t provide a line of defense. Backups provide you with options if you experience a ransomware attack, for example.
Likewise, backups are only as good as they are reliable. When was the last time you tested your backups? Were you able to fully restore?
Myth 2: The cloud provides sufficient protection against cyber attacks.
Fact: Migrating your data to the cloud can improve operational efficiency, but it isn’t a guarantee of safety. This is true whether you’re reacting to a cyber breach or exploring a cloud solution to support business needs. Be sure to read and understand what the cloud provider offers versus what your responsibility will be. Cloud providers don’t always guarantee data is protected or safeguarded, and the main responsibility for this usually lies with the customer. This is true with software systems like Microsoft Office 365, for example.
Myth 3: We can predict the kinds of cyber attacks that will happen to us.
Fact: No two cyber attacks are the same – and unfortunately, you don’t get “immunity” after a breach. Frustratingly, you can’t predict exactly when or how a cyber attack will occur. But this is why your goal should be to identify your risks and put your efforts towards protecting your most critical assets, not just towards preparing for one type of intrusion.
Myth 4: Cyber insurance will cover everything.
Fact: Unfortunately, this isn’t true. Cyber insurance policies can be a worthwhile investment, but they also typically have very specific policy conditions. The last thing you want to find out after a cyber attack has happened is that (in the insurer’s eyes) you did not comply with those conditions and are thus not eligible for a payout.
Keep in mind, as well, that some cyber attacks can run into the millions of dollars in ransom sums and other costs. Insurance may only be able to recover a fraction of your – and your customers’ – losses.
Myth 5: Cyber attacks are like earthquakes — you can’t predict them, and you just have to accept the risk.
Fact #1: Sort of. Depending on your approach, this can be a myth – but a very costly one at that.
The earthquake comparison is particularly good, because while scientists are capable of giving rough estimates about when a quake could happen, they still tend to strike without warning. Similarly, you probably won’t get clear hints that a bad actor is prepared to strike.
Fact #2: Actual earthquake preparation tends to involve bracing – sometimes literally, through seismic retrofitting of buildings, so that they sway with most tremors rather than falling apart. A strategic cyber consultant can help you take a holistic view that makes such bracing possible.