Sharing Expert Insights on Cybersecurity

Wichita, Kan.—(October 18, 2024)— In today’s digital landscape, cyberthreats lurk around every corner—staying informed isn’t just important, it’s essential for the survival of your business.

We’re excited to share that our Director of Information Security, Jason Fenoglio, recently participated in the Wichita Business Journal’s (WBJ) Cybersecurity Table of Experts. Joined by Ashley Perkins, Vice President of Cox Business, Jason offered expert insights to help guide Wichita’s business community in fortifying their cybersecurity defenses.

About the WBJ Cybersecurity Table of Experts

The WBJ’s Cybersecurity Table of Experts is an annual feature that brings together Wichita’s most respected authorities on cybersecurity. The discussion centers on key topics that every business leader should be aware of when it comes to safeguarding their organization.

What Did the 2024 Cybersecurity Table of Experts Cover?

This year’s feature explored several critical areas of cybersecurity, including:

  • The importance of having a robust cybersecurity strategy.
  • Understanding the costs associated with cybersecurity, including downtime due to cyberattacks.
  • Implementing an effective cybersecurity strategy.
  • Cyber insurance, what it is, and why it’s necessary.
  • Building a culture of cybersecurity within your organization.
  • Administrative control in optimizing technology management.
  • AI’s growing role in cybersecurity.

The 2024 edition of the WBJ’s Cybersecurity Table of Experts was published on October 18, 2024. The full article is available on the WBJ’s website.

Key Insights From Jason Fenoglio: WBJ Cybersecurity Table of Experts Q&A

1. Why is cybersecurity more important than it’s ever been, and why should businesses pay attention?

Cybersecurity will continue to gain importance because the attack surface for cybercriminals has grown exponentially. Consider how many more digital transactions, cloud storage solutions, and remote work opportunities exist today compared to just five years ago.

Additionally, threats are becoming more sophisticated, causing businesses severe financial and reputational damage. It’s no longer a matter of “if” but “when” an attack might happen, and businesses of all sizes must be aware that no one is immune. Developing a plan for when these attacks occur is critical for bringing a business back online quickly. Questions such as, “How will I communicate to my team if a method of communication is down?” or “What if my data is seized or inaccessible if a forensic investigation is required?” should be addressed. Incorporating incident response and business continuity plans into your company’s overall strategy is also essential.

The regulatory landscape is tightening as well, with stricter compliance requirements, making cybersecurity a non-negotiable component of business resilience.

2. What is the expense associated with cybersecurity, and how do small businesses justify the expense?

The cost of cybersecurity can seem steep, especially for small businesses, but it’s important to view it as a necessary investment rather than an optional expense.

The financial and reputational damage caused by a data breach can far outweigh the upfront cost of implementing cybersecurity measures. Small businesses often justify the expense by recognizing that a single breach could be devastating, not only in terms of lost revenue but also in terms of customer trust.

Additionally, there are scalable cybersecurity solutions available, meaning small businesses can adopt suitable measures without breaking the bank.

3. For businesses that don’t have their own IT experts, how do they navigate this, and what should they do?

Businesses without dedicated IT expertise should really consider outsourcing their cybersecurity needs to a managed service provider (MSP). An MSP can function as your company’s cybersecurity partner—they bring specialized knowledge, leading-edge tools, and ongoing monitoring to help protect your business, all without the overhead of having to maintain a dedicated IT or cybersecurity team. More importantly, an MSP can help uncover gaps in your security posture that you would likely overlook on your own.

4. What key factors should businesses evaluate when selecting cyber insurance policies, and what considerations must they keep in mind to protect their customers effectively?

Before considering cyber insurance, businesses must ensure they have a solid cybersecurity foundation. Cyber insurance is not a substitute for a strong cybersecurity strategy; instead, it complements it.

When selecting a policy, it’s crucial to evaluate what the coverage includes—such as legal fees, data recovery, and business interruption—and ensure it covers third-party breaches if customer data is involved. The policy should be seen as a backup, not the first line of defense, and rates are typically influenced by the strength of your current cybersecurity measures. Ensuring that you’re following best practices like encryption, multifactor authentication, and regular employee training can help lower premiums and enhance overall protection.

If your company is not employing strong multifactor authentication methods while operating online, there should be a technological limitation for not enabling it. For the 99% that do not have a legitimate exception for deploying MFA, turn it on now.

5. What are the most effective strategies for establishing and sustaining a culture of cybersecurity awareness throughout an organization?

Building a cybersecurity-aware culture starts with employee training. Employees are the first line of defense, and regular education on identifying phishing emails, creating strong passwords, and practicing safe internet habits is essential. Ongoing initiatives like simulated phishing tests, cybersecurity quizzes, and regular updates through newsletters help maintain awareness.

Additionally, it’s vital to create a work environment where employees feel comfortable reporting suspicious activity. Leadership buy-in is equally important—when executives actively participate in cybersecurity efforts, it signals to the entire organization that protecting digital assets is a top priority.

6. What role does administrative control play in optimizing technology management, and how can securing executive-level buy-in accelerate this initiative across the organization?

Administrative control establishes who has access to what systems and data, playing a key role in limiting exposure to potential cyberthreats. By implementing clear access policies, such as least-privilege access, you reduce the chances of unauthorized individuals accessing sensitive information.

Executive-level buy-in is crucial because it ensures cybersecurity initiatives receive the necessary budget, resources, and prioritization. When leadership is involved, cybersecurity becomes a company-wide initiative, making it easier to enforce compliance and deploy protective measures more effectively.

7. What are the key non-technical measures a company can adopt to significantly mitigate its cyber-risk profile without relying on new technological solutions?

One of the most impactful non-technical strategies is building awareness. Simple training programs that teach employees how to identify phishing scams, avoid weak passwords, and report suspicious activity can help drastically reduce your vulnerability to cyberattacks. Ensuring consistent security practices, like locking devices when unattended, avoiding overly permissive account access, or verifying email requests, also contributes to mitigating risks.

Establishing clear data-handling policies is another effective non-technical measure. Ultimately, fostering a vigilant culture where employees understand their role in cybersecurity can go a long way toward reducing vulnerabilities without relying on new technology.

8. What did we learn from the recent attacks right here in Wichita?

The recent cyberattacks in Wichita have shown that no business is too small, too local, or too “anything” to be immune from sophisticated threats. Cyberattacks are opportunistic, preying on organizations that have data and potential vulnerabilities. The key takeaway is that businesses need to be more proactive, regularly assessing and updating their security practices.

Businesses are part of a much more extensive network of digital data, and a breach in one company can have cascading effects across entire supply chains, industries, and our community. Every company needs to perform full risk assessments, especially if there is little to no knowledge of the inner workings of their digital infrastructure. There are risk-scoping practices that you can also employ to help reduce your risk.

9. In what ways can organizations quantify the potential costs of downtime due to cyber-risk events to effectively justify their investment in robust cybersecurity measures?

Quantifying downtime involves calculating the direct costs, such as lost revenue during outages, and the indirect costs, including reputational damage, customer churn, and recovery efforts. A common approach is to evaluate the average cost of downtime per hour and multiply that by the potential hours lost due to a cyber event, including time spent on recovery, remediation, and any potential fines. High-profile attacks have shown that downtime can result in six- or seven-figure losses, which makes investing in strong cybersecurity measures a clear ROI-positive decision.

10. How does AI play into all of this? What are the critical cybersecurity considerations for businesses integrating AI into their operations? How can companies navigate the unique risks and opportunities that AI presents without sacrificing security?

AI offers incredible potential for automating security tasks, identifying threats in real-time, and improving the efficiency of cybersecurity systems. On the other hand, cybercriminals can leverage AI for deepfake scams and automated phishing attacks.

Businesses must integrate AI securely by ensuring proper oversight. The insider risk that comes with employing AI must be met with the classification of company data and scoping of that data with role-based access. For example, this process will prevent an entry-level employee from retrieving the salary data of colleagues from HR through the use of a carefully crafted AI prompt.

AI should enhance, not replace, human oversight. Regular audits of AI systems, transparency in AI decision-making processes, and robust access controls will be key to balancing the benefits and risks of AI without compromising security. While AI can detect anomalies at a scale and speed humans cannot, it’s the trained experts who interpret and respond to these insights effectively.

We Help Keep Your Business Safe.

Whether you’re looking to develop a cybersecurity strategy from scratch or improve your current defenses, our team is here to help.

If you have questions about cybersecurity or want to assess your business’s security posture, please reach out to us. Our cybersecurity risk assessments are designed to identify vulnerabilities and create a tailored plan to help protect your organization from future threats.

Let’s work together to build a safer, more secure future for your business.