Why Being Proactive Is The Best Cyber Defense
Just as the world seems to finally be recovering and re-opening, a cyber pandemic is looming large on the horizon. Bad actors continue an unrelenting cyber assault that the pandemic did nothing to diminish. In fact, cybercrime has been on the rise. Open-source software supply chain attacks have surged by 430% in the past year, cyberattacks on healthcare organizations have risen by 45% since November 2020, and credential theft accounts for about 56% of attacks organizations experience. Companies like Colonial Pipeline, SolarWinds, and Experian keep showing up in the headlines because organizations still refuse to read the writing that has been on the proverbial wall for over a decade.
There are myriad excuses companies use to avoid acknowledging the 500-pound gorilla in the room, but when it sits on them, the damage is done. You’d think that corporations would take their cybersecurity as seriously as their profit margins. Let’s look at five of the most common yet dangerous beliefs that stop companies from taking a proactive approach to cyber defense, and then debunk them.
Belief #1: It Can’t Happen to Me
No one ever expects to be the victim of a cyberattack. It’s natural to assume that with so many richer or easier targets there’s no way you’d be chosen. That logical fallacy is what makes this belief so pervasive. It’s big news when a mega corporation has a major data breach, but there are hundreds, even thousands, of breaches that occur each year. Believing that bad actors only target companies because they have brand recognition or billions in revenue is short-sighted.
It’s very easy to assume that just because you “haven’t been” attacked you are safe. Companies are often attacked and don’t discover the attack for 197 days on average. It’s perilous for organizations to buy into a false sense of security, assuming that if it hasn’t happened yet, it won’t.
Fact: You are a Target
Every organization — large or small, for-profit or non-profit, public or private — is always a target. Research shows that 94% of organizations have experienced a data breach of some kind, and 79% of those were in the last two years. Attackers aren’t only after big business: 43% of breach victims were small and medium businesses. Also, keep in mind that 75% of companies infected with ransomware were running up-to-date endpoint protection. It doesn’t matter what industry you are in, what size you are, or what level of brand recognition you have. If you store or process data, then you are a target.
Belief #2: Clean it Up and Move On
Another reason companies don’t take their security posture seriously is that they see a security incident like graffiti painted on a company wall. They assume that if an attack occurs, they’ll just clean it up and move on. The problem is that cyberattacks, especially successful ones, are more like an oil spill in the ocean. They become huge fast, they spread quickly, they are hard to contain, and even after you’ve cleaned up there are long-term effects on your IT ecosystem and company brand. What contributes to this belief is a lack of understanding of the lifecycle of a security incident. Many think that a cyberattack requires little more than isolating the problem, fixing it, and moving forward. Even for ransomware, it’s easy to assume that simply paying the ransom or restoring from backup will be sufficient to fix the problem. This is almost never the case.
Fact: There is no Fix It and Forget It
The actual lifecycle for incident response requires initial detection and analysis, then containment and isolation, followed by post-incident steps to review what was done and make sure it doesn’t happen again. Each of these steps takes time from different individuals and groups to coordinate and implement. This reduces their productivity and distracts them from the normal tasks and projects they could be working on.
The final step in this process, the one that brings everything full circle, is preparation: hardening the infrastructure against future attacks. Time invested in this step pays off by reducing the time that must be spent on the other steps, and by reducing the impact and scope of future incidents.
Customers no longer ignore security incidents and data disclosures. Research has shown that organizations can lose almost 60% of their customers after a data disclosure becomes known. So instead of covering up an incident and hoping it goes away, businesses need to be open with their customers. Share what happened, why it occurred, and how your business is going to do a better job of preventing it in the future. It may be a small black eye for now, but it will pay off in better customer sentiment.
Belief #3: Cybersecurity Cost Exceeds Benefits
The cost of keeping a cybersecurity program up to date with the latest and greatest applications and technology is staggering. These tools come with yearly maintenance charges as well as periodic upgrade costs and additional hardware to run it all. It is easy to believe that there is no way this type of expense can even remotely be offset by preventing an incident.
Fact: Costs for an Attack Are Significant
Research has shown that cybersecurity efforts can result in direct savings of over $1.4 million per attack. The same research showed that savings can be up to 82% of the costs associated with managing the entire cybersecurity lifecycle. This amount is only the direct savings in security; it does not even cover the potential damage to reputation or from stolen intellectual property.
Belief #4: We Can’t Find Experienced Cybersecurity People
Yes, there is a well-known and heavily documented shortage of cybersecurity professionals. A critical need for information security professionals has existed for years, and demand has only increased. According to (ISC)2, 64% of businesses face an infosec skills shortage, with a current shortfall of 3.12 million workers, so the struggle to staff security teams with enough skilled professionals is a legitimate concern. Many businesses believe that appropriate staffing is out of their hands, and so their cybersecurity programs struggle. Waiting until the shortage goes away is not an option.
Fact: You Can Grow the Resources you Have
A shortage of seasoned cybersecurity employees is no excuse not to invest in your cybersecurity program. If anything, it underscores the importance of investing in your people. Aspiring security professionals have been in a Catch-22: to get a security role, you need to have experience, but you need to work in a security role to get the experience.
There are ways to break this vicious cycle. First, organizations must allow technical individuals with basic security knowledge to grow their skills while in their current non-security roles — systems administration, programming, networking — by taking on minor security duties.
Mentorship is another crucial piece of the solution. Hire promising individuals who may not have all the experience you are looking for into lower-level security positions. Then pair them with a skilled, experienced team member for mentoring and professional development. This is a win/win for everyone. People with foundational security knowledge and technical skill often need time and guidance to grow into highly skilled security professionals.
Another key is to look in unexpected places. Reach out to tech organizations that champion diversity, consider posting a job on #BlackTechTwitter, tag the Black Cybersecurity Association in LinkedIn, or contact a Women in Technology organization. There are amazing people out there with a passion for security; they simply need the opportunity.
Belief #5: Nobody Has to Know
The old question of “If a tree falls in the forest and nobody is around to hear it, does it make a sound?” plays out in security as well. Some businesses believe that if an incident occurs and nobody knows about it, it never really happened. (ISC)2 research shows that 62% of infosec professionals disclosed that their organizations failed to report cybercrime even when mandated by law.
Fact: They Will Know
Believing that nobody will ever find out about a cybersecurity incident in the age of rampant social media and open reporting platforms is unrealistic. For publicly traded companies, Sarbanes-Oxley (SOX) has specific protections for those who disclose fraud and security abuses. Employees can safely disclose breaches and incidents, especially those caused by organizational negligence, with virtually no fear of repercussions and, in many cases, with protected anonymity. Even if you manage to keep the breach out of the media, current government mandates are already forcing software vendors to disclose breaches. It’s a safe bet that mandatory disclosure of any security incident a company experiences isn’t far behind.
Human beings are masters at self-justification, and corporations, at the end of the day, are still a collection of human beings. While there are many more excuses companies make for not taking cybersecurity seriously, the fact is that cybercrime is on the rise and there is no excuse for not being prepared. Companies can ignore that fact, but the funny thing about facts is that they are true regardless of what you choose to believe.