It should be common knowledge by now that, if you ignore cybersecurity,
you are putting yourself and your company at risk. Yet, organizations are still inviting trouble by using legacy tactics and a multitude of legacy tools, coupled with insufficient planning of their cybersecurity programs.
A Sea of Cyber Blight
There is an endless sea of industry news and data that exhibits cyberthreats and all their shameful glory. The latest report by cybersecurity firm Sophos showed how 97% of organizations suffered a breach in the last year. Everything from ransomware attacks to phishing scams and data theft was included, and it’s entirely possible your company (or those you work with daily) is in that report – or the next, or the one after that.
The report on the costs of these breaches should shock even the most jaded of readers. On top of reputational damage, legal fees, business downtime, and the loss of data, the overall price tag for an average breach is just over $4 million. Ransomware attacks have an average cost of just under $2 million. Some are probably lower, and some are probably much higher, but the result is the same. It’s just plain nasty.
Stop Pretending
Pretending your company does not have valuable data as an excuse for ignoring cybersecurity is simply no longer acceptable. Virtually all businesses collect and store some form of sensitive information, whether it be customer data, financial information, or intellectual property. Furthermore, a lack of cybersecurity can also harm partners and suppliers. When just one company is breached, it can spread to others throughout the supply chain, leading to a ripple effect of financial loss and reputational damage.
A negligent business decision can start with just one intellectually dishonest act. In this way, ignoring cybersecurity is not only financially irresponsible, but also ethically wrong. Organizations and professionals who help make these organizations tick have the additional, inherent duty to protect personal customer information and employee data.
Everyone Means Everyone
Hackers do not discriminate based on company size or industry, and they will target any business with valuable data. Cybersecurity is not a luxury or afterthought anymore; it’s a basic necessity. Ignoring it or doing an incomplete job is akin to ignoring physical security measures, such as locks and alarms. Cybercriminals are constantly evolving, and so should your cybersecurity measures. Too often, the headlines expose the truth that somewhere in the chain of events, the ball was dropped – once, twice, or as many times as needed. Also too often, these incidents go undetected for days, weeks, even months before the ultimate event transpires.
Reports that approach near 100% occurrence of cyber threats are not the kind of news we want to hear in the industry. When I recently reviewed the T-Mobile attack, my intent was to help others raise shields, and protect themselves against these existential-level type of events.
Principles Over Tools
Focusing on cybersecurity principles over products and tools is critical to successfully protecting your organization. Comprehensive and proactive security principles, such as active visibility, monitoring, detection, and resolution of anomalous conditions across applications, identities, behaviors, infrastructure, cloud, endpoints, and data, should be emphasized. In many cases, services such as managed security and active response and resolution services are the best products to meet these needs. Traditional Managed Detection and Response (MDR) services should be renamed to Managed Detection and Alerting (MDA) to avoid confusion, since they are mostly alerting services. Cybersecurity awareness should focus on the real MDR which is “Resolution,” and goes beyond traditional security swim lanes to extend into deep into patching, monitoring, DevOps, and disaster recovery.
Statistics show that cyberattacks are a prevalent threat to businesses of all sizes, and the cost of ignoring them is too high. Pretending that a company does not have valuable data is dangerous, and leaves you vulnerable to attacks and future victimization. Ignoring cybersecurity response is not only financially irresponsible, but intellectually dishonest.
This article was originally published in Forbes, please follow me on LinkedIn.