Friday, January 17, 2020

C-Suite Advisory

Cybersecurity: Why an Ounce of Prevention Equals a Pound of Cure

Address these vulnerabilities now, before your company becomes the next cyberattack victim.

A 2016 Pew Research survey found that 64 percent of Americans have experienced a data breach, and only half believe the government or modern institutions will protect their data. That attitude is unfortunate but understandable, especially given how harrowing some of the 2017 cyberattacks were.

The massive breach at Equifax showed that even seemingly ironclad institutions can put millions of consumers at risk. Last spring’s WannaCry attack illustrated how devious and effective the threat of ransomware is, and Uber’s cover-up of its own data breach revealed that self-preservation is a higher priority for some companies than consumer protection. Even more concerning is that the most sophisticated attacks will never even make the news.

Not surprisingly, consumers these days are wary, especially those who have had their personal information exposed in the past. But public sentiment is only one of the many ramifications of a cybersecurity (or repeated cybersecurity) failure. From profits to public fallout, cyberattacks have always been costly, but these costs are now more consequential than ever.

Calculating the True Costs of a Cyberattack

The monetary costs of cyberattacks can be massive. Companies must contend with lost sales, regulatory penalties, legal fees, and reputation management. The total global cost of cybercrime in 2016 was estimated at $450 billion, and one specialized form of attack, CEO fraud, netted $3 billion in just 17 months’ time. In 2017, the cost of resolving the average data breach for an organization was over $3.6 million.

Those numbers are staggering, but the reality is that the “true costs” of a cyberattack extend beyond the bottom line, impacting companies in more subtle but equally significant ways.

In the immediate wake of a breach, for instance, the IT team, marketing team, and C-suite must scramble to identify the scope of the threat, recover (to whatever extent possible) the data, then manage the communications regarding the breach. The attack has already proven disruptive, but now huge numbers of internal resources must be diverted to resolve it. Operations slow down further, and lost-opportunity costs skyrocket.

Even after the attack is resolved, existing customers and future prospects will associate that brand’s image with sloppiness and unprofessionalism, an image that long outlasts the actual breach. To restore trust, companies must act quickly to upgrade their cybersecurity infrastructure. This may mean bringing in analysts and consultants, investing in new cybersecurity solutions, and possibly adding personnel to the IT team. Exacerbating the issue, the breached organization must act fast, which does not always give it the opportunity to fully analyze the threats and implement a full strategy.

The 2018 Strategy for Cybersecurity

For organizations in 2018, simply feeling secure is no longer enough. Hackers are becoming more sophisticated, going after previously unlikely targets such as intellectual property (e.g., HBO’s “Game of Thrones”) and focusing on very specific targets and data. They are also becoming more tenacious, finding ways to avoid known protections and compromise even companies that have robust security platforms.

Moreover, customers’ expectations for companies to protect their data are increasing, while regulators are realizing that cybersecurity is an issue of national security and are introducing new laws as a result. The sweeping General Data Protection Regulation being implemented right now across the EU is the most recent example.

Ultimately, every statistic and every “cost” related to cybersecurity reveal one thing: The threat of being attacked is increasing, not decreasing. If companies are going to be protected rather than appear protected in the coming year, then they must make upgrades in three key areas to create an effective cybersecurity strategy:

The weakest point
There are lots of vulnerabilities hackers can exploit, but they typically focus on the most vulnerable vector: the email inbox. Ninety-one percent of cyberattacks are initiated with a phishing email, making the inbox the single greatest threat to your organization. The first step toward combating attacks is to fortify email security via easy-to-use and comprehensive threat protection solutions that catch even the latest ransomware and malware.

The outbound paths
Hackers are generally seen as external actors infiltrating a company. But just as often, they are trying to hijack what exits the company’s systems. Controlling who is responsible for disseminating information and sending that information only to authorized users is a good start. In addition, implementing a data loss prevention solution that automatically encrypts sensitive data when it leaves your organization to protect it in transit can more fully protect you against hackers who prey on this vulnerability.

The internal actors
Employees — often inadvertently — facilitate many cyberattacks, but they can just as effectively guard you against them. Effective employee training that educates your people on how to spot threats, how to handle sensitive data safely, and how (and where) to report suspicious activity does a lot to reduce your overall risk and helps you control any breach situation should one arise.

According to a recent Forbes survey, only 5 percent of executives believe their companies are fully protected against a cyberattack, and though more than half of the survey’s respondents had been affected by an attack, fewer than half of those implemented extra protections after the fact. And if you think only multinational or large companies are at risk, you’re mistaken. Attackers focus on companies with weak defenses. Often, that’s smaller organizations that lack the robust security staff to track the dynamic threat landscape.

The question, then, isn’t “Should I step up protections across my organization?” but “What protections should I update today?” Otherwise, you may find yourself on the wrong side of the 2018 cyberattack overview.

Dena Bauckman
With more than 20 years of experience in product management and product marketing, Dena Bauckman is VP of product management at Zix.