The truth is that you’re going to pay for cybersecurity one way or another. So, it’s better to invest now while the cost is much lower and more predictable.
As a business owner, you have lots of projects vying for your time and money, and let’s face it, anything that’s not a revenue driver is easy to push to the bottom of the list. Unfortunately, cybersecurity too often falls into this category. Companies may tell themselves, “We already have security in place. We have a firewall; we have antivirus software; our critical applications are password-protected.” The reality is that you’re probably well aware that cyberattacks have exploded in the past 18 months, both in terms of frequency and seriousness. This year, for example, the damage costs from cybercrime are expected to reach $6 trillion, up from $3 trillion in 2015. To put this number in perspective, if it were measured as a country, cybercrime would be the world’s third-largest economy after the U.S. and China. In the past, data breaches were about data loss and the potential harm to the victim’s reputation. Today, however, we see attacks that result in significant operational delays and setbacks.
Case in Point: Ireland’s Health Service IT Systems
Earlier this year, Ireland experienced the worst cyberattack in the country’s history, leaving most of the country’s hospitals without computers for over a week. The outage wreaked havoc, forcing the mass cancellation of routine appointments, blocking access to patients’ records, limiting testing and critical treatment services, including services for cancer patients.
A report from IBM found that data breaches now cost companies $4.24 million per incident on average—the highest cost in the 17-year history of the report. In addition, breaches cost over $1 million more on average when remote work was indicated as a factor in the event, compared to those in the research group without this factor.
The problem with putting off investing in your cybersecurity —intentionally or unintentionally—and waiting until something bad happens is that paying a ransom is like plugging a hole in a dam; you will still need to fix the underlying issue or face future breaches.
Start Here: Assess Your Cybersecurity Program
Companies often put off investing in more robust cybersecurity because it can be overwhelming figuring out where to start. For example, should you research the latest endpoint security tools? Is your data backup and recovery up to par? How about employee security awareness training? All these things are good and necessary, but you need to take an organized approach to ensure your plan is comprehensive. The best place to start is building or assessing your cybersecurity program and aligning it to an industry-standard framework. A commonly used framework is the NIST Cybersecurity Framework (CSF) developed by the National Institute of Standards and Technology (NIST). It effectively balances the need to be thorough while still being approachable for organizations new to leveraging a cybersecurity framework. It describes some of its benefits as:
Building from those standards, guidelines, and practices, the Framework provides a common
taxonomy and mechanism for organizations to:
- Describe their current cybersecurity posture
- Describe their target state for cybersecurity
- Identify and prioritize opportunities for improvement within the context of a
continuous and repeatable process - Assess progress toward the target state
- Communicate among internal and external stakeholders about cybersecurity risk.
Leveraging a framework like the NIST CSF gives an organization a consistent, industry-proven approach to direct efforts toward the most impactful activities. It’s easy to constantly be reactive when managing technology and even easier to change priorities based on today’s hot topic. Establishing a cybersecurity program based on a framework helps cut through the noise and sets short- and long-term goals that yield the most significant benefit.
Many of the cybersecurity incidents we see stem from a failure to implement basic controls. It’s vital to shore up things like device inventories, user directories, system patches and vulnerability management. Leveraging a cybersecurity framework like the NIST CSF helps remind us to stay focused on the day-to-day work as well as cutting edge cybersecurity technology.
Besides the NIST CSF, there are other cybersecurity frameworks to consider, such as the CIS Critical Security Controls v8, which is more prescriptive and technology-focused, and PCI DSS, which is intended for organizations that accept credit cards. Here’s a short article that compares each one to help you determine the best fit for your organization. If you don’t have the internal resources or experience to be successful today, Presidio can help. Keep in mind that no outside company can determine how much risk you should take; it’s a decision your business stakeholders, IT, and legal department will need to decide.
The essential point worth reiterating here is that you shouldn’t neglect your cybersecurity posture any longer. Just because you haven’t been hit with a significant cybersecurity incident doesn’t mean it isn’t coming. However, having a robust cybersecurity program in place can go a long way in minimizing the damages from a threat or attack.