Pivoting Cybersecurity: Going on the Offensive


It has been about 5 years since WannaCry and NotPetya hit companies worldwide in full force, launching a new era of cybercrime. Now there is a new report of a ransomware attack weekly. Although this may seem scary, we know more now than we ever have. With each attack, we can see, and ultimately learn from, which vulnerabilities were exploited. We cannot prevent the inevitable, but we can prepare and minimize the effects. There is a famous quote by author Zig Ziglar: "Success occurs when opportunity meets preparation." While a ransomware attack is not an opportunity to look forward to, it is important to be prepared.


How being unprepared cost organizations 

Eight years ago, one of the most infamous hacks on a large retailer took place. In the end, it changed the way we use our credit cards at the point of sale, costing this particular retail giant $202 million [2], and multiple senior-level executives, including the CEO and CIO, were terminated [3]. The chain of events is clear: leadership did not prioritize cybersecurity strategy, the organization suffered a serious security incident, the incident became public and affected the company's reputation and performance, leadership was held accountable, and the organization was stuck with enormous financial responsibilities.

As risks continue to increase, Gartner® took a deeper look into the challenges plaguing organizations in properly addressing their cybersecurity needs [5]:


Societal perception of cybersecurity is that it is a technical problem, best handled by technical people.

The most common types of attacks include Business Email Compromise, Account Compromise, Phishing (specifically Whaling and Spear Phishing), and Web Application viruses. What does this mean? Essentially, cybersecurity is everyone's problem. Threat actors know that the best way to infiltrate an organization is through its people. But instead of cowering away in fear and staying disconnected from the realities of cyber threats, we must begin to understand our role in them. No amount of technology takes away the human factor that is inherent in cybersecurity.

Cyber threats have continued to gain notoriety over the last decade. We are at a turning point of understanding: we can acknowledge the threat and tackle it head on. Bringing people together through education, testing and training can position your organization at the forefront of the societal perception shift. The challenge that many organizations are tackling is to move from being an easy target to being a prepared opponent.


Organizations are focused on the wrong questions about cybersecurity.

Society is recognizing the risks, and organizations are starting to realize that they need to review their cybersecurity posture.

There is no minimum spend that will guarantee safety, nor is there a set amount of tools, compliance or regulation that will ensure an attack-free zone. Yet questions around these topics are the top inquiries organizations have. Instead of taking a holistic approach and incorporating cybersecurity into their business strategy, organizations are looking for shortcuts to check the box. They are equipped with the false sense of security that comes with a minimum investment and compliance. Asking questions that equate to "How can I get by with the least amount of spend and get regulators off my back?" or "What is the least amount of training I can give my team to ensure compliance?" means it is only a matter of time before you are facing the questions "Do we pay the ransom?" and "Will we ever get our data back?"

The good news is that it does not need to be this way. By having a plan and running through 'what-if' scenarios, organizations can prepare themselves for different situations. Just as a football coach watches game film to prepare his team for the different types of plays the opposing team may run, organizations should prepare their employees not only to respond, but to have their own 'plays' ready to scout out risk and address shortcomings and vulnerabilities before they become a larger problem.


Current investments and approaches designed to address known limitations are not productive and fall short.

Cybersecurity is complex. Organizations are struggling to hire and retain talent not only to manage day-to-day operations, but to fully understand and recommend strategic approaches to cybersecurity. They are trying easy fixes or focusing on one piece of the entire cybersecurity puzzle, and this results in less than adequate investment strategies. Without the right resources and a thorough plan that covers both prevention and emergency 'what-if' scenarios, it is impossible for organizations to be truly protected.

Plus, one of the biggest issues organizations face is talent attrition, and when you lose talented people in this job market, it is hard to fill roles. Cybersecurity teams are in a constant state of reacting, and they are getting burned out as a result. When organizations pivot their strategy toward better planning and prevention, they can break the cycle of stress and unreasonable response times. It is also important to know when to bring in outside expertise. MSPs are a great resource for overworked and overburdened staff that need 24x7x365 coverage but are drowning in reactive approaches.


Pivoting cybersecurity to be a business accelerator 

Offensive cybersecurity has taken a back-burner position for far too long. This has resulted in huge financial and data losses across virtually every industry and organizations of every size. After the pipeline breach in the spring of 2021 that left much of the East Coast without access to gasoline, there was a shift in consumer trust. The average individual now understands the value of their data and will weigh trust in data protection as heavily as cost in their buying decisions. Where cybersecurity investments were once seen as a hindrance to the bottom line, neglecting to prioritize a solid cybersecurity strategy will now hurt businesses from many angles: a lack of consumer trust leading to a lower propensity to buy, along with an inevitable breach leading to huge financial losses. A cybersecurity strategy is not a safety net; it is a leading value add that will drive your business forward.

To take action, here is a great resource from Gartner available for complimentary download: "Cybersecurity Must Be Treated as a Business Decision." You can also learn more about cybersecurity offense and defense.


Attribution and disclaimer:

Gartner, Cybersecurity Must Be Treated as a Business Decision, By Paul Proctor. Published 14 July 2020.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Additional sources

  1. Gartner Report
  2. https://www.nbcnews.com/business/business-news/target-settles-2013-hacked-customer-data-breach-18-5-million-n764031
  3. https://www.forbes.com/sites/ericbasu/2014/06/15/target-ceo-fired-can-you-be-fired-if-your-company-is-hacked/?sh=92bca677c9fa
  4. https://www.housingwire.com/articles/equifax-expects-to-pay-out-another-100-million-for-data-breach/
  5. Gartner Report
  6. https://www.ipohub.org/cybersecurity-laws-regulations/


Comments (1)

Good article – Dwight Patterson, City of Dallas
