As part of our “‘Not If, But When’ Means Right Now” series, we highlight the importance of assigning greater urgency to projects that mitigate cybersecurity risk before consequences are realized. In this post, Daniel West discusses the reasons small to medium-sized enterprises experience difficulty initiating projects before a breach, the change in priority that an incident brings about, and demands that SMEs challenge the status quo by doing something about their cybersecurity.
“We’ve got to start making [product] again,” the CEO said. His operation had been hindered by ransomware, which prevented his company from making the products it brought to market. Not long after responding to the incident, I was sitting down to lunch with that same CEO to talk about improving security moving forward. I asked him, “Would you have taken my call three weeks before the breach?” His answer was simple, direct, and unsurprising – “No.”
This is the norm when talking with leaders in most small to medium-sized enterprises, and is representative of how business priorities change with circumstances. Until you have an incident, you don’t have evidence that you aren’t secure. It is easier to think you are protected in your current state than to go looking for another problem to solve. You’ve invested money into prevention technologies already, shouldn’t that be enough? Unfortunately, unless you can confidently say that your organization has no gaps in its cybersecurity people, process, and technology, there is still work to be done.
The Status Quo
In today’s market, “doing nothing” about cybersecurity is the status quo before organizations reach a certain size. This choice represents some of the biggest competition that cybersecurity companies face. Unfortunately, unless there is an incident, it is unlikely for companies to take proactive actions to challenge the status quo and make the necessary investments to mitigate their risk. By 2021, cybercrime will cost the world in excess of $6 trillion annually [1]. If the status quo remains unchallenged, your business faces risks that are important to keep in mind: reputation damage, system downtime, regulatory fines, loss of revenue – any of these can affect the bottom line.
To challenge the status quo, cybersecurity needs to be a Board/C-level initiative with all key parties involved (Leadership, IT, Operations, Finance, along with Risk, Compliance and Legal if you have them) from the top down. With priority from leadership, everybody participating, and visibility into the problem, it’ll be easier to push for change to ensure that there are no gaps in your cybersecurity people, processes, and technology. One way of doing this is sitting down before a breach happens and asking yourself these questions to understand your current cybersecurity prevention posture:
- Can we be breached? Would we know if we were? How?
- What attacks are we still vulnerable to?
- If our staff clicked through on a ransomware infection, how would we react? What would the consequences be?
- Given these risks, what is the most affordable way to solve the problem?
Asking these questions will enable companies to make informed decisions about mitigating the risk of a cyber-attack. You can also conduct drills to see whether your answers align with the outcomes of a simulated cybersecurity incident, or engage a company like IntelliGO to help you identify the gaps. Whatever step you choose to begin with, the important thing is to do something. SMEs need to start taking proactive measures to improve, or the cost of “doing nothing” will continually increase. The longer you wait, the more costly the project becomes, and the greater the consequences if you are breached.
Consequences Have a Cost
The rising cost of doing nothing is reflected in studies that quantify the cost of a breach, which keeps going up. Ponemon Institute’s research stated that in 2018, survey respondents spent an average of $1.43 million because of the damage or theft of IT assets. They also pegged the average cost of a breach at $3.5 million – an increase of 6.4% over the previous year. Do not wait to be a company that makes a reactionary change in a bad situation; be the company that is proactive and addresses the challenges and risks head-on.
If you are ready to do something about your security, IntelliGO can help you take proactive measures to challenge the status quo, ensuring that when an incident happens, your company is prepared. Start with the steps recommended above, and consider the business case in a new light having seen the cost of doing nothing.
[1] CSO Online, Cybersecurity Business Report, August 22, 2016