Only 38 percent of the organizations surveyed by the Information Systems Audit and Control Association (ISACA) felt they were taking substantive steps to address the problem of cyberthreats. Over half of the organizations surveyed thought they were not doing their part in the fight against cyberthreats.
Organizations know that they are not doing enough to protect themselves from cyberthreats. So why is that? Why are they not taking enough action?
“The biggest problem in cybersecurity is the lack of alignment of security with the business or with the mission of an organization. They don’t understand each other very well,” said Cybereason CISO Sam Curry when I asked him about the biggest challenge in cybersecurity today.
Currently, cybersecurity and information security as a whole aren’t widely understood, especially by those outside the field. This leads to cybersecurity being seen as an IT issue instead of a human issue.
Cybersecurity is a continuous, always-on, proactive activity—not a task or a single point in a process. As such, it calls for a holistic strategy including people, processes, and technologies that integrate security at every level instead of downstream, which is often too late. When organizations fail to look at cybersecurity from a holistic lens, their strategy often fails.
The technology implemented is very important, but the people using the technology often play an even larger role in the cybersecurity strategy. Cybersecurity policies and procedures must take into consideration possible human error.
“There are two highly credible types of attacks that are unavoidably part of the overall attack surface: human and physical exploits…Current research shows that electronic exploits constitute less than one-third of the threat,” according to the Cybersecurity Body of Knowledge.
Too often, when organizations and individuals think about cybersecurity, they think about something directly digital, electronic, or IT related—they assume the threat has to come from someone using something electronic to get around their security protocols. This mindset is what leaves large gaps in security policies. An information security policy that doesn’t consider human behavior and natural disasters cannot prevent an exploit from being carried out.
There’s also the issue that some companies don’t think preventive cybersecurity measures are a profitable investment. Because they don’t see prevention as profitable enough, they’d rather react to an incident than prevent it.
They think, “Well, I haven’t been hit yet. I haven’t had a breach yet.” So, they assume they’ll be okay, and that if they do have a breach, they’ll be able to react to it. They believe it’s more costly to put in all the preventive measures needed to properly protect themselves from a cyberthreat than to react when something happens. It’ll blow over in a few months, and someone else will be the star of the news cycle.
However, this is not a sound strategy. If we continue to normalize and ignore cybercrime, it encourages hackers and shows them that their behavior is acceptable. This is the way to commit the crime, get rich, and never get caught. They think, “Why shouldn’t I just be a cybercriminal? It makes all the sense in the world for me to do it. It’s much less likely that I’ll be caught, and it’s much less likely that anyone’s even going to care. There are far fewer physical boundaries to it than to going out and robbing a bank.”
Look at the recent Colonial Pipeline ransomware attack, for example. Colonial Pipeline ended up paying the cybercrime group an undisclosed ransom amount. The hackers asked for $5 million, but it is unknown whether they were paid the full amount.
The fact that they were paid at all, however, encourages other cybercriminals to perform similar attacks in search of a comparable payday. This is why the FBI discourages companies from paying ransoms.
It makes no sense for companies not to put these security measures in place in cyberspace. Companies do it in the physical space all the time, sometimes at extreme cost.
We put in security cameras. We put in gates. We put in locks. We do all of these things that cost money and resources because we care about securing our physical space. We can see the physical world, so we have a grasp on what’s going on, and the dangers that go along with it.
However, since we can’t “see” cyberspace, we often choose to ignore the dangers and the need for security. But shouldn’t we want more security for something we can’t visualize in the physical space?
Cyberspace and cybersecurity are just as important as our physical space and physical security because today we spend just as much time in our physical space as we do in cyberspace. So, we have to ensure we are maintaining security in both.
We can no longer claim ignorance of the threats we face in cyberspace, and I’m sure you’re thinking that you’re not tech savvy enough to protect your business. Wrong. When your business needed physical security, did you decide you weren’t strong enough to defend your building? Of course not; you called in the pros, and you should do the same thing for your cybersecurity. A cybersecurity consultant or solution can provide you with the tools you need to protect your company and your clients. You can even find cybersecurity training for your employees.
Over the next several weeks, I’m going to be sharing excerpts and stories from my book, Cyber Curiosity: A Beginner’s Guide to Cybersecurity – How to Protect Yourself in the Modern World, in this article series. Here is the link to get your copy on Amazon! The eBook is only 0.99 cents for the month of May, so get your digital copy today and start reading immediately.
If you want to take your first step to being cyberaware, please subscribe to my weekly Cyber Curiosity Newsletter to get industry news, my articles, and more.