To better protect organizations in today’s cyber landscape, a seemingly infinite number of cybersecurity best practices and recommendations have evolved into more formal industry-wide frameworks and regulations. While some organizations have found themselves ahead of the curve, new policies create an obstacle for many, especially those that were ill-prepared for digitization in the first place.

Too many companies then make the mistake of looking for a quick fix, ignoring the major pitfalls associated with a mediocre cybersecurity strategy. There are common errors these organizations tend to make while scrambling to put something together simply so they can say they have a set of policies in place.

1. Going for cheaper cybersecurity options, despite long-term implications.

There’s no doubt that CFOs play a critical role in cybersecurity programs, as data breaches can be extremely costly and jeopardize the health of the company. In turn, the CFO is often tasked with assessing cybersecurity threats, aligning cybersecurity policy with company strategy, and obtaining board approval for necessary cybersecurity investments.

The CFO’s motivation is quite different from that of the CIO or CISO: save money, optimize costs. Effective decision making, however, comes from a better understanding of the potential impact of a breach. The cheaper option may sound the most appealing up front, but a cyber attack comes with a hefty $3.86 million price tag.

If there’s one thing we can all agree on, it’s that history repeats itself. The General Data Protection Regulation (GDPR) alone, which has been dubbed the most difficult framework to date, reported $332 million in fines as of January. As frameworks become more difficult to follow, the price tag for non-compliance will be even higher.

Although the U.S. has yet to adopt a framework similar to GDPR, experts agree that it’s coming, and proper investments should be made now. Evidently, although cybersecurity does not result in direct profits, a mature cybersecurity program could protect the business from devastating attacks with long-term repercussions.

2. Leaving cybersecurity to the IT department, instead of making it an enterprise-wide initiative.

Demanding cybersecurity practices have become another burden on top of the IT department’s already stacked plate. Instead of being treated as a business issue, cyber risk often takes a back seat to other initiatives. That mistake will be costly, as global cybercrime is projected to cost businesses $11.4 million per minute by 2025.

Successful cybersecurity necessitates more than a one-time deployment of a product and a one-time introduction of security procedures. In its simplest form, it requires a risk-aware attitude with a holistic mindset: one that covers the entire business ecosystem, third parties included, continuously rather than at a single point in time.

3. Underestimating the enemy, despite the evolving sophistication of cybercriminals.

We already know the size of your organization doesn’t matter when it comes to cybersecurity. Small and medium-sized businesses make a critical error in believing they aren’t a big enough target, when in reality they are being used to infiltrate larger, more valuable organizations, as 28% of data breach victims are small organizations.

The consequences, on the other hand, are almost always dire. Regardless of whether it’s loss of earnings, regulatory fees, or even damage to your brand reputation, breach impact has evolved just as rapidly as the attacks themselves. It is not productive for any business to underestimate the enemy, nor to consider itself immune.

4. Being in reactive mode, rather than creating a proactive risk management program.

The traditional “underestimating the enemy” mindset has put organizations in reactive mode, rather than proactive. However, ransomware attacks, which grew by nearly 140% from 2019 to 2020, are a prime demonstration of how flawed this mindset is. No business is an exception, as our research team revealed 35% of all supply chain-targeted attacks involved ransomware.

Imagine what it could mean to an organization if the “ransomware” that holds the company’s data hostage halts business operations until the hacker’s demands are met. Not only does it result in hefty extortion fees, but that company would also lose production time.

To learn more about ransomware, check out the 2021 ransomware playbook.

5. Ignoring the financial risk associated with your third-party risk management program.

The old-school, classification-based risk approach does not cut it anymore. Critical elements of a good risk management program, such as ROI analyses as part of the mitigation process, get lost in classification-based systems. Using a true risk-based approach that goes beyond classification puts you on the same page as business executives.

Using terms such as “high cyber risk” or “insufficient technical scores” when evaluating a third party will likely create churn and resistance among those outside of the IT department. After all, while your focus is risk management, their focus is the business of conducting business, which boils down to profit and loss.

There’s no better way to get them on board than putting cybersecurity into a financial perspective. Those colleagues who are responsible for cost-benefit analyses will be very open to requests for support when they understand the financial implications of a cyber incident.

6. Undervaluing supply-chain risk, as third parties create more avenues for hackers.

As 2020 closed with one of the most sensational supply-chain attacks we’ve seen to date, 2021 kicked off with another. It’s safe to say that hackers have cracked the code of a successful cyberattack: weaker vendors. Yet, many organizations still do not channel enough resources towards third-party risk management programs.

Third-party involvement is one of the largest data breach amplifiers, increasing the data breach cost by $207,000. By understanding your potential risks and which vendors and suppliers leave you the most vulnerable to an attack, you can take the proper course of action to protect yourself from becoming the next headline.

7. Ignoring the human element associated with effective risk programs.

There is a common confusion between “security budgets” and “investments”. IT professionals tend to think that the more security products they buy and the more they enhance their portfolio, the safer they get. Most of the time, however, that’s not the case. Humans still play an integral role in cyber defense.

Taking the time to implement company-wide security practices reduces the risk of human error, which is responsible for nearly one in every four data breaches. Therefore, raising security awareness and investing in security training throughout the company will always pay off.

Looking for an inexpensive solution to manage the supply chain is not unheard of. However, we’ve entered a new era of cyber disruption, which must be combated with equally evolved cybersecurity measures. Start investing in your third-party risk management program today before it costs you tomorrow.