In today’s threat environment, we can count on the fact that there will be more spectacular breaches to come. The bad guys will always get in. It’s time to acknowledge that reality and take action.
In our experience, many organisations who are just getting started on their path to cyber resiliency have a few misconceptions when it comes to cybersecurity. These myths must be busted in order for organisations to defend themselves against the risks they face. Here are four of the most common myths that must be busted.
Myth #1: Cybersecurity is a goal to be achieved.
There is no end game when it comes to cybersecurity. It's not a destination. It’s an ongoing, evolving process.
Just because you have the right defenses in place now, chances are they won’t be enough next year… or even next month. We all know the history. Nothing is static. The cyber threat environment is dynamic and evolving. There are new vulnerabilities discovered on a daily basis. Attacks are getting more sophisticated – they’re getting more complex and flying under the radar of traditional detection technologies.
Your organisation’s environment is not static either. You introduce new network equipment, bring in new people, engage with new third-party vendors, etc., and security needs to be a consideration with every change made.
Cybersecurity has to be a managed process, where you are constantly assessing, remediating, and tracking what’s working and what’s not. Because nothing is static in this environment and you can never eliminate all risk when it comes to cybersecurity, this process needs to be repeated in perpetuity.
Myth #2: Data breaches only happen to large organisations.
With so many organisations, what are the chances that you’re going to get breached? Pretty high actually. Malicious actors are opportunistic. The more vulnerabilities you have in your environment, the higher the likelihood that those are going to be exploited. It’s really become a numbers game. If a criminal can easily exploit many small to mid-sized organisations, and make the same amount as exploiting one large organisation with less effort… why not?
Plus, the barrier to entry into cybercrime is getting lower and lower. Cybercrime-as-a-service (CaaS) has become a thriving global services economy and has changed the game for criminals around the world. CaaS providers aren’t just operating on the dark web – a good number sell services on commercial websites. In fact, many model themselves after commercial IT services providers, working with resellers, offering tiered pricing, and providing help desk support. Little technological expertise is needed to become a very successful cybercriminal.
Myth #3: Cybersecurity is about IT.
There is a tendency to associate cybersecurity primarily with technology, and there are an overwhelming number of cybersecurity technology solutions out there. But there is no silver bullet when it comes to securing your organisation. If you don’t have good processes in place – or people who can interpret the information – technology won’t do as much as you think to protect you.
When building a mature program, there is a lot of focus – and budget allocation – on technology and your control environment. In reality though, it’s the people sitting in the seats interacting with technology, following codified and defined processes that can make a difference. Any appliance or technology control can be thwarted when someone clicks on a link or opens an attachment that introduces an infection into your environment.
Myth #4: Cybersecurity is a cost center.
Not true! Consider the benefits that, while difficult to quantify, all contribute to the bottom line:
- Institutional Memory. A cybersecurity culture is built on a foundation of institutional memory, which is information that’s out of someone’s head and in a “living” document. This is the opposite of “tribal knowledge” where information about operations only resides in the grey matter of subject matter experts. Capturing institutional memory is all about documentation – active organisational documentation that defines your processes and procedures. The result is when someone leaves your organisation, the ramp time for the next person stepping in is greatly reduced – which saves you time and money.
- Business Continuity. Cyber resiliency means a cyber event doesn’t cripple your operations. You can continue servicing customers / patients effectively while at the same time responding to a cyber event. This reduces down time, loss of revenue, and loss of trust.
- Information Assurance. When you work with accurate data, you can make informed decisions.
- Employee Empowerment. Cybersecurity awareness training is essential in any cyber resilient organisation. Employees are your first line of defense against an attack. If you create cross-functional responsibility and involve employees in the decision-making process, they will be more invested and come away with a sense of ownership. This leads to higher adoption rates of cybersecurity best practices that can stop a hacker and avoid an incident.
- Competitive Advantage. Data breaches can cause reputational damage and result in loss of business. If cybersecurity is part of your organisation’s strategy and overall culture, you will build trust with clients and set yourself apart from competitors.
The reality is that cyber-attacks pose a risk to all organisations. Breaking down these misconceptions throughout your organisation can help you further your path to cyber resiliency.