An increasing number of companies worldwide have come to realize that cybersecurity is an important factor in the running of a successful business. Cybersecurity Ventures expects global cybercrime costs to grow by 15 percent per year over the next five years, reaching $10.5 annually by 2025, up from $3 trillion in 2015. As a result of this knowledge, companies have scaled up their investments in defending against cyber attacks. A Canalys forecast predicts cybersecurity investments will increase 10 percent worldwide in the best-case scenario in 2021.
However, many of these investments do not gain traction. According to the recent Accenture’s study, there’s been a larger drop of 27 percent in the number of security breaches which indicates the basics seem to be improving. But still, on average organizations face 22 security breaches per year. Research shows that, in many cases, a company itself is making cybercrimes possible. With this in mind, a reasonable question for companies to ask is: what are the mistakes that organizations make when setting up their cybersecurity system and how can they avoid them to be protected from cyber-attacks?
Focusing on the technical aspects only
One of the most common and critical mistakes companies make is focusing solely on the technical aspect of cybersecurity. For example, a company spends thousands of dollars on network perimeter security, investing in the best firewalls, intrusion detection systems, web application firewalls, and so forth. After such a large investment, that company would expect to see results. However, instead, a security breach happens. Why? Because the company has neglected to provide proper training to its employees.
Cybersecurity is a holistic system: a separate solution will not help that much, instead, companies need to apply a set of measures. One such measure is training employees, making them aware of what security is and how it works. Keep in mind that “a chain is only as strong as its weakest link,” if that weakest link in the company’s people, then it’s likely the breach will be due to their lack of preparation.
Not knowing your enemies
An important detail many companies forget to consider is who their potential attackers might be, where they come from, and what consequences the breaches may have on their business. Imagine that you use an internal system to store all of your sensitive data and that this data is not accessible from the outside, as it has solid protection in place from any external breaches.
Even with strong security in place, some good questions to ask are: Where might any attackers come from? Are they internal or external attacks? What happens if there are data leaks? How much will it cost to fix any issues? How much of a loss will there be from potential opportunities? Knowing the answers to these kinds of questions, and approaching security with them in mind, a company will be able to build a wall that will be hard to break.
Another common mistake is building a security system just to be compliant with some standards. Being compliant won’t keep your company safe from attacks. What companies should do is evaluate their risks: some breaches can cost a fortune and a reputation, while others may not affect their business much.
There is no bulletproof protection plan, there can be thousands of different risks, but there is no need to try to eliminate everyone. Instead of trying to cope with all risks, what can help is a better understanding of the matter, companies should know what they are protecting, evaluate how this protection measure will help overall, and if the protection is worth the cost or not.
Unpreparedness for attacks from trusted circles
A good concept to follow is to always “assume breach”. Given today’s threat landscape, a company should acknowledge that a breach has either already occurred, or that it’s only a matter of time until it does. “Assume breach” is a mindset that limits the trust and assumes both internal and external tools, applications, services, and people are not secure and probably already compromised. It’s a very useful approach.
What many people do not realize is that no company can consider itself to be completely secure. There is no such company that cannot be hacked, and no security plan can guarantee safety from every attack. Moreover, with technology continuing to advance, new opportunities for cybercrime appear every day.
Choosing a wrong tech partner
Many companies realize that cybersecurity is a complex issue. In order to implement it correctly, they need to find a security organization capable of success. However, when choosing a partner, companies often make the mistake of assuming that cybersecurity solutions are comprehensive and suit any business. In fact, the threats that advertising companies may be exposed to differ from those in, say, aviation, or e-commerce, telecommunications, healthcare, or construction. If your cybersecurity partner doesn’t have experience in your particular industry, then there is a greater chance that their solutions won’t meet your expectations and won`t be efficient in preventing breaches.
Try to find the right partner that provides comprehensive security services. The partner that will advise on security strategy, create the most suitable solution that meets your specific security requirements, run audits, and carry out incident responses.
It is important that your partner is not focusing on the bulletproof approach. Instead, it should focus on making attacks unprofitable by continuously running assessments, pentests, red team exercises, as well as, applying the “assume breach” approach, developing incident response (IR) playbooks, and conducting training, both on security and on GDPR.
Remember that your tech partner should have expertise in a vast array of markets, and, as such, advise on the most suitable solution for your unique company.
Alexey Stoletny, Managing Director, Sigma Software