While most enterprises have accepted that a security incident is a question of “when,” not “if,” many are still struggling to translate that into the right security architecture and mindset. FireEye’s Cyber Trendscape 2020 report found that a majority (51%) of organizations do not believe they are ready for, or would respond well to, a cyberattack or data breach.
Under an increasingly evolving threat landscape, old security paradigms are predicted to force many victimized companies out of business. Will you be one of them?
If you are guilty of any of these common mistakes, your cybersecurity may be doomed to fail in the year ahead:
1. You think your business is too small to be a target
Verizon’s 2019 Data Breach Investigations Report found that 43% of the breaches it analyzed involved small businesses as victims. According to insurance carrier Hiscox, roughly half of all small businesses suffered an attack within the last year, and 4 in 10 experienced multiple incidents. Further, the US National Cyber Security Alliance reports an estimated 60% of small companies go out of business within six months of a cyberattack, illustrating the real-world consequences of inadequate security.
Businesses of all sizes need to make security a top priority in 2020. While many small business owners believe they can’t afford to keep their companies safe, the cost of a breach can be significant: IBM’s 2019 Cost of a Data Breach study puts the average loss for companies with fewer than 500 employees at more than $2.5 million.
It’s better to start spending a portion of that money on proactive security measures. Just remember, doubling your security budget doesn’t double your security. It’s not a one-for-one trade-off when it comes to cybersecurity investments.
Smartly allocate your security budget by focusing on the end goals—whether that be protecting client data, safeguarding intellectual property or avoiding network outages. This will help you prioritize your investments and make the appropriate business compromises between security, usability and cost.
2. You’re unable to defend against zero-day, multi-vector or polymorphic attacks
Since the 1980s, cyberattacks have evolved in generations, each forcing a change in how digital assets are protected. First-generation attacks were file-infecting viruses, and they were largely contained with anti-virus software.
In the 90s, attackers targeted networks directly, making firewalls an essential defense. The 2000s brought mass use of web and business applications, and with it the exploitation of application vulnerabilities, which made intrusion prevention systems (IPS) popular. Around 2010, attacks increasingly paired zero-day exploits with polymorphic payloads that change their signature on every infection, so signature-based defenses no longer caught them; sandboxing and behavioral analysis tools were the response.
Currently, we’re witnessing the proliferation of large-scale, multi-vector attacks like WannaCry and NotPetya, which spread as self-propagating worms and hit networks, cloud workloads and endpoints at the same time. This makes defense much more complicated. By some estimates, only about 3% of organizations are prepared to defend themselves against zero-day, multi-vector or polymorphic attacks.
But cybersecurity is not something that you can set once and forget. Cybercriminals keep gaining ground because they are financially incentivized and willing to innovate. As we enter 2020, expect to see even more sophisticated attacks, capable of causing more damage, while being much harder to defend against.
In response, you need to ramp up your defenses with multiple layers of modern cybersecurity. There are potentially game-changing products in development, like autonomous security services and blockchain-based data breach protection, that deserve consideration as attack vectors evolve and these new technologies prove themselves enterprise ready.
3. You’re drowning in data
Hunting for signs of an attacker on your network can be like searching for a needle in a haystack: IBM’s 2019 study puts the mean time to identify a breach at 206 days, roughly seven months. Obviously, you need data to find an attacker. But many companies go overboard, trying to capture everything at enormous infrastructure and workforce cost, and then find they can’t effectively analyze or operationalize that data in a crunch.
More than ever, your security team needs the right tools to detect and investigate critical threats. That means security software with hunting and diagnostic capabilities and heuristics that look for patterns across events, not just individual alerts. Newer adaptive tools that use machine learning can help you find an attacker faster, automatically contain an intrusion or data exfiltration and feed what was learned back into prevention.
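The following is an added example, not code from the original article, of the kind of pattern-based heuristic the paragraph above refers to: rather than hoarding every field of every log line, it keeps four fields per event and looks for one pattern an analyst actually cares about, a burst of failed logins from one source followed by a successful login. The sshd-style log lines, addresses and thresholds are all constructed for illustration.

```python
"""Brute-force-then-success detector over constructed sshd auth log lines.

Demonstrates a sliding-window heuristic: a source address that fails to log in
at least `threshold` times within `window` and then succeeds is flagged.
All sample data below is constructed; it is not from any real system.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog-style lines (documentation/test address ranges only).
SAMPLE_LOG = """\
2020-01-14T09:00:01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
2020-01-14T09:00:03 sshd[2201]: Failed password for root from 203.0.113.7 port 51023 ssh2
2020-01-14T09:00:04 sshd[2201]: Failed password for root from 203.0.113.7 port 51024 ssh2
2020-01-14T09:00:06 sshd[2201]: Failed password for root from 203.0.113.7 port 51025 ssh2
2020-01-14T09:00:07 sshd[2201]: Failed password for root from 203.0.113.7 port 51026 ssh2
2020-01-14T09:00:09 sshd[2201]: Accepted password for root from 203.0.113.7 port 51027 ssh2
2020-01-14T09:05:00 sshd[2310]: Failed password for alice from 198.51.100.4 port 40001 ssh2
2020-01-14T09:30:00 sshd[2310]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
2020-01-14T09:31:00 sshd[2310]: Received disconnect from 198.51.100.4 port 40002:11: disconnected by user
"""

# Only the fields the heuristic needs: timestamp, outcome, user, source address.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_events(log_text):
    """Yield (timestamp, outcome, user, source_ip) for auth lines; skip everything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # disconnects, banners, etc. are noise for this heuristic
            continue
        yield (
            datetime.fromisoformat(m.group("ts")),
            m.group("outcome"),
            m.group("user"),
            m.group("src"),
        )


def detect_bruteforce_success(log_text, window=timedelta(seconds=60), threshold=4):
    """Return one alert per source whose successful login followed >= threshold
    failures inside `window`. Assumes log lines arrive in time order."""
    recent_failures = defaultdict(deque)  # source_ip -> failure timestamps in window
    alerts = []
    for ts, outcome, user, src in parse_events(log_text):
        failures = recent_failures[src]
        # Evict failures that have aged out of the window.
        while failures and ts - failures[0] > window:
            failures.popleft()
        if outcome == "Failed":
            failures.append(ts)
        elif len(failures) >= threshold:
            alerts.append({
                "source": src,
                "user": user,
                "failures_in_window": len(failures),
                "time": ts.isoformat(),
            })
            failures.clear()  # one alert per burst, not one per later success
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce_success(SAMPLE_LOG):
        print("ALERT brute-force success:", alert)
```

Running the block flags 203.0.113.7 (five failures in eight seconds, then a successful root login) and ignores alice, whose single failure is 25 minutes old by the time she authenticates with a key. The window and threshold are the tuning knobs a team would set from its own baseline; the point is that a few well-chosen fields and one explicit pattern give an actionable alert that a terabyte of raw logs does not.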
4. You don’t have an incident response plan
Incident response plans provide a set of instructions that help IT staff detect, respond to and recover from network security incidents. IBM found that companies with an incident response team that also extensively tested their incident response plan experienced $1.23 million less in data breach costs on average than those that had neither measure in place.
Your incident response plan should address issues like cybercrime, data loss and service outages that can threaten to disrupt daily business operations at a high cost to the business. If you don’t have an incident response plan, it’s time to develop one.
SANS Institute’s Incident Handler’s Handbook is a good place to start. It walks through the six phases your incident response team should follow: preparation, identification, containment, eradication, recovery and lessons learned.
5. You aren’t taking third-party risk seriously
The weak link in your enterprise security may actually be your partners and suppliers. Supply chain attacks, also called value-chain or third-party attacks, occur when an attacker reaches your systems through an outside entity that has legitimate access to your network or data.
IBM’s 2019 study found that breaches involving a third party cost companies $370,000 more than average. According to Ponemon, 56 percent of organizations have had a breach caused by one of their vendors. Meanwhile, the average number of third parties with access to sensitive information keeps growing.
In response, regulators are increasingly looking at third-party risk. New York State’s financial regulator now requires financial firms with a presence in New York to ensure that their suppliers’ cybersecurity protections are up to par. In Europe, the GDPR, in force since May 2018, applies to any company that processes personal data of people in the EU, holds controllers responsible for the processors they use, and carries fines of up to 4 percent of annual global turnover (or €20 million, whichever is higher) for non-compliance.
To protect your company and avoid any penalties, you will need to closely vet the security of the companies you do business with in 2020, align your security standards and actively monitor third-party access.
6. Security is not a boardroom imperative
The size of fines assessed for data breaches in 2019 suggests that regulators are getting more serious about punishing organizations that don’t properly protect consumer data. In the UK, the ICO announced its intention to fine British Airways a record £183 million (about $230 million), while in the US Equifax agreed to pay at least $575 million for its 2017 breach.
With the industry calling for an Americanized version of Europe’s GDPR, businesses should be prepared for the pace and amount of fines to increase in 2020. With the cost of fines rising, security will be forced from a business afterthought to a mainstream issue.
If your board hasn’t already taken notice of the evolving cybersecurity and regulatory landscape, they should. According to research by Infosys Knowledge Institute (IKI), nearly half (48%) of corporate boards and 63% of business leaders are actively involved in cybersecurity strategy discussions.
In response, the CISO role must evolve from the squeaky wheel to a strategic advisor. Security leaders must be ready, willing and able to assemble and execute a sound security strategy that includes the right talent, services and technologies to defend against today’s sophisticated threat environment.
7. Your employees aren’t held accountable for cybersecurity
Human error remains one of the greatest threats to your organization’s well-being. With only 3 in 10 employees currently receiving annual cybersecurity training, it’s all too easy for con artists and email scammers to get around even the most cutting-edge technical safeguards.
By one widely cited estimate, 91 percent of breaches start with a phishing email. While email security tools provide a first line of defense, the best way to prevent a phishing breach is to treat cybersecurity as a workplace culture issue rather than an IT issue.
For this kind of initiative to succeed, you must not only weave good security habits into the fabric of your organization, but also hold employees accountable and responsible for corporate security. Formal training programs can teach employees how to protect themselves and the company against attacks, but changing the attitudes and habits of your workforce is harder. For that you will need to apply change management models deliberately to build an all-inclusive security culture.
Attackers are getting smarter, attacks are occurring faster and incidents are becoming more complex. It’s now guaranteed that virtually every modern organization’s high-tech perimeters will eventually be breached. If you are still haphazardly or reactively approaching security with disconnected point tools, manual processes and inadequate staffing, be prepared to spend most of 2020 fighting cybersecurity fires.
As we move into an era of increasing connectivity, cybersecurity is a business-critical, extremely dynamic, massively scalable and highly specialized discipline. In 2020, you must be prepared to embrace AI and autonomous services, implement real-time cybersecurity tools and encourage every person on staff to play a role in combating online threats.
As cybercriminals become more innovative, make sure your executive team is aware of the full financial and operational impact that a data breach can have—and be ready to present a clear cut strategy on how to manage the risk using a multi-faceted approach to cybersecurity that leverages a robust set of adaptive security measures.
Your strategy should include a range of measures—with security software, vulnerability management and employee training topping the list of ways your organization can increase its resilience against cyberattacks in the year and years ahead.