Companies are spending more than ever on cybersecurity but, despite a plethora of new security systems, they continue to be vulnerable to attacks, which are not only becoming more numerous but are also taking a greater financial and business toll on organizations.
This is happening, I believe, because companies are approaching cybersecurity in the wrong way.
Even though logic suggests that the more a company spends on cybersecurity systems the better protected it will be, there is no correlation between the two. What’s more: Increased cybersecurity spending often has the unintended effect of providing a false sense of security.
To truly protect themselves, organizations need to get past the belief that the more money they spend, and the more security systems they implement, the better protected they will be. True security comes from looking at IT systems as hackers would and implementing heavy protection at the most vulnerable points of these systems – the points most attractive to infiltrators. By considering the tactics hackers are most likely to use, organizations can protect their most important assets.
For many organizations, this requires an adjustment of perspective along with a reconsideration of what “security” means to them. These steps are crucial:
1. Analyze and prioritize digital assets
The best defense starts with an analysis of an organization’s assets and the potential costs of an attack from a business perspective. For example, an attack that would take an organization off-line for several hours while a site is restored from backups (and while customers complain about a lack of access on social media) is an attack that organizations need to put a great deal of effort into preventing. Meanwhile, an attack that compromises servers containing unused or old applications is less of a worry.
If an organization has limited resources, it’s clear where those resources should be allocated. Therefore, decisions about which assets should be protected first and foremost must be based on their importance and value to the business. These are decisions that an organizations’ leaders – and not just their IT teams – need to make.
2. Think like hackers
Understanding a hacker’s psychology is essential. Hackers seek out the highest quality assets that will provide the lowest level of resistance. If they find an “obvious” misconfiguration on a server that contains customer data or intellectual property, that is the server they will attack – and likely be successful.
To prevent attacks, organizations need to put the lion’s share of their security efforts, resources and budget into protecting that server and creating more barriers to accessing it. Attacking a server with several defense layers is more work, so hackers are more likely to concentrate on an easier target. The priority for the organization must be to set up defenses for key assets, so that hackers direct their attention elsewhere.
3. Constant review and adjustment
A vulnerability of the “spend to defend” attitude is the tendency to believe that the security system that the organization has spent so much on is taking care of the problem. But threats are constantly evolving, and many existing security systems have not been tested to check if they can beat them.
Many cyber security plans do not take into account the fact that modifications should be made and changes implemented often. A good security plan needs to be constantly reviewed and updated. Most organizations plan and execute a long-term plan, and do not build-in the agility and flexibility that is needed for the updates that should be made on a continuous basis. That must change.
The details and minutiae of cyberattacks and their remedies can be eye-glazing – and given the size and reach of today’s IT systems, it’s impossible for even the most competent security teams to cover every breach target. Throwing money at the problem won’t solve it; to protect themselves, companies need to spend wisely, maximizing the efficiency of their cybersecurity investments to ensure that their key assets are as well protected as possible.