The costs and consequences of a data breach or cybersecurity incident have never been more severe. According to the FBI’s recently released Internet Crime Report 2020, cybercrime resulted in $4 billion in losses last year, a low estimate that still encapsulates the incredible value lost to threat actors. For small businesses, the costs can be catastrophic. As Vox reports, 60% of small businesses will close after a data breach, underscoring the high-stakes bottom-line nature of cybersecurity.
Fortunately, business leaders are taking notice and are beginning to make cybersecurity an organizational priority. A recent survey on C-suite cybersecurity trends found that nearly 20% of CEOs consider cybersecurity risks to be the most prominent threats facing their organization for the next three years. Similarly, 75% of business leaders see cybersecurity as a top priority as they recover from the recent pandemic.
However, there is a meaningful difference between acknowledging a problem and taking action to repair it. Too few businesses are taking cybersecurity seriously when it comes to implementing an adequate defensive posture. A report by the UK’s National Cyber Security Centre (NCSC) discovered that many boardrooms fail to actively prioritize cybersecurity until after a cybersecurity incident occurs. As the agency’s CEO, Lindy Cameron, notes, “Cybersecurity is still not taken as seriously as it should be, and simply is not embedded into the UK’s boardroom thinking.” This is true for companies around the world.
Given this hazardous cybersecurity environment, where should SMBs invest their time and money to address it most effectively? For many organizations, the next steps include pursuing workflows and solutions that identify risks, defend data and evolve alongside emerging threats.
Today’s threat landscape is expansive and frightening. However, while shady bad actors from distant parts of the globe target businesses with phishing scams, ransomware and other cyber attacks that threaten operational continuity, data privacy and financial viability, the most prominent and controllable risks are much closer to home.
A company’s own employees represent a significant cybersecurity threat, as employee negligence and human error play a critical role in many data breaches and cybersecurity incidents. Unwitting employees often aid malicious external actors, with a profound impact on the company’s defensive posture, including:
- Malware delivery. Ninety-four percent of malware is transmitted through email.
- Network access. Eighty percent of reported security incidents began with a successful phishing scam.
- Cybersecurity preparedness. Sixty percent of data breaches exploited vulnerabilities with existing patches.
Meanwhile, accidental data transfers, poor password management and other employee-level factors make companies more vulnerable to cybersecurity incidents. Therefore, IT leaders need insights into their organization’s digital ecosystem to identify potential risks and develop adequate solutions.
In other words, data and insight-driven identification and detection strategies are the first steps toward understanding the controllable threat landscape and preventing a cybersecurity incident.
Of course, companies don’t just want to identify risk. They want to prevent relevant threats and secure their IT infrastructure. To achieve this, boardrooms, C-suite executives and cybersecurity teams will need to focus on the most potent risks — from insider threats to misconfigured databases — to enhance their defensive posture to meet the moment.
This should begin by addressing your in-house vulnerabilities. With so many data breaches caused, in part, by employees, companies can defend data by enhancing their educational and oversight protocols.
For instance, employee monitoring that harnesses user behavior analytics can empower companies to identify employees who might be vulnerable to a phishing scam, allowing leaders to direct teaching and training to mitigate the risk. (Full disclosure: Employee monitoring is among my company’s key provisions.) Similarly, cybersecurity software that restricts data access, movement and manipulation can ensure that data is available on a need-to-know basis, reducing opportunities for negligence or accidents to undermine data security.
Notably, busy teams can harness the power of automation to streamline these defensive efforts, automatically identifying potential risks and taking steps to reduce their potency in real time.
Ongoing data protection and cybersecurity require continued attention and vigilance. As threat patterns continue to evolve, companies need to update their defensive efforts accordingly. For example, more than half of legal and compliance leaders recently identified third-party vendors during the pandemic as a significant new cybersecurity threat. In response, companies can incorporate third-party vendors into their cybersecurity strategy to address an emerging threat before it becomes an imminent problem.
To be successful, leaders will need to evaluate ongoing internal behavior and emerging external trends to develop dynamic best practices that keep data secure.
It’s clear that, too often, companies fail to adequately invest in cybersecurity until it’s too late. Fortunately, recognizing and responding to this priority doesn’t necessarily mean significantly expanding the company’s cybersecurity budget or implementing exhaustive oversight procedures.
Rather, by focusing in-house on practical, achievable changes, companies can make meaningful improvements to their defensive posture and make cybersecurity an organizational priority, empowering them to operate with confidence in a troubling digital landscape.
Originally published in Forbes