By Peter Daisyme
It’s a common misconception: Having a ton of the latest technology is the solution to all of your cybersecurity challenges (which are likely to only get worse this year and beyond). Just throw more tech at the problem, and it will–somehow–go away.
If only that were true, it would be an easy way to prevent an enormous threat to the revenues of many businesses, big and small. Cybercrime caused estimated losses ranging from $445 billion to $608 billion last year, according to a joint report from McAfee and the Center for Strategic and International Studies.
Erecting firewalls and upgrading code to ensure your tech is keeping up will help. But technology alone cannot protect you from these risks. Ryan Dodd, founder of Cyberhedge, a cyber risk assessment firm, explains, “Adding more technology is not the answer to this problem. In some cases throughout the years, the false sense of safety from a new security technology has made the situation worse.”
Instead, Dodd, who has been developing proprietary risk models as an institutional investor for more than a decade, suggests focusing on putting the right protocols and security measures in place so that your cybersecurity efforts can scale with your company.
What’s the right way to go about that? Let’s take a look at a few basic steps that will lower your cybersecurity risk.
1. Have a “red alert!” plan ready.
While you should always hope for the best, you must plan for the worst. In other words, don’t focus all of your efforts on preventing an attack–it’s likely one will occur eventually no matter what you do. Yes, invest in prevention, but also implement incident response training to be prepared to detect and handle an attack when it occurs.
Done right, that’s a multifaceted approach. IT may spring into action to contain the breach, possibly by shutting off access to networks and/or patching the affected systems–anything to block hackers from having further access to sensitive data. But it’s not just a problem for IT to deal with; effective response planning must be comprehensive and coordinated. Management also plays a critical role in the moment-to-moment unfolding of a cyberattack and its aftermath, as details are uncovered and communicated effectively to key stakeholders.
2. Educate your team.
Getting caught flat-footed is all too common following a cyberattack. That makes for bad PR and misses an opportunity to contain the damage before it becomes more severe. Yet the Ponemon Institute found that only half of the companies surveyed felt that current employee training adequately reduces noncompliant security behaviors.
Susan McReynolds, vertical strategy manager for CenturyLink, underscores the importance of pervasive cybersecurity education in the healthcare industry. “With more potentially vulnerable endpoints and an expanding attack surface, security should be wired into any healthcare organization’s DNA, rather than being siloed to a specific group or department,” she advises. Cybersecurity is every employee’s responsibility, and this is true for more than just the healthcare sector.
To avoid being surprised and unready, all of your employees should be educated about your company’s cybersecurity risk, how a cyberattack could affect your business, what processes are in place to prevent an attack, and how to handle one if it occurs. To do that, take stock of how prepared your company is now. Run internal phishing tests and work to root out existing vulnerabilities.
3. Make sure your budget invests in your efforts.
Although good organizational culture, best practices, and company-wide awareness may be top of mind on your first day of launching a new cybersecurity preparedness initiative, it’s all too easy to fall into complacency, offloading the concern to IT. To improve your odds of winning against cybercriminals, take a holistic approach to your endeavor. You’ll need to build in cybersecurity actions throughout the year and make cybersecurity prevention and detection efforts a permanent line item in your budget.
And your budget needs to reflect more than just throwing money at the latest tech solutions. Include the costs of training, employee time, documentation, consulting or workshops led by third-party experts, and new cybersecurity-related marketing strategies that assure your stakeholders of your commitment. This needs to be a long-term and substantial investment.
Cybercrime is a threat that is not going away anytime soon. The good news is that by cultivating the right culture now–rather than later–you can prepare your company to prevent attacks and effectively deal with the ones that will almost inevitably occur. Leaders who do this right will be well-positioned to lead their companies through the challenges of data breaches and other hacks, while strengthening the business’s value at the same time.