By Isaac Kohen, VP of R&D at Teramind, provider of behavior analytics, business intelligence, and data loss prevention (“DLP”) for enterprises.
getty
After years of unfathomable cybersecurity incidents, including expensive data breaches, disruptive ransomware attacks and costly phishing scams, executives and board members are no longer willing to sit by and hope for the best.
For many companies, the potential costs and far-reaching consequences of cybersecurity failure have become too much to bear, and they are ready to take meaningful action to respond.
According to a Gartner survey of Boards of Directors, 88% of respondents consider cybersecurity a business risk, and 66% intend to increase cybersecurity spending to enhance their defensive postures in the years to come.
While companies assess the appropriate amount of cybersecurity spending differently, they can’t afford to miss the mark on how they allocate these resources. In an uncertain economic environment, leaders need to know that their strategic investments will impact their defensive posture.
For leaders grappling with these difficult decisions, here are three ways to invest in cybersecurity now and in the future.
1. Invest in people.
When it comes to protecting company data and IT infrastructure, a company’s own people are often the most significant cybersecurity risk.
Verizon’s most recent Data Breach Investigations Report (download required) found that 82% of data breaches involve the human element as people undermine cybersecurity by falling for social attacks, making mistakes and misusing company data.
That’s why insiders, people with legitimate access to a company’s IT infrastructure and data, are the right place to begin any cybersecurity investment. While some insiders act maliciously—intentionally stealing, exposing or destroying data—most people undermine cybersecurity by accident.
In other words, most people don’t have cybersecurity top of mind as they go about their day-to-day work activities. This must change, since the average employee is protecting credentials to company accounts, millions of data points and other sensitive information.
However, only one-fifth of organizations allocate financial resources to insider threat prevention, which makes an investment in people the natural first step for companies looking to leverage their resources effectively.
Fortunately, investing in insider threat prevention doesn’t have to break the bank as awareness training, best practice refreshers and accountability mechanisms can significantly improve employee readiness.
2. Invest in processes.
Cybersecurity and digital hygiene best practices can prevent many cybersecurity incidents before they begin. Unfortunately, most organizations and employees fall woefully short of these standards.
For example, 70% of people report using the same password for more than one account, while 21% say they use it for every account. Moreover, one employee survey found that more than half of employees don’t believe personal technology poses a cybersecurity risk.
At the same time, only one-third of organizations require two-factor authentication on user accounts, despite its proven threat-mitigation capacity.
In response, companies should invest in cybersecurity processes, establishing internal best practices that promote digital hygiene. This includes:
• requiring routine password changes
• activating two-factor authentication on all accounts
• regularly reviewing account settings to maximize data protection
• establishing data management norms
• instructing employees to use company devices for accessing company data.
Notably, recent research by the Harvard Business Review found that process and policy violations are often propelled by stress. As the report helpfully explains, “much of the time, failures to comply may actually be the result of intentional yet non-malicious violations, largely driven by employee stress.”
Companies should be aware of this dynamic when developing and implementing cybersecurity processes, ensuring that their approaches and action steps don’t unnecessarily burden people, exacerbating this dynamic and further undermining cyber-readiness.
3. Invest in software.
Too often, companies expect their cybersecurity or IT teams to manage a rapidly expanding threat landscape. As a result, nearly 80% of cybersecurity teams say they cannot effectively monitor all vulnerabilities.
In some ways, this is understandable. Cybersecurity personnel are in high demand, so attracting and retaining top talent can be incredibly challenging.
However, the increased workload without additional resources is causing burnout in cybersecurity teams at a critical time. It’s estimated that 54% of security professionals want to quit their jobs, so businesses must now find ways to support their teams.
Software solutions can help. Increasingly capable technologies powered by artificial intelligence and machine learning can help detect threats and better analyze alerts, ensuring that IT teams only respond when needed.
Investing in the right software with the right capabilities to address the right vulnerabilities can effectively bolster cybersecurity teams and organizational defensive readiness, ensuring that teams and companies are ready to protect against existing and emerging threats.
Many companies may be uneasy about allocating financial resources to cybersecurity during a period of economic uncertainty. In this case, an ounce of prevention is worth a pound of cure. With the cost of a data breach surpassing $4 million and consumer and regulatory sentiment firmly against companies that can’t or won’t protect data, the consequences of failure are much more expensive than preventative measures.
Furthermore, by allocating resources effectively, companies can mitigate the cost of prevention, ensuring they receive the best possible return on investment.
Cybersecurity is an urgent priority for business leaders, shareholders, customers and clients. Effectively allocating resources is critical to an effective response.
