A truism among security professionals is that it’s a matter of when, not if, a cyberattack will impact your business. This reality has certainly been on display in recent months, as several headline-making ransomware attacks hit major companies, including Colonial Pipeline. In that attack, the nation’s gas supply was temporarily impacted, and Colonial paid more than $4 million in cryptocurrency as a ransom.
Experienced security leaders know how devastating cyberattacks can be beyond just headlines and bad PR. As the Colonial incident showed, a successful attack can be a productivity-killer and can cost millions of dollars in mitigation and recovery. In IDG’s new Global Intelligence Report on Cybersecurity, 46% of the more than 2,700 organizations surveyed suffered economic damage from a cyberattack, with measurable impact ranging from work interruptions or production downtime (47%) to a complete shutdown of the business (15%).
While it’s inevitable that a cyberattack will hit your business at some point, many occur simply because of a lack of security hygiene. Many security leaders seem resigned to this fact: 63% of survey respondents expect risk potential to increase over the next 12 months because of employee negligence.
“You have to focus on overall good hygiene. If you don’t look at your full control set, you’re going to get blinded by something,” says Katie McCullough, CISO at OneNeck IT Solutions, a provider of IT and security services. “You have to know where you’re at, holistically, in tight alignment with your control framework.”
Size doesn’t matter in security
Security breaches and cyberattacks are a problem for companies of all sizes, not just the Fortune 500 or large multinationals. In fact, smaller businesses may be more vulnerable, as they are often forced to be frugal with security staffing and funding, but they face the same kinds of threats as a much larger company. It’s an unfair fight, which is why it’s critical for security leaders at these organizations to spend time assessing risks and understanding their business’s unique risk profile.
“You can’t get so wrapped up in the news that you’re only focused on one threat at a time. You’ve got to be prepared for any threat, and that comes with daily diligence and stringent cyber hygiene,” says McCullough.
McCullough recommends taking the time to assess your specific risks, working with business units and leadership to ensure security spending is prioritized on the most critical business risks and functions. A focused approach to planning and budgeting for ongoing improvements to your security posture will yield better results than a reactive strategy that focuses on cleaning up after an attack takes place.
While security funding is not limitless, it is essential. A risk assessment, combined with better cybersecurity hygiene, will help you to maximize your investments while minimizing risks. In the ongoing fight against bad actors, proactive security best practices and prevention are the best defense.