3 Ways Modern Business Is Failing at Cybersecurity

Modern businesses are failing at cybersecurity. Some blame expensive new technology and limited resources, which are preventing businesses from adapting to rapidly-evolving cyber threats. Unfortunately, the real culprits may be the business leaders themselves, many of whom take a largely reactive rather than proactive approach to cybersecurity.

It’s difficult to determine the next big threat, so many cybersecurity professionals must address issues as they arise. This practice is a dangerous method for handling cybersecurity. The global economy is becoming more dependent on internet-connected devices and rawer data streams than ever before. Executives and stakeholders must be prepared to correct the three major failures we’ve identified in even the most seasoned and successful modern businesses.

Number One: Blaming the Mounting Costs of Cybersecurity

Business owners must view cybersecurity not as an optional chore, but as a crucial component of their enterprise risk management program. Worldwide spending on cybersecurity has dramatically increased over the past decade, reaching $75 billion in 2015. In three short years, the cybersecurity industry’s value is expected to reach or exceed $170 billion.

According to PWC’s 2016 Global Information Security Survey, cybersecurity incidents rose by nearly 40% across all business sectors. Among the companies surveyed, close to 70% of all data breaches resulted in $100,000 of losses or more. Nearly 1/5 of all breaches resulted in damages in excess of $1 million.

This explosive growth stems from several sources:

  • Growing amount of data. Information is one of the most valuable commodities on the planet, and businesses are scrambling to obtain as much relevant consumer data as possible to target advertisements and remain relevant in a rapidly expanding global marketplace.
  • Increasing number of connected devices. Mobile technology has given rise to a world in which almost every adult carries a smartphone or other mobile device everywhere they go. Technology has not only grown smaller and more portable, but also more sophisticated. Mobile technology has evolved so much so quickly that smartphones today are powerhouses compared to models only a few years old.
  • Evolving business practices. Companies are broadening their horizons in terms of marketing and customer outreach. It’s more important than ever to consistently connect with consumer bases and remain part of the public conversation, so companies are generating more content more quickly. Many companies have also embraced the younger workforce who value flexibility over structure, and bring your own device policies are now commonplace in the modern business world.
  • Increasingly sophisticated cyber-attacks. As IT security grows, so do the methods hackers and criminals use to breach it. Every new defense only lasts as long as it takes to break it, and cybersecurity innovators are constantly searching for new methods for outsmarting their opposition and keep company data secure. The number of cybersecurity incidents continues to increase.
  • Emerging technology. New technological concepts, such as the Internet of Things, mean new opportunities and concerns for businesses. The Internet of Things is the concept of connected devices such as smartphones, appliances, and wearable devices like smartwatches supplying consumer data to manufacturers and advertisers.

The costs of cybersecurity don’t only extend to development of new defenses. Successful breaches are costly, and the value of information has sharply escalated the cost of a data breach. A successful data breach can result in lost revenue, legal costs for resulting lawsuits, angry customers that refuse to patronize the business in the future, and a damaged reputation.

Most states now have data breach notification laws that require businesses to notify individuals whose information has been accessed in a data breach. Failing to comply with state data breach notification laws can cost businesses dearly. In Florida, covered entities (which includes most businesses) that fail to notify individuals whose personal information was accessed in a data breach within 30 days may be fined up to $1,000 per day for the first 30 days, and $50,000 for each additional thirty days – up to $500,000 total.

Number Two: Reactive vs. Proactive Cybersecurity Practices

Cybersecurity has been a dance between cybersecurity professionals and cyber-criminals, but the former has, for the most part, been reactive: it has grown increasingly more difficult to protect against unknown threats as cyber-attacks grow more complex and hackers gain access to more powerful tech. Cybersecurity is forced to react to new threats, and technology is outpacing their ability to be proactive and create preventive cybersecurity measures.

Indeed, PWC’s 2017 Global State of Information Security Survey revealed that just over half (51%) of companies surveyed actively monitor and analyze threat intelligence to help detect risks and incidents. Less than half of companies surveyed conduct vulnerability (48%) and threat (47%) assessments.

IT security analysts have identified some of the major reasons why modern businesses continue to fail at cybersecurity:

  • Not enough internal emphasis on data security. Company culture plays a large role in information security. It’s crucial for modern businesses to make cybersecurity a consistent focus for employees so they maintain good habits. Internal incidents continue to be the most commonly cited source of data breaches. Not all of these incidents are intentional. While malicious insiders are indeed an area of concern, most cybersecurity incidents originating from employees are due to poor choices, misinformation, or simple carelessness.
  • Almost any business is a potential target. As information grows more valuable and more data is generated, businesses are becoming juicier targets for cyber-criminals. Even small businesses can be targets, and smaller organizations typically don’t have the resources to pour into tight IT security that large corporations have—making them ripe targets for savvy hackers. Additionally, small businesses usually can’t recover from a data breach as easily as a large company, and may go out of business. Overall, government bodies, defense companies, retail organizations, financial institutions, healthcare companies, and infrastructure organizations are at the highest risk for a cyber-attack.
  • CEOs don’t understand the importance of data security. Modern CEOs are involved in almost every aspect of the businesses that they run, and it’s difficult for many of them to retain working knowledge of every relevant facet of their business. Many CEOs have reported that they simply don’t understand the technical end of IT because of its growing complexity. The Chief Information Officer (CIO) and Chief Security Officer (CSO) have risen to greater importance in light of cybersecurity’s growing presence in the business world, and these positions serve to offset some of the responsibility on the shoulders of CEOs.
  • Lack of a clear cybersecurity policy. It might surprise you to learn that many companies simply do not have a clear policy about data security. Modern businesses need to identify the risks inherent to their industry, location, and workforce. Additionally, internal cybersecurity policies are necessary to maintain data security and oversight. Companies must also define the steps necessary to address known or discovered risks, and implement security measures to detect intrusions or breaches.
  • A constantly-evolving battlefield. A proactive approach to cybersecurity is remarkably difficult to establish without a great deal of financial and human resources. Cybersecurity professionals are some of the most highly sought employees for modern businesses in every industry, and the complexity of attacks continues to grow. It’s difficult to identify and assess new threats before they become tangible losses unless you have an experienced, highly trained cybersecurity department with the technology and resources necessary to handle threats.

Number Three: Not Taking Advantage of Free Resources

Businesses must be proactive and flexible about cybersecurity. One example of proactive cybersecurity is adopting the 2014 NIST Cybersecurity Framework. In partnership with leading technology companies, the National Institute of Standards and Technology developed a flexible cybersecurity platform that is now being adopted by both the private and public sectors worldwide.

From the individual looking to secure his or her home private network, to technology giants such as Google or Facebook, comprehensive cybersecurity planning is more accessible than ever before. NIST’s Cybersecurity Framework is available for free at https://www.nist.gov/cyberframework.

In fact, PWC’s 2016 Information Security Survey indicated that the 2014 NIST Framework, along with SANS Critical Controls, is the most frequently followed cybersecurity guideline among the 91% of organizations surveyed that have adopted a risk-based security framework.

The NIST Core Framework is: Identify, Protect, Detect, Respond, and Recover.

  • Identify the threats your business faces;
  • Protect against those threats by training and securing critical systems;
  • Detect the occurrence of a threat through information technology;
  • Respond to the threat to mitigate the damage; and
  • Recover from the threat, and adjust for future threats.

For some business owners, the NIST Framework can be a bit daunting. Fortunately, in November 2016, NIST released a step-by-step risk management guide for small businesses called “Small Business Information Security: The Fundamentals.” Utilizing the Fundamentals is a simpler way for small businesses to adopt basic forward-looking enterprise risk management techniques to start adapting to the ever-changing cybersecurity landscape.

A proactive approach to IT security is a necessity in modern business, but due to the nature of cyber-crime, it’s growing increasingly difficult to stay ahead of the opposition. Additionally, each successful attack must be addressed so future attacks won’t happen, and recoveries from successful attacks are expensive ordeals.

Vigilance is paramount. Business leaders need to make cybersecurity a priority and stay in tune with new trends and changes in the cybersecurity industry. Executives must also maintain a company-wide emphasis on data security at every level of the organization. Since employees continue to be the weakest link in the battle against cybercrime, it falls to company leadership to cultivate a workplace culture that prizes safe habits and prioritizes the security of valuable data.

Sources:

http://www.forbes.com/sites/stevemorgan/2016/05/04/why-ceos-are-failing-cybersecurity-and-how-to-help-them-get-passing-grades/#3170108a553b
http://fortune.com/2016/01/19/americas-cybersecurity-fail/
https://heimdalsecurity.com/blog/10-critical-corporate-cyber-security-risks-a-data-driven-list/
https://www.sec.gov/news/statement/cybersecurity-challenges-for-small-midsize-businesses.html
http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html
http://www.forbes.com/sites/stevemorgan/2015/12/20/cybersecurity%E2%80%8B-%E2%80%8Bmarket-reaches-75-billion-in-2015%E2%80%8B%E2%80%8B-%E2%80%8Bexpected-to-reach-170-billion-by-2020/#7c4897192191
http://www.visualcapitalist.com/the-cybersecurity-boom/
http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey/key-findings.html
http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html
https://www.nist.gov/cyberframework
http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey/assets/gsiss-report-cybersecurity-privacy-possibilities.pdf
http://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf

Mr. Haut focuses on litigation relating to commercial litigation, cybersecurity, and privacy law matters. In his final year of law school, Mr. Haut served on the Sherman Minton Moot Court Executive Board, where he helped draft the Moot Court competition problem — exploring issues relating to government searches of electronic devices, cybercrime, and sentencing reform.