Systemic cybersecurity crisis looms
The number of large-scale, highly damaging data breaches over the past few years has led some to believe the market is on its way to another systemic crisis, similar to the Great Recession.
Corporate greed, lax risk management procedures and insufficient oversight by regulators contributed to the 2008 financial crisis. Likewise, the perception that cybersecurity is just another cost center coupled with organizations’ tendencies to implement bare minimum security measures could be paving the way for a systemic cybersecurity crisis.
There is a widespread notion that cybersecurity is one more hurdle for executives to deal with that drains company resources. Cisco surveyed more than 1,000 executives, and 74 percent of participants said the main purpose of cybersecurity is to reduce risk rather than enable growth. This ideology that cybersecurity is costly, hinders productivity and is maintained based on a company decision maker’s level of paranoia is not just inaccurate, it is harmful. As a result, many organizations underinvest in their cybersecurity programs, implementing minimal security measures that may be obsolete in a few short years as cyber threats evolve and new attack vectors emerge.
Compounding this problem is security vendors’ tendency to market their products as the cure-all for cybersecurity. With cost as a deciding factor for purchase decisions, many organizations will choose to partner with a vendor that promises to “solve” cybersecurity, believing that the solution will sufficiently protect their organization without additional resources. However, cybersecurity is not something that can be solved by simply adding a layer of protection. Instead, cybersecurity should be an ongoing initiative that impacts the entirety of an organization, not just the IT department.
How to prevent a cybersecurity crisis
To stave off a potential security crisis, the way we view cybersecurity must change. A good way to look at it: Just like an extremely fast car needs high-quality brakes, a great business needs a solid cybersecurity program. Brakes are not meant to slow you down unless you need them to. With a well-executed cybersecurity plan in place, a business can successfully grow and scale, without compromising security. Security must be a core component of an organization’s business, and leaders must understand the ongoing role it plays throughout the development and distribution of their products and services. This means security policies should be integrated across departments and the various technologies employed, from a company’s CRM system to its HR database.
A solid cybersecurity plan enables organizations to protect both corporate and customer information, while enhancing productivity and efficiency. For instance, keeping security at the heart of product development can help ensure the development process stays on track, preventing costly delays.
Additionally, incorporating cybersecurity into the business plan can protect a company’s bottom line. Publicly traded companies risk losing billions of dollars following a catastrophic cybersecurity breach. In fact, a study by CGI and Oxford Economics revealed that cyber attacks have shaved more than $50 billion off the value of company shares in recent years. The idea that shareholders could collectively lose billions of dollars should be enough to make organizations view cybersecurity as a business imperative.
Because it is highly probable that an organization will fall victim to a data breach at some point, it is wise to be as prepared as possible for that attack. Having a cybersecurity program in place can minimize the damage. Similar to insurance, companies without an effective plan in place will pay a premium, facing both financial and reputational repercussions. That said, cyber insurance providers have emerged, with nearly 70 carriers now on the market.
However, given the evolving nature of technology, an organization’s network, systems and methods for securing these assets change, which means its cyber risk changes. As a result, determining the appropriate policy is challenging. Additionally, the cyber insurance market is brand new, so the offerings are questionable at best. It is much more advisable to focus on implementing and maintaining a strong security program instead.
In an increasingly connected world, where businesses rely on technology and innovation to succeed, developing an enterprisewide cybersecurity program must be a priority. Without one, organizations could face irreparable consequences. Beyond the corporate impact, the economic impacts of cyber threats are staggering. And while alarming, this should encourage organizations of all sizes to address cybersecurity at the leadership level, establishing a culture of security across the business.