Cybersecurity has evolved tremendously in recent years. In the early 2000s, digital attacks were isolated. Criminals mostly targeted intellectual property, bank accounts, credit card numbers, and strategic or military information.
Today, cybercrime is everywhere. It’s very well organized and very well funded. It’s a fine-tuned industry that snaps up all of your data, then monetizes it in a multitude of ways. So much so, in fact, that in 2021, if global cybercrime were a country it would have had the third-largest economy in the world, behind the U.S. and China.
Major companies are allocating massive amounts of human and financial resources to deal with these threats and yet they still make headlines every week.
With SMEs, the carnage may not be as well publicized, but it’s even bloodier. Many do a very poor job of assessing the risk of an attack. Their CEOs tend to see cyberthreats as a technical issue and assume that the IT team has “probably” taken care of it.
Many insurers now refuse to offer coverage for cyberattacks because the risk is so high. Simply put, they’re nearly inevitable for any business that uses technology.
The shortage of specialized resources coupled with the rise in attacks has created a craze for cybersecurity. Some organizations working in related fields see this as a great way to make a quick buck. By simply tweaking their websites, they become “specialists” even though they lack cybersecurity experience and expertise.
Individuals are in on it, too. New “cybersecurity specialists” pop up nearly every month. Unfortunately, these specialists tend to propose magic solutions that block all attacks. They’re like snake-oil salesmen peddling the magic potion that will let you lose 20 pounds without moving or changing your diet. It’s incredibly tempting, which is why many tech-savvy people will fall prey to the illusion of ease.
What to do?
Many businesses aren’t entirely sure how to go about buying cybersecurity solutions. Yet the rise in attacks, the pandemic, insurer demands, Bill 64, and the migration to cloud-based solutions have put them in a position where they must act. So, who should they believe? The person who’s selling a “plug-and-play” solution that will block 99% of attacks? Or the consultant who’s asking them to pay to assess their current situation? IT teams are often very small, yet their technological environments have become infinitely more complex with the rise of cloud computing and working from home. It can be tempting to put off the decision for a while by having someone assess your current situation. It buys you a little time.
And the promise of a system that takes no effort to install or maintain—one that can be bought the same way you’d buy a printer—holds quite a bit of appeal. Even though it sounds too good to be true, the tech making the decision is taking the word of a vendor from a well-known company.
Senior management washes its hands
Cybersecurity is still seen as a commodity on par with phones, printers, and email. Even today, when I talk to CEOs, some of them tell me that they have people to manage the technology side of things. Unfortunately, these same leaders are caught off guard when an attack hits them.
Response procedures are non-existent, communications with customers and suppliers are haphazard, and getting systems back up and running (if it’s even possible) can take weeks. Of course, this has major consequences for a company’s finances and reputation. Just look at Sunwing. They’re probably still in crisis management mode.
Senior management must be involved
There is no “magic wand” that can fully protect you from cyberattacks. Hackers can strike at any number of points in your system. You need to work with your supplier to identify these points and protect them. And even once you’re protected, it may still be possible for bad actors to get in. You need to be able to detect the breaches and repel them quickly while limiting the fallout.
There are thousands of cybersecurity solutions out there, but most cover a very specific area. The result is a patchwork system, where each solution raises the total cost of the company’s cybersecurity. And each solution needs to be installed, integrated with the other systems, monitored, and maintained around the clock. It’s a complex balancing act that requires specialized expertise.
You don’t need to pay to have your cybersecurity maturity assessed if you don’t have the basics. Personally, I consider it a very poor investment. Why pour thousands of dollars into a report when you already know the results?
And what are those basics, exactly? To start, you need to implement multi-factor authentication, identify sensitive data, and provide centralized protection for emails, workstations, and servers. If you haven’t done that, it needs to be a priority. After all, if your vehicle doesn’t have brakes, you don’t need a 91-point inspection to tell you they’re necessary.
Cybersecurity isn’t just a matter of technology, either. Senior management needs to be involved in choosing a trusted partner, as well as the escalation and response procedures to an attack. The effectiveness of incident reporting and response procedures will significantly influence how much damage is done by an attack. If a major incident occurs, senior management will need to make quick decisions. If nobody’s prepared, they won’t be effective and the damage will be much greater.
The cybersecurity tax
Unfortunately, cybersecurity can’t be bought like a printer, server, or phone. Cybersecurity is now an investment that all serious businesses will need to make.
It’s become part of the cost of doing business. It’s critical to learn about the field by joining forces with a trusted partner. They’ll ask you questions about your business, what you want to protect first, and what your remediation and escalation procedures are if an incident occurs.
These are fundamental questions that you will need to be able to answer yourself, or have the right guidance to answer, and quickly.