Opinions expressed by Entrepreneur contributors are their own.
Today’s cyber threat landscape is elaborate, fast-paced and continuously evolving. The complexity of such threats has raised the predictions that the total cost of cybercrime will exceed $8 trillion by the end of 2023. It includes, for example, the money stolen by cybercriminals, the subsequent investments in security tools and services, and the money spent on ancillary activities such as staffing, remediation, legal fees, fines and more.
So, why do many organizations still fail to see cyber hygiene or even cybersecurity as a boardroom priority, even in 2023? Many business leaders, especially small to medium-business leaders, fail to perceive themselves as targets. From their perspective, spending more on cybersecurity is a wasted effort, and those resources can be used elsewhere.
On average, companies worldwide only allocate around 12% of their IT budget to IT security! Thus, persuading the boardroom to invest in cyber hygiene can be challenging. However, while it is hard to implement and even harder to maintain, these habits, security practices and solutions help make the world safer. And that is where every organization needs to start.
Reviewing the numbers
Looking back at just a year, cyberattacks worldwide have shown a 38% increase in 2022 compared to 2021. The attack on the Australian health insurance provider Medibank, the data breach on the Los Angeles Unified School District (LAUSD) or even the social engineering hack on games company Rockstar are just a few of the thousands of data breaches happening all over the world.
Interestingly, these breaches, like most, could have been prevented with good cyber hygiene. Furthermore, the examples I chose demonstrate that attackers seem unconcerned with a company’s size, location or industry. Yet, even with cyber threats like data breaches, phishing scams and ransomware, cybersecurity investments fall short.
Over the last few years, we’ve made great strides in security, especially following the global pandemic. Still, a study conducted by Foundry shows that 9 out of 10 security experts still believe their organizations are not prepared to address the risks of a cyber-attack.
Investing in cyber hygiene: a checklist
So, what can we do? Establishing a strong and resilient cybersecurity architecture demands deploying security measures on multiple fronts such as data, devices, employees and network. Any elementary security architecture must include solutions to enforce strong password policies, protect data in transit and at rest, identify and protect against attacks and regularly back-up mission-critical data. This seems excessive, especially considering how limited the budget is. Yet, acquiring as many tools as possible within your financial limits shouldn’t be your final objective. The most effective strategy results from selecting the appropriate collection of tools after carefully assessing one’s demands and the current level of security precautions. The solutions I’d suggest include the following:
- Identity and access management (IAM) solutions to ensure the right user is linked to the right resources
- Unified endpoint management (UEM) solutions for securing endpoints and managing, patching and updating operating systems and applications
- Extended detection and response (XDR) or Endpoint detection and response (EDR) solutions to detect and mitigate new and existing vulnerabilities
- Remote browser isolation (RBI) for a safer browsing experience
- Firewall as a service (FWaaS) to protect the perimeter less network border
- Additionally, a combined implementation of Zero Trust Network Access (ZTNA) or Software Defined–WAN (SD-WAN) can provide faster connections, improve latency and secure your remote workers.
Also, it would be wise to select solutions that already have established interconnections among them. This would offer more centralized and seamless access, thereby reducing the workload on your IT administrators and saving you from recruiting larger teams.
Alternatively, some vendors offer multiple tools in a combined package. For example, Cisco Umbrella offers RBI, SD-WAN, and much more, Hexnode provides IAM and UEM capabilities, and Okta gives you both ZTNA and IAM. Make sure to carefully examine such vendors and the integrations between them before finalizing your architecture. In my experience, customers have always preferred a consolidated approach because, economically or due to staffing, they can’t handle the complexity of multiple solutions.
Roadblocks along the way
We are all aware that the financial facet of any venture will inevitably be difficult. Assuming that the aspects mentioned above identify with your company’s objectives, the following query would most likely be regarding the return on investment. It might be challenging to locate the facts and data needed to identify the advantages of cybersecurity hygiene. I would suggest reviewing the financial implications of previous data breaches and comparing those numbers against the investment cost. You will discover that the latter dwarfs the former sum.
Another hurdle is the monotony associated with good security hygiene. A robust security architecture requires periodic observation, maintenance and upgrades. This is often a bit boring, especially for non-tech-savvy investors, entrepreneurs and leaders. Additionally, the repetitious nature might cause inaccuracy and personnel exhaustion. The only solution is to clearly communicate the necessities of cyber hygiene and make them understand that security is an ongoing process rather than a one-time stop. Also, using tools to automate tasks and setting reminders can help employees stay on track without it being a bother.
The recession bound to happen this year will surely put an even tighter hold on the already stretched budget. However, being the victim of a cyberassault during such trying times would be a far scarier reality. As business leaders, we must pay close attention to the hazards and repercussions of a cyberassault in our organization. Thankfully, many businesses are unwilling to face the risks associated with losing client data and having production or operations halted due to a system breach. If they do, it is either out of ignorance or a lack of a thorough understanding of the entire process.