Recently, cybersecurity breaches and attacks have become increasingly common and sophisticated, posing a significant risk to organizations of all sizes and industries. These range from high-profile data breaches at major corporations to ransomware attacks on critical infrastructure. The consequences of a security compromise can be devastating, both financially and reputation-wise.
Despite this, many organizations neglect cybersecurity, or still struggle to prioritize it and allocate the necessary resources to protect themselves from potential threats.
Why is that so?
In this article, we’ll explore some of the reasons why organizations refuse to prioritize cybersecurity and the consequences of doing so. Thanks to MWENDA NDIU for valuable input on this.
- Cost
Investing in cybersecurity measures can be expensive, particularly for small or mid-sized organizations that usually have limited resources. Many companies are reluctant to allocate funds towards #cybersecurity and choose to focus on other ‘pressing’ financial concerns, such as product development or marketing. Additionally, cybersecurity is an ongoing investment, requiring regular updates and maintenance to keep up with its evolving nature.
What is hidden in all this is that the cost of a cybersecurity breach can be, and usually is, far more significant than the cost of preventing it. According to a report by IBM Security, the average cost of a data breach in 2021 was $4.24 million. This includes costs such as legal fees, fines, and lost business. By investing in cybersecurity measures, organizations can reduce their risk of a security breach and potentially avoid significant financial and reputational damage.
- Lack of Understanding
Some organizations do not prioritize cybersecurity because they lack an understanding of its importance. Cybersecurity is a complex and technical field that can be difficult to understand for those without a background in IT security. Threats are constantly evolving, requiring ongoing education, awareness and training to stay up-to-date. Some organizations may not have dedicated IT security personnel, and cybersecurity training may not be a priority for their employees.
To address this, organizations can invest in cybersecurity training and awareness programs for employees at all levels. By increasing understanding and knowledge of cybersecurity, organizations can create a culture of security and encourage employees to prioritize cybersecurity in their daily activities.
- Complexity
Cybersecurity is a complex and ever-evolving field that requires expertise and ongoing attention. Some organizations may find it challenging to keep up with the latest threats and best practices, which can lead to a lack of investment or a sense of futility. Implementing effective cybersecurity measures requires a multi-layered approach, involving network security, data protection, and access control, among others.
To overcome this complexity, organizations can work with cybersecurity experts or managed service providers (outsourcing) to assess their current security posture and develop a comprehensive cybersecurity strategy. By partnering with experts in the field, organizations can ensure that they are implementing the most effective security measures and staying ahead of emerging threats.
- False Sense of Security
I’ve found that there are organizations that believe that they are not at risk of a security breach, or that their existing security measures are sufficient to prevent an attack. They have a perception of invincibility. This leads to complacency and a lack of preparedness in the face of potential threats.
To avoid a false sense of security, organizations need to conduct regular risk assessments and vulnerability testing to identify potential weaknesses in their security posture, which are always there. This should be followed by steps to mitigate these weaknesses and improve their overall security posture.
- Cultural or Leadership Issues
In some cases, an organization’s culture or leadership may be a barrier to prioritizing #cybersecurity. Some may prioritize other goals or values over cybersecurity, such as speed of product development or cost reduction. Additionally, leadership may not view cybersecurity as a critical issue, which results in a lack of investment or attention.
To address this, organizations need to prioritize cybersecurity as a fundamental component of their business strategy. This includes appointing a Chief Information Security Officer (CISO) or a similar executive to oversee cybersecurity initiatives and ensuring that cybersecurity is integrated into all aspects of the organization. Leadership should be educated on the importance of cybersecurity and its potential impact on the organization’s reputation and bottom line.
What are the Consequences of Ignoring Cybersecurity?
As is already known, security breaches result in financial losses, legal fees, and fines, as well as reputational damage that can impact customer trust and loyalty. A security breach also disrupts operations, leading to downtime and lost productivity.
The consequences of a security breach can be especially devastating for small or mid-sized organizations, which may not have the resources to recover from a significant financial or reputational hit.
On the matter of reputation, a recent survey by Kaspersky found that 27% of consumers would stop using a business’s services if their data was compromised in a cyberattack. This can cost up to millions of dollars in revenue.
A data breach can cost an organization an average of $3.86 million, according to the 2020 Cost of a Data Breach Report by IBM. The report also found that it takes an average of 280 days to identify and contain a breach, giving cyber criminals ample time to steal data and cause damage. This is even longer and costlier for smaller organizations that cannot afford a large cybersecurity budget.
Ignoring cybersecurity can also result in legal liabilities. In 2020, the California Consumer Privacy Act resulted in fines of $2.5 billion for violations of data privacy regulations. Similar data privacy regulations are being implemented in other regions, and organizations that fail to comply may face significant fines and penalties.
Cybersecurity risks are not going away anytime soon, and as the world becomes increasingly interconnected and reliant on technology, the potential attack surface for cybercriminals is only growing. Organizations that fail to prioritize cybersecurity are putting themselves at risk of a security breach, which can have far-reaching consequences.
So, what can be done?
- Leadership Commitment
The first step to prioritizing cybersecurity is for the organization’s leadership to commit to it. The executive team should prioritize cybersecurity and ensure that it’s integrated into the organization’s overall strategy. This commitment should be communicated throughout the organization, from the top down.
In 2017, Equifax suffered a massive data breach that affected over 147 million people. The company’s CEO was later criticized for not prioritizing cybersecurity, despite warnings from the company’s security team. A lack of leadership commitment to cybersecurity can have severe consequences, as evidenced here.
- Employee Education and Training
Employees are often the weakest link in cybersecurity, but they can also be a key defense. Organizations should provide regular education and training to employees on cybersecurity best practices, such as strong password management and how to spot phishing attempts.
In 2019, a phishing attack targeted the City of Tallahassee, Florida, and resulted in the theft of over $400,000. The attackers gained access to the city’s network by tricking an employee of a third-party vendor into providing their login credentials. Regular employee education and training on cybersecurity best practices can help prevent these types of attacks.
- Cybersecurity Risk Assessment
Organizations should conduct regular cybersecurity #risk assessments to identify vulnerabilities and risks. I cannot emphasize enough the need for this. It helps organizations to develop a prioritized plan for addressing cybersecurity risks based on their potential impact.
In 2020, SolarWinds suffered a massive data breach that affected multiple organizations, including the U.S. government. The attackers gained access to SolarWinds’ software build system and inserted a backdoor that allowed them to access customer networks. A cybersecurity risk assessment could have identified vulnerabilities in SolarWinds’ software build system and helped prevent this attack.
- Strong Security Controls
These are technologies like #firewalls, intrusion detection and prevention systems, and anti-malware software. These controls should be regularly monitored and updated to ensure they are effective.
For example, in 2017, #WannaCry #ransomware infected hundreds of thousands of computers worldwide, including those of the UK’s National Health Service (NHS). The attack exploited a vulnerability in Microsoft’s software that had already been patched, but many organizations had not updated their systems.
Strong security controls, such as timely software updates and patches, can help prevent an attack like this.
- Incident Response Plan
An organization’s incident response plan should include procedures for detecting, responding to, and recovering from a #cyberattack.
In 2021, Colonial Pipeline suffered a ransomware attack that shut down its pipeline for several days. The attack caused gas shortages and panic buying in several states. A well-developed incident response plan can help organizations respond quickly and effectively to a cyberattack and minimize the damage.
- Regular Security Audits
Security audits work to ensure that the cybersecurity controls and processes of any organization are effective and up to date.
In 2018, Marriott International suffered a data breach that affected over 500 million customers. The attackers had access to Marriott’s network for four years before being discovered.
Regular security audits can help identify vulnerabilities and prevent attacks from going undetected for long periods.
Conclusion
Organizations need to understand that cybersecurity is not a luxury or an optional extra, but a fundamental requirement if they want to thrive in today’s digital world. Ignoring it is not only irresponsible, but it’s also extremely risky, as cyber threats continue to evolve and become more sophisticated each day.
The consequences of neglecting cybersecurity can be devastating and long-lasting. Organizations that prioritize cybersecurity are not only protecting their own interests but also those of their customers, stakeholders, and the wider community.
It’s time for organizations to wake up and take cybersecurity seriously. The cost of ignoring it is simply too high, and the risks too great to be ignored. By investing in cybersecurity measures, organizations can not only safeguard their operations but also demonstrate their commitment to protecting the digital ecosystem we all rely on.