What Organizations are Mistaken about Cybersecurity?

Cybersecurity then becomes an afterthought of the business strategy being formulated or business decisions being taken. The danger of this is that their chief information officers (CIOs) or chief information security officers (CISOs) are always in the catch-up mode trying to identify and patch cybersecurity holes, which leaves their organizations constantly vulnerable to cyberattacks. This must be changed if organizations want to stay ahead on cybersecurity. It is important to realize that cyber security is not an IT issue but a strategic issue. It is an integral part of the business. CEOs need to push cybersecurity higher on their agenda and directly consult their CIOs or CISOs in making key business decisions. Forward-looking CEOs are already making cybersecurity as part of their customer value proposition.

3. Hackers only go after core systems: Strong defenses for core systems are essential but not sufficient to protect organizations from cyberattacks. The recent 2016 DDoS attack on Dyn exposed a serious problem of cybersecurity for internet-of-things (IoT) devices. Attacks on Target and Wendy’s earlier, which involved third-party vendors, was also a stark reminder for organizations to look at cybersecurity from a complete ecosystem point-of-view. It is critical for organizations to ensure that the vendors they engage with have robust security controls to minimize their vulnerability to cyberattacks. A single lax security control of a single vendor can be detrimental to their entire organization.

4. Cybersecurity threats are mainly external: It is not uncommon to see that many organizations put enormous effort into dealing with external cybersecurity threats and little into internal ones. However, IBM found in the 2016 Cybersecurity Intelligence Index that the biggest threat may reside right inside their organizations. A whopping 60 percent of cyberattacks were in fact carried out by insiders with 75 percent of them involving malicious intent and the remaining inadvertent actors. These numbers should be a wake-up call for organizations which have not paid enough attention to internal cybersecurity threats. More dangerously, insiders, unlike outsiders, have extensive knowledge and direct access to the systems, making it difficult to detect. In addition to that, they can also erase evidence to impede any possible investigations.

5. It is too costly to invest in cybersecurity: Cost is one of the reasons why some organizations are reluctant to invest in cybersecurity. Advisory firm Gartner reported that worldwide spending on cybersecurity is estimated at $90 billion in 2017 and would reach $130 billion by 2020. However, not investing in cybersecurity can be even more costly. Cybersecurity is a $440 billion problem, and it is expected that cyberattacks would cost the world up to $6 trillion by 2021. This does not take into account damages which can’t be measured by dollars and cents, such as loss of corporate reputation and customer confidence. Besides, organizations should also realize that digitization comes with greater productivity and efficiency. Part of these gains should be invested in cybersecurity. In other words, cybersecurity is an inseparable part of digitization investment, and no organization can use cost as an excuse to compromise on cybersecurity.