Two critical aspects of cybersecurity that warrant immediate attention are the lack of risk understanding and assessment and the absence of preventative action taken.
Businesses are at risk, and they know it. The problem is that, as the number and severity of cyber threats continue to grow, it is becoming harder to identify and implement the best strategies for safeguarding networks and systems.
RSA has just released the results of its second annual Cybersecurity Poverty Index survey, which found that 75 percent of organizations are at significant risk of a cybersecurity incident, and that the majority of respondents are struggling with their incident response programs and capabilities. Research has also indicated that the firms most likely to take serious action against the growing threat of cyberattack are the ones that have already been attacked. Beyond that, many are using a fragmented, patchwork approach. Less than a quarter of the survey participants rated the security preparedness of their organizations as mature. Even more concerning, nearly half said their incident response capabilities are “nonexistent.”
Confusion about cyber threats
Contributing to the issue is that many organizations are still in the dark about exactly how cyber risks can damage their business. Without a thorough understanding of the threats facing them, it is extremely difficult for companies to implement effective risk mitigation plans. The RSA report noted that the inability to identify, understand, assess and catalog risks can, and often does, lead firms to make the wrong cybersecurity investments. For example, instead of developing a sustainable, long-term and cost-effective plan for IT security, some opt for temporary solutions that do not address or prevent the real issues at hand.
An incident response plan shouldn’t only be prioritized after an attack.
“This second round of cybersecurity research provides tangible evidence that organizations of all sizes, in all industries and from all geographies feel unprepared for the threats they are facing. We need to change the way we are thinking about security, to focus on more than just prevention – to develop a strategy that emphasizes detection and response. Organizations need to set their agendas early, build comprehensive strategies and not wait for a breach to force them into action,” said Amit Yoran, President of RSA, The Security Division of EMC.
The RSA study highlighted two critical aspects of cybersecurity that warrant immediate attention. The first is the lack of understanding of the risks, and of how severe they are; the second is the absence of preventative action, especially among organizations that have not yet been breached. But how can this be fixed?
It is important to note that the people and teams mainly responsible for handling, and preventing, cyber threats are IT professionals. However, in most organizations these employees have only so much authority and influence. While this is likely to change as cybersecurity continues to threaten every aspect of the business, a company that wants to put the strongest possible defense strategy in place needs C-level support.
“Cybersecurity isn’t just an IT issue; it’s a business threat.”
Of course, this is easier said than done. The issue is twofold: some of the key players with a critical role in cybersecurity initiatives are often the ones who understand the area least. Mark Athitakis recently expanded on this in an article for Associations Now, explaining how executives’ “disengagement from the problem” can further increase the risks their company faces. Cyber safety needs to be implemented, exercised and prioritized from the top down, and one of the first steps toward that goal is stronger collaboration and communication between the C-suite and technical teams. When it comes to cybersecurity, corporate leaders must stop treating it as an IT issue and start seeing it for what it really is: a business threat.
One of the ways this goal can be achieved is through proper training and education. At The National Cybersecurity Institute, we provide courses specifically tailored to management level professionals, such as the Cybersecurity Awareness for Managers & Supervisors Course, as well as the C-Suite and Board Level Course, which are just eight and three hours, respectively.
Given the intensity and growth of the threats highlighted every day in cybersecurity news, it is becoming increasingly difficult, and illogical, for organizations to ignore their responsibility to take preventative measures against cyberattacks. The time and investment needed to build a stronger incident response plan are far less than what a business will likely face if it experiences a breach.
PR Newswire (2016, June 14). RSA Research: 75% of Organizations are at Significant Risk of Cyber Incidents. Retrieved from http://www.prnewswire.com/news-releases/rsa-research-75-of-organizations-are-at-significant-risk-of-cyber-incidents-300284168.html