According to the FBI’s 2021 Internet Crime Report, there were 847,376 cybersecurity complaints last year, representing almost $7 billion in business losses. That’s an increase from 301,580 claims representing $1.4 billion in losses in 2017. This, despite the fact that businesses and governments spend billions of dollars to fight these attacks. Microsoft alone spends about $2 billion annually to address cybersecurity.
Why then, despite the big brains and big budgets of the most stalwart organizations, are businesses continuing to fall prey to these breaches? Unfortunately, for a number of reasons.
Cybersecurity may not (yet) be a board-level concern
Is cybersecurity a standing agenda item in your board meetings? Do board members fully understand your organization’s cybersecurity risks and the steps you’re taking to minimize those risks? Are board members themselves aware of how their own actions—or inactions—could be putting data and systems at risk?
Sadly, the answers to these questions at many organizations are “no,” “no,” and “no.”
More organizations today, though, are recognizing the impact of data breaches, the potential damage to customer trust and heavy financial losses forcing boards to take notice. Some have ramped up reporting requirements and created new job roles like DPO—Data Protection Officer—reporting directly to the CEO or even the board.
Leaving security awareness and training to the IT department
Most security awareness leaders are IT pros that thoroughly understand the systems they’re responsible for and the risks those systems face. What they don’t so readily understand, though, is how to convey their messages in a way that will resonate with non-security people.
Experts of any kind are stymied by the fact that they can’t unknow what they know. Consequently, they can’t fully understand what others don’t know—or how to best convey information in a way that is understandable, meaningful, and impactful.
Effective communication requires techniques that those in marketing and communication roles may be better positioned to deliver, yet they’re not often called upon as collaborators in the process.
Security awareness needs to be a company-wide endeavor, not the sole responsibility of the IT department.
The crooks keep getting craftier
As technology becomes more sophisticated and companies invest in the latest controls to protect systems and data, cybercriminals continue to devise new ways of subverting those defenses. But crooks aren’t just focused on technology. In fact, they’re far more focused on people. Why? Because as security technologies make it harder and harder to hack into systems, cybercriminals increasingly look for another way in. And that other way usually involves tricking someone into letting them in.
The human factor
“Social engineering” is a term used to refer to techniques used by cybercriminals to manipulate people into providing confidential information or performing harmful actions like clicking on bogus links in a text or email: That’s phishing pure and simple. Cybercriminals know that people represent the greatest vulnerability within organizations precisely because they are susceptible to deception, influence, and extreme disinformation.
Companies let their guard down
As companies invest heavily in technology, communication, and training to reduce cybersecurity risk and as they begin seeing the positive impact of those efforts, they may let their guard down—not paying as much attention to the risks, not communicating as often, or failing to ensure that new employees (or employees in new positions) are receiving the information and training they need.
Cybercrooks only need to be successful once to achieve their goals, but companies need to be successful 100% of the time to avoid being compromised.
Consider this: security is subject to the same natural laws that govern the rest of the universe. Entropy is real… we move from order to chaos. And that means your organization is always either building security strength or allowing atrophy.
Lack of a strong security culture
Security culture is the ideas, customs and social behaviors that impact an organization’s security. A strong security culture is a must-have to combat the continuous threats that all companies are subject to. Employees’ security awareness, behaviors and the organization’s culture must be assessed regularly. Policies and training programs should be consistently updated to address the changing threat landscape. Failure to do so puts companies at risk of data theft, business interruption, or falling victim to ransomware scams.
The brutal truth is that data breaches aren’t going away. And because they aren’t, companies must build and sustain a strong security culture to remain continuously attuned to a constantly changing threat landscape and to minimize risks.
Let’s face it: there will always be risk and no organization will be entirely free from security threats. But that doesn’t mean they should lower efforts to improve and evaluate processes, communicate with and train everyone in their organization, and remain vigilant. It’s a process, not an event.