Cybersecurity challenges
But while most businesses recognise that complete perfection in physical security is neither realistic nor desirable, they often fail to make the same judgment when it comes to their cybersecurity arrangements.
In their quest for perfect cybersecurity, the vast majority of organisations end up with misallocated budgets, poor prioritisation, or completely overwhelmed IT and security teams, resulting in these organisations suffering from cybersecurity paralysis.
Cyber threats
Certainly, cyber threats are a major problem, with the global costs associated with cybercrime predicted to rise to $10.5 trillion by 2025.
However, the steady stream of alarming news stories relating to cybersecurity and high-profile data breaches has caused many businesses to enter panic mode. This is exacerbated by the overarching narrative from the media and security industry that “nobody is safe” when it comes to hacking.
Measured and sober risk assessments
While it is true that all organisations are technically “hackable”, it's important that they make measured and sober risk assessments when it comes to their cybersecurity.
They need to look at the bigger picture: cybercriminals tend to focus their efforts primarily on the most valuable and highest-yielding targets. As such, striving for cybersecurity perfection is simply unnecessary for a large swathe of the business community.
Physical and digital security
This is true for both physical and digital security: perfection can easily become the enemy of progress. Ultimately, trying to be perfectly secure is unrealistic and unachievable. Chasing such a goal is likely to cause a massive detriment to both productivity and innovation.
Rather than pursuing perfection, organisations must adopt a pragmatic approach to making themselves less vulnerable and focus their energy primarily on the risks that matter most to cyber criminals. This more measured and strategic approach to cybersecurity is likely to produce the most efficient benefits, while also protecting and ensuring the organisation's capacity for innovation and productivity.
In the grand scheme, most companies will not get hacked
It is important to recognise that cybercriminals are rational actors. Hackers will select the easiest targets in terms of stealing data or extorting money.
For instance, unless a new website can generate a large amount of revenue, there is no urgent requirement to make it 'perfectly secure', because the majority of hackers will not be interested in attacking small, unprofitable targets.
Vulnerabilities
But how can a company tell whether it is an easy target or not? Often, businesses will invest in scanning tools that report how many vulnerabilities exist within their infrastructure in order to gauge their current situation.
However, simply knowing the number of vulnerabilities that exist across their websites or systems is only the first step, and is not necessarily useful information on its own. If an IT department is told there are 100 vulnerabilities, what should it do with that data? Is that a lot, or is it very little?
How serious are these vulnerabilities and which ones should be prioritised?
Benchmarking can be a more useful metric, because it shows an organisation how “hackable” it is compared to its peers. Rather than trying to fix every vulnerability, companies need only ensure they remain less hackable than the industry average, as this helps decrease the likelihood of an attack: cybercriminals are more likely to go after softer targets.
Also, companies can set milestones in the development lifecycle of their new apps and products to decide the right time to introduce robust cybersecurity measures. This will help organisations prioritise their cybersecurity efforts to maximise their impact.
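The passage above argues that a raw count of findings says nothing about which ones to fix first. The following is an added illustration (not code from the article or its author) of one way to turn scanner output into a prioritised queue: each finding's severity score is weighted by whether the affected asset is reachable from the internet and whether it is business-critical, and the result is ranked and bucketed. The weights, the thresholds and every finding in the sample list are constructed assumptions; the `VULN-00x` identifiers are placeholders, not real vulnerability IDs.

```python
"""Turn a raw vulnerability count into a prioritised work list.

Added example, not part of the original article. All findings below are
constructed sample data and the identifiers are placeholders, not real CVEs.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    finding_id: str        # placeholder ticket id, not a real identifier
    asset: str             # constructed asset name
    cvss: float            # base severity score, 0.0 to 10.0
    internet_facing: bool  # reachable from the internet?
    business_critical: bool  # does the business depend on this asset?


def priority_score(f: Finding) -> float:
    """Weight raw severity by how reachable and how valuable the asset is.

    Assumed weights (not from the article): internet-facing doubles the
    score, business-critical multiplies it by 1.5.
    """
    score = f.cvss
    if f.internet_facing:
        score *= 2.0
    if f.business_critical:
        score *= 1.5
    return round(score, 2)


def triage(findings: List[Finding]) -> List[Finding]:
    """Return the findings ranked from highest to lowest priority."""
    return sorted(findings, key=priority_score, reverse=True)


def bucket(findings: List[Finding],
           immediate_at: float = 15.0,
           planned_at: float = 7.0) -> Dict[str, List[str]]:
    """Split the ranked findings into three work queues.

    The thresholds are assumptions; a real programme would tune them to its
    own risk appetite and remediation capacity.
    """
    queues: Dict[str, List[str]] = {"immediate": [], "planned": [], "backlog": []}
    for f in triage(findings):
        s = priority_score(f)
        if s >= immediate_at:
            queues["immediate"].append(f.finding_id)
        elif s >= planned_at:
            queues["planned"].append(f.finding_id)
        else:
            queues["backlog"].append(f.finding_id)
    return queues


# Constructed sample scan output: six findings across four assets.
SAMPLE_FINDINGS = [
    Finding("VULN-001", "public-web", 9.8, True, True),
    Finding("VULN-002", "public-web", 5.3, True, True),
    Finding("VULN-003", "intranet-wiki", 9.1, False, False),
    Finding("VULN-004", "intranet-wiki", 4.0, False, False),
    Finding("VULN-005", "payments-api", 7.5, True, True),
    Finding("VULN-006", "build-server", 6.5, False, True),
]


if __name__ == "__main__":
    print(f"{len(SAMPLE_FINDINGS)} findings in total, ranked by weighted priority:")
    for f in triage(SAMPLE_FINDINGS):
        print(f"  {f.finding_id:9} {f.asset:14} cvss={f.cvss:4} -> {priority_score(f)}")
    for queue, ids in bucket(SAMPLE_FINDINGS).items():
        print(f"{queue:10}: {ids}")
```

Note how the weighting reorders the list: a medium-severity finding on the internet-facing, business-critical web server (`VULN-002`) lands in the immediate queue, while a high-severity finding on an internal wiki (`VULN-003`) drops to the planned queue. Six findings become three immediate fixes, two scheduled ones and one backlog item, which is a far more useful answer to "what should we do with that data?" than the number six.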
Walking a tightrope: balancing risk aversion with innovation
As the CEO of a cyber security service provider, here is my somewhat controversial opinion: security is not the most important part of any business. Of course, the cyber threat is rising, so every organisation must implement a robust security strategy.
However, it is also vitally important that businesses do not allow overzealous cybersecurity measures to harm their capacity to innovate, take risks, and embrace new tools and technology. Unfortunately, this is the case within many organisations.
Addressing vulnerabilities
Today, CSOs, CISOs, and IT leaders face many competing priorities within their organisations. They are pulled in multiple directions and are expected to juggle an overwhelming amount of information while also making quick decisions to ensure all vulnerabilities are addressed.
As a result, many are suffering from burnout and are deciding to quit the industry altogether.
Risk-averse approach
Meanwhile, others have adopted “healthy paranoia” in their efforts to defend against the growing number of security threats in existence. This leads them to become resistant to adopting new technology and being extra forceful with their input.
This risk-averse approach is akin to using a sledgehammer to crack a nut: a disproportionate amount of effort that results in unintended negative impacts on other parts of the organisation.
Tunnel-vision approach
While risk aversion can be healthy, and it is in the best interests of a company to invest in cybersecurity, implementing overzealous security measures is likely to stifle the aspects of a company culture that can lead to global success.
A tunnel-vision approach to security that neglects innovation in favour of preventing total disaster could produce a culture without the aptitude for innovation or the appetite for taking chances on new ideas. This will demoralise the workforce, leading to lower productivity as the company is too fearful to take worthwhile risks, all of which are harmful to a company’s long-term survival as it loses market share to more fearless competitors.
Cybersecurity is a marathon, not a sprint
Fortunately, businesses do not need to panic when confronted with the scale of cybercrime, because for most organisations the risks are much lower than they may assume. Security experts can see threats around every corner, and while this is an important skill, it also needs to be kept in check.
Businesses must regularly take a step back and regain a sense of perspective on which risks are real and imminent, and which may become a danger in the future but do not require immediate measures.
Risk assessment
Of course, that is easier said than done, but there are tools and services on the market to help organisations assess risk realistically while providing warning of potential threats. This way, companies can improve their cybersecurity incrementally, rather than race to fix every vulnerability as soon as it is discovered.
By equipping IT teams with such tools, companies can take the necessary steps to reduce the risks of a cyberattack in the long term while spending fewer hours and resources on cybersecurity, thus ensuring budgets are spent more effectively.
A balanced perspective on cybersecurity
Security experts and their companies need to think rationally from a hacker’s perspective about which risks will lead to genuine harm and which are purely speculative.