Even though the number of cybersecurity incidents has been rising steadily for several years, there’s been an even more significant uptick in cyberattacks since early 2020. From my perspective as a chief security officer who has managed IT integrations across multiple acquisitions, it’s clear that a lot of business leaders still don’t fully appreciate the enormous risk that cyberattacks present.
If you think you might be in that category, here are four big things you should know about cybersecurity today. Hopefully, they’ll help change how you approach business risk management.
1. Cyberattacks have become increasingly sophisticated
Cybercriminals are no longer individual actors using rudimentary tools to target individual businesses. They’ve become much more sophisticated in terms of their tools, methodologies, and ability to customize ransomware packages. And they’re leveraging cryptocurrencies such as Bitcoin to help ensure they make money.
In the case of ransomware, it’s more profitable than ever for cybercriminals to infiltrate an IT system, lock down the data, and extract a ransom payment. Or, in the case of extortionware, cybercriminals are now publicly exposing stolen data if companies don’t agree to pay the ransom. This nefarious escalation can be extremely problematic if your business handles financial data or personally identifiable information that’s subject to compliance or regulatory mandates.
2. The threat landscape is getting wider
Based on information shared by US national intelligence agencies, we now know that some nation-states are attempting to disrupt critical US infrastructure, especially in the energy sector. After the ransomware attack that shut down the Colonial Pipeline, it should be crystal clear just how fragile our infrastructure is from a cybersecurity perspective.
Even though that attack impacted a large number of consumers, we’re fortunate that the damage wasn’t even more widespread. This attack also highlights why you now need to worry about your vendors, partners, and entire supply chain as well. The recent data breaches at SolarWinds and Kaseya illustrate a shifting mentality as cybercriminals seek ever-larger targets. If they can infiltrate your service provider’s systems, they might also be able to penetrate your company’s systems.
3. Detection and response are more critical than ever
Just three to four years ago, the common approach to cybersecurity was all about preventing attackers from getting inside a safe perimeter. If you had a mature cybersecurity organization, you could be relatively successful in defending your assets.
However, that approach isn’t nearly as effective these days, and you can’t assume your defenses will work. In fact, you should assume that they won’t work and that you will experience an attack if you haven’t already. That’s why it’s so much more important to be able to detect and respond to an attack in real time, utilizing tools such as extended detection and response (XDR). It’s also important to implement asset monitoring on a 24/7/365 basis. Anything less can lead to coverage gaps and security vulnerabilities.
4. Cybersecurity must be a board-level priority
IT teams are doing the best they can to ensure security, given their resources and budget. But cybersecurity shouldn’t be just an IT issue—it should have oversight at the highest level of the company.
If you have a board of directors and investors, you should have cybersecurity oversight at that level, just as you do for financials. In the past few years alone, many boards have created a charter for responsibility and oversight. And, speaking of financials, be wary about anyone trying to reduce the cybersecurity budget. The companies that tend to cut cybersecurity budgets likely haven’t experienced a breach. In contrast, any company that has endured an attack realizes why the cybersecurity budget must remain a high priority.
What you can do today
The best thing you can do as a business leader is to be realistic about cybersecurity across your organization. If you don’t have a mature security practice, you at least need a reliable incident response plan. After all, it’s more a matter of when—not if—you’ll experience an attack. And, if you don’t have the internal resources and expertise to handle cybersecurity, your next step should be looking for a reputable cybersecurity services provider to supplement your own team.