If you have yet to see a cybercrime statistic that convinces you that cybersecurity needs to be more than the domain of the IT department or cybersecurity contractor, here are a few to consider.
- Juniper Research puts the cost of cybercrime for 2019 at $2 trillion
- So far this year 10 billion records may have been subject to data breaches
- Spending on cybersecurity is estimated to reach $10 billion by 2027
- Cybint says 60% of companies have experienced cyber attacks
- 65% of security professionals expect to be dealing with a major breach in the next 12 months
- The average cost to recover from a cyberattack for a company with over $1 billion in revenue is $4.6 million, up from $3 million in 2018
- Half of cyberattacks are targeted at small businesses, but many invest less than $500 in cyber security
- A cyberattack on a small business costs $200,000 on average and 60% go out of business within six months of an incident
- And, according to the 2019 Official Annual Cybercrime Report (ACR), a business will fall victim to a ransomware attack every 14 seconds
Increasing sophistication of attack vectors adds to risk
Some of these eye-opening statistics and more were published by CPO Magazine, others by TechBeacon and CNBC. Europol just released its latest report, in which it says cybercrime is getting bolder and increasingly focused on businesses. Cyber attackers’ tactics are becoming increasingly sophisticated, so much so that you could even be attacked by a drone, or by an attacker using social engineering or artificial intelligence to trick you. The statistics are scary, and the threat is great.
What should a cybersecurity strategy include?
To prevent cyberattacks and to cope with an attack if it occurs, a thorough and planned cybersecurity strategy is essential. Here are just a few elements such a strategy should include:
- Comprehensive assessment of threats, vulnerabilities and current infrastructure
- An evolving cybersecurity plan with continuous reassessment of risk
- The appropriate level of cybersecurity software and systems including firewalls, antivirus and anti-malware, for your business and industry
- Frequent vulnerability checks, software updates and patches
- A focus on data privacy including compliance with GDPR and other emerging global regulation
- Special attention to cloud systems and IoT devices which create new risks
- Ensuring third-party vendors have a cybersecurity strategy to match your own to minimize supply chain risk, another growing threat
- Constant monitoring for new threats locally and globally
- Adopting a culture of cybersecurity
- Ongoing employee training and a company-wide program of cyber security awareness
Our focus is cybersecurity culture and security awareness
It’s these last two points we’ll talk about in more depth; after all, they are our focus here at The Defence Works. A Forbes Insight/Fortinet survey this year of 200 CISOs found that companies with an enterprise-wide strategic approach to cybersecurity saw better results. The study also found that, among the highest priorities for cybersecurity funding this year, 14% of CISOs declared theirs was “creating a culture of security,” 14% said hiring more staff, and 13% said “better security training of employees.”
United Airlines CISO Emily Heath says:
“Too often security puts themselves in a corner, with the weight of the world on their shoulders. And it really is the entire organization’s responsibility.”
Heath explains that cybersecurity “resides across the whole organization,” telling Forbes that to build its culture of security awareness, United Airlines created “cyber ambassadors” and “friends of security,” adding:
“We talk to our employees in very real terms about what cyber actually means so that it’s relevant to them within their job. So we have an entire team of people who focus on the cultural aspects of embedding security within United’s operations and within our education and awareness team.”
The cliche is that “employees can be the weak link”, but the reality is that they can be your strongest defence
Most successful cyber attacks have an employee at their origin, one who unsuspectingly gets manipulated or makes a mistake, though there can be malicious actors internally too. With cyberattacks often occurring via vectors such as phishing attacks, it is vital that every employee within an organisation both understands cyber risk and buys into a corporate-wide cybersecurity strategy. The answer to both these tasks, coupled with deploying security systems and software, is a culture of cybersecurity which includes cybersecurity education and security awareness.
Achieving a cybersecurity culture
SecurityIntelligence writes that a culture of cyber awareness is attainable and that CISOs would stress less if they were confident the whole of their organisation was cyber risk aware. A culture of cybersecurity should include:
- Expecting mistakes
- Not punishing errors
- Building morale
- Regular training
- Achievable, company-wide goals
And, of course, security awareness training. Not convinced? Try 5 Ways Security Awareness Training Prevents Cybercrime.