Organizations are under an ever-growing host of threats. We’re seldom as safe as we think. Information Security Forum’s Steve Durbin outlines some standard beliefs it’s time to call into question.
While the internet is an essential business conduit for countless organizations, it also harbors many serious security threats. Cybercrime is positively thriving in the midst of a pandemic that has caused major disruption across the globe. The specter of state-sponsored attacks, the rapid proliferation of connected devices and the difficulty of securing disparate networks spanning countless cloud services have fostered an ideal environment for cybercriminals.
Business losses due to data breaches caused by cybercrime are expected to top $5 trillion by 2024, according to Juniper Research – an increase of almost 70 percent from 2019. With 5G networks on the horizon offering greater connectivity and speed, the threat of targeted campaigns by cybercriminals looms large, and concerns about the damage malicious insiders can wreak are growing.
Complicating these threats, and throwing up barriers to solving them, are some widely accepted business paradigms that need to be challenged.
1. Overreliance on Technology Over People
Digital transformation has progressed rapidly across the business world, and it has brought many benefits, but the rush to embrace technology as a panacea for all problems has led to overreliance upon it. Organizations will happily set aside big budgets for security software, but – with skilled professionals in short supply – they may lack the internal knowledge to configure it properly and extract maximum value from it.
The reality is that people are often the easiest way for cybercriminals to gain access to data. The success of social engineering scams and the major role phishing plays in infiltrating networks point to a need to invest less in technology and more in people. It’s not enough to have strong security policies in place; companies must ensure that employees are fully cognizant of the guidelines.
Security awareness training should be regular and compulsory for everyone. Follow-ups and mock phishing tests can provide valuable data on whether the training is sinking in properly and highlight candidates for further work. Particularly now, when more people than ever before are working at home (often in insecure environments and using personal devices), instilling good security hygiene is vital.
2. Faith in Business Continuity or Disaster Recovery Plans
Many organizations believe the best way to get through a crisis is with a business continuity plan, and the importance of disaster recovery plans is widely accepted. The problem with putting a lot of faith in business continuity plans is that they rarely cater to long-term problems. The focus is usually on dealing with a bump in the road and then returning to “normal” as swiftly as possible. But what if the goalposts have moved? How do organizations adjust to a new normal?
While it does make sense to plan for different scenarios, it’s crucial to foster genuine agility and resilience in a business. All employees, not just security professionals, should be empowered to assess, highlight and proactively tackle security risks before they develop. Businesses must be adaptable, which requires a flexible mindset and the ability to change gears and throw out false assumptions based on emerging evidence.
3. The Board Always Knows What’s Best
Corporate boards should contain plenty of experience and wisdom, but business leaders are every bit as susceptible to common worries as the rest of us. While boards may perform admirably in familiar situations, setting a course based on past experience, what happens when businesses sail into uncharted waters? The idea of the omnipotent board can lead to disaster.
To combat this, organizations should maintain a clear and concise vision of business-critical functions. It must be transparent what data, resources and systems are essential. Everyone in the company must take responsibility for protecting this valuable core and weigh in with their opinions. The idea of boards shutting themselves away and issuing commands without proper input from everyone concerned is deeply flawed. Security must be woven into the fabric of the organization so that it is factored into the daily life of every employee.
4. Compliance with Regulations Means the Organization is Secure
As technological disruption has gathered pace over the last few years, regulators have struggled to keep up. It is a legal duty to ensure compliance with regulatory frameworks, but it is not a guarantee of safety and security. For global businesses, there’s a complex, ever-evolving set of regulations to keep up with. Focusing too much on compliance as an end goal can cause companies to take their eye off the ultimate motivation, which is to secure data.
Adhering to legal regulations is not optional, and no business can afford to ignore them, but leaving security planning up to external institutions and regulators is risky. Businesses should adopt an integrated approach: ensuring compliance, but also approaching risk management from an educated perspective, with the right talent keeping business-critical functions at the forefront.
These assumptions will be deeply entrenched at many organizations and may prove difficult to challenge, but they must be challenged if companies are to secure a healthy future in such uncertain times.