Are Your Customers Cybersecurity Ready? by Jacob Hill, Lead Marketing Manager, Security, AT&T
If cyber-crime were a business, its annual earnings – $500 billion – would rank third nationally among major corporations.
By 2020, cyber-crime is projected to cost the global economy $2.5 trillion. Meanwhile, over 2 million new malware attacks are launched every day – and threats thought to be over, like WannaCry, are still out there.
As unnerving as the facts are, there’s another fact your customers should know: they can become cybersecurity ready, prepared to deal with attacks when they hit and even evade them before they strike. The steps are outlined in a new AT&T-sponsored research report by IDC, Cybersecurity Readiness: How “At Risk” Is Your Organization?
Levels of cybersecurity readiness
For the report, IDC surveyed over 800 C-level IT and line-of-business executives in large and mid-sized companies around the world. Their research identified four distinct levels of preparedness against cyber-attacks.
• Passive: Little C-level involvement. Infrequent policy and procedure reviews or third party risk assessments. Breaches go largely unnoticed.
• Reactive: C-suite relies on IT for security expertise. Reviews and risk assessments occur quarterly. Breaches handled as they happen.
• Proactive: C-level pays closer attention to security. Current attacks are confronted; future ones anticipated. Reviews and risk assessments occur monthly.
• Progressive: Deep C-suite involvement. While defending against possible breaches, the value of data that might be taken is reduced. Reviews and risk assessments are ongoing.
In addition to establishing the different levels, the report offers real-world recommendations:
1. Start at the top
Like any vital element of a corporation’s culture, cybersecurity readiness must permeate every level of an organization, starting with the board of directors and C-suite executives.
IDC found that 60 percent of Progressive companies reported their top leadership paid “very close” attention to security issues, with daily briefings and a “hands on” attitude. That attitude makes it clear to mid-level management and employees that policies should be adhered to, best practices followed, and key assets identified and protected.
To nurture the necessary involvement of upper management, CIOs and CISOs need to stop “speaking geek” in the boardroom and present new cybersecurity investments in terms of ROI, improved productivity and higher profits (there really is a correlation).
2. Business must assess risks to avoid disasters
Beyond the dollars-and-cents costs that make headlines, every breach deals less quantifiable damage to a brand’s reputation and customer loyalty. These are two more reasons why frequent risk assessments and reviews should be an essential part of an organization’s overall cybersecurity stance.
Not surprisingly, IDC found that the most security-ready organizations performed risk assessments and reviews almost continuously. That may sound like an overreaction, but in a world where new risks emerge every day (remember all that malware?) it’s really nothing more than cold common sense.
3. Business should partner with a 3rd Party
First, consultants free up in-house IT talent to handle critical day-to-day functions. Second, as cyber-threats and solutions continually evolve, third parties bring the up-to-date knowledge and expertise that few in a business have the time to acquire. Finally, the most security-ready companies have found an impartial third party is the best candidate to perform thorough risk assessments.
Yet even near-continuous assessments are a waste of time unless they lead to substantive change. Progressive organizations aren’t shy about updating procedures, adopting new strategies and investing in the most advanced security solutions.
4. Organizations should defend the 20 percent that matters most
Learn the lesson military strategists have known for centuries: defending everything is the surest way to lose everything. Especially since SaaS, cloud, mobile and bring-your-own-device (BYOD) platforms have rendered any “perimeter defense” impossible.
Instead, using asset inventory and data classification tools, businesses should identify the data that matters most to the organization and its customers. It will amount to no more than 20 percent of total assets. These are the company’s crown jewels, deserving the effort and expense of the latest security technologies. Lesser assets might be entrusted to a managed security service provider.
5. Invest. And then invest again.
Like any other aspect of a business, plowing money back into cybersecurity – especially in defense of that 20 percent – will only pay off. IDC discovered that Progressive organizations are in the habit of upping their security spend by as much as 40 percent every year, compared with more Passive concerns that settle for a 17 percent increase.
Right now, the most security-ready companies are investing in advanced threat detection and mitigation solutions, vulnerability management, data security, web security and even cloud application security brokers.
While only 16 percent of companies can be considered Progressive in their approach to cybersecurity, there’s no reason that percentage can’t grow. For the full story, share the full report, Cybersecurity Readiness: How “At Risk” Is Your Organization?, with your customers.