Invest Now, Save Later: The Best Business Strategy Against Cyber Attacks
The key to mitigating cyber risk is a shift in mindset — from a reactive to a proactive approach — along with a corresponding investment.
It’s no secret that the consequence of a cyber breach can be significant fiscal damage to an organization. Last year alone, the cost of global incidents totaled more than $45 billion, according to the Internet Society.1
Beyond fiscal loss, cyber breaches also pose serious risks to corporate reputation and customer trust; in extreme cases, it can even lead to the demise of an entire enterprise. That was the unfortunate fate of the American Medical Collection Agency, which was crippled by losses so severe following a hacking incident last year that its parent company filed for Chapter 11 protection.2
While the current cyber threat landscape is unnerving, organizations may be encouraged to know that a majority of breaches can be averted with advanced planning. The same Internet Society report shows that a remarkable 95 percent of the 2018 breaches were in fact preventable.
With this knowledge in hand, why don’t more organizations take a proactive approach to cybersecurity? One rationale points toward outdated thinking. Many companies still operate from a defensive posture in an attempt to save money. They concentrate their resources on building tall walls and responding to incidents. Although both are important aspects of a defense-in-depth strategy, they are still only pieces of a holistic system security plan and are inadequate for achieving the goal of a robust cybersecurity strategy.
Because allocating digital dollars is difficult — especially when an organization lacks strategic cybersecurity direction — the simple solution is to forgo upfront investment and trust the perception that in-place security is good enough. Companies that follow this line of thinking are in for a rude awakening: Responding to a breach is typically more expensive than preparing in advance.
Effective mitigation of cyber risk requires a shift in mindset — from reactive to proactive — along with a corresponding move toward investment in risk reduction. With a structured strategy prioritized to achieve impactful gains, organizations can go from patching and updating to a culture of continued improvement and maturation that is fiscally balanced to meet specific cybersecurity needs.
How to Get Started
The first step toward proactively addressing cyber risk is developing a formal cybersecurity strategy. At its most basic, that means having a plan. You need a prioritized approach that includes making decisions with foresight versus implementing temporary solutions.
This methodology should go beyond technical issues and include strategic concepts as well. Proactive security is not just about passive scanning for threats and setting up firewalls. It’s about developing a detailed game plan involving your people, processes and technology.
Assessing the following areas, among others, is imperative: policy and procedures, network design and structure, assets, people, and strategic implementation.
Gaining an independent evaluation of these areas can be challenging, however. That’s where a third party can help — by providing an unbiased evaluation that includes designing and implementing a tailored and prioritized strategy. Through this objective and effective approach, you’ll gain a true foundational understanding of your existing network capacity in comparison to industry best practices and identify the risk from potential gaps.
Who, What, and Where?
As part of your cybersecurity strategy, developing a robust network map is essential. The goal is to create a holistic view of your organization’s cyber components by identifying all devices connected, along with their network interactions. Unless you are aware of the critical value your technology plays in maintaining business operations, you’ll find it very difficult to implement an effective cyber strategy.
Want more insights from our latest content? Click here to subscribe based on your specific area of interest.
But knowing what you have is only half the battle. You also need to determine where each device lives, what it is connected to, and who has access to it. These are key building blocks in developing a comprehensive cybersecurity program that will continuously improve in its capacity to prevent breaches and secure the network. You’ll also reduce latency in discovering unauthorized access and failed attempts.
Mitigating risk should always be a driver for change in the governance process. Cyber risk management is no different. Indeed, embracing cybersecurity as a risk category and incorporating best practices and policies into your organization’s cultural foundation provides the underpinnings of an effective cyber risk mitigation program.
Just as organizations assess risks to their financial, reputational, and operational well-being, risks from cyber threats should be considered among these categories.
With buy-in from senior executives, companies can firmly establish the required proactive cybersecurity mentality, driving essential cross-department collaboration and cooperation. Cultivating a proactive team who takes it as their personal responsibility to secure the organizational assets leads to better cyber threat detection and prevention.
Continue to Improve
The issues facing organizations today are complex and ever changing, requiring continued evolution and adaptation. With cyber risk, the pace of change is notably higher. More frequent assessment of existing policies and procedures is key to keeping pace.
By having an external, independent organization assess your cybersecurity program, you will gain an unbiased and holistic assessment of your existing network security program and risk profile. As the cyber threat landscape continues to mature, so should your cyber risk mitigation strategies.
All organizations are vulnerable to cyber risk. Effective and tailored breach prevention measures can help preserve your corporate reputation, operations, and financial standing.
© Copyright 2019. The views expressed herein are those of the author and do not necessarily represent the views of FTI Consulting, Inc. or its other professionals.
Senior Managing Director