Your cybersecurity plan may be doing more harm than good
Companies are spending more to prevent cyberattacks, but not getting results. Why, and what can you do better?
According to a recent World Economic Forum report, cyberattacks are the third-highest risk to businesses based on likelihood, behind only extreme weather and natural disasters. Yet Gartner, a global research and advisory firm, predicts that business spending on information security and cybersecurity tools and services will rise another 8.7 percent to a total of $124 billion in 2019.
How is it that we’re not seeing a decrease in cyberattack likelihood when businesses and organizations are spending more than ever to combat them? Christopher Gerg, vice president of risk management at Madison-based Gillware, a data recovery and risk management firm, says it’s all in our approach. “When you are really concerned about your organization’s cybersecurity, it’s easy to get in the habit of following the trendiest, latest products in hopes of alleviating that worry. But, what happens is businesses implement the latest and greatest tools without covering some very basic fundamentals. It’s like installing a premium sound system in your car but forgetting to put air in the tires.”
So, what are the best ways for businesses to spend time and money protecting themselves?
Except for rare cases where someone has it out for a company and wants to see them specifically damaged, or if a business is a bank or payment processor and has money to be stolen, the greatest information security threat to a business is malware, notes Gerg. Specifically, ransomware. “The reason is simple. The attacker is after money.”
Ransomware is a specialized evolution of viruses, worms, and trojans. The malicious software enters the environment through vulnerable computers attached to untrusted networks (think of coffee shop Wi-Fi networks or the public internet) or because someone clicks a link or opens a file in a malicious email from an attacker, tricking the recipient into thinking it was legitimate. The software then encrypts the important data on the system and attempts to infect other computers on the same network. A message may appear on the computer saying that the machine’s data is locked away and demanding that a ransom be paid in a cryptocurrency like bitcoin. Bitcoin transactions are recorded on a public ledger but are pseudonymous, so a payment is hard to tie to a real person, which is why attackers favor it. The requested ransom amounts have increased significantly in the past years, says Gerg, as the cybercriminals’ ability to interrupt the business of entire companies before being noticed has improved.
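The encrypt-then-spread sequence described above is also the behavior a defender can look for on an endpoint. The following Python script is an added example written for this article, not code from Gillware or from the article's author. It runs a simple ransomware-behavior detector over a constructed, labelled set of file-system events (no real telemetry): a process is flagged when, inside a short time window, it repeatedly overwrites ordinary documents with ciphertext-like high-entropy data or renames them to an unfamiliar extension. A backup tool that legitimately writes high-entropy archives is deliberately included so the example shows why entropy alone is not enough. Process names, paths, thresholds, and the event format are all assumptions made for the example.

```python
import math
from collections import defaultdict, deque
from typing import Dict, List, Optional

# Formats whose contents are normally high-entropy (compressed or already encrypted),
# so a high-entropy write to them is not by itself suspicious.
EXPECTED_HIGH_ENTROPY_EXTS = {".zip", ".gz", ".7z", ".png", ".jpg", ".pdf", ".mp4"}

# Ordinary document formats that ransomware typically targets.
DOCUMENT_EXTS = {".docx", ".xlsx", ".pptx", ".txt", ".csv", ".sql"}

# Bits per byte. Plain text usually sits near 4-5; ciphertext and good compression near 8.
HIGH_ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def extension(path: str) -> str:
    dot = path.rfind(".")
    return path[dot:].lower() if dot != -1 else ""


def score_event(event: dict) -> Optional[str]:
    """Return a reason if this single event looks like ransomware activity, else None."""
    if event["op"] == "write":
        ext = extension(event["path"])
        if ext in EXPECTED_HIGH_ENTROPY_EXTS:
            return None  # archives, images, etc. are expected to look random
        if ext in DOCUMENT_EXTS and shannon_entropy(event["data"]) >= HIGH_ENTROPY_THRESHOLD:
            return f"high-entropy overwrite of {event['path']}"
    elif event["op"] == "rename":
        src_ext, dst_ext = extension(event["path"]), extension(event["new_path"])
        if src_ext in DOCUMENT_EXTS and dst_ext not in DOCUMENT_EXTS | EXPECTED_HIGH_ENTROPY_EXTS:
            return f"document renamed to unfamiliar extension: {event['new_path']}"
    return None


def detect_ransomware(events, window_s: float = 10.0, threshold: int = 5) -> Dict[str, List[str]]:
    """Flag any process with >= threshold suspicious events inside a window_s-second window.

    `events` must be sorted by time. Returns {process: [reasons in the window that tripped]}.
    """
    recent: Dict[str, deque] = defaultdict(deque)  # process -> deque of (time, reason)
    flagged: Dict[str, List[str]] = {}
    for ev in events:
        reason = score_event(ev)
        if reason is None:
            continue
        q = recent[ev["process"]]
        q.append((ev["time"], reason))
        while q and ev["time"] - q[0][0] > window_s:  # drop events outside the window
            q.popleft()
        if len(q) >= threshold and ev["process"] not in flagged:
            flagged[ev["process"]] = [r for _, r in q]
    return flagged


# --- Constructed sample events (assumed format; not real endpoint telemetry) ---
PLAINTEXT = b"Quarterly revenue summary: region north, region south. " * 20
# Every byte value equally often -> exactly 8.0 bits/byte, a stand-in for ciphertext.
RANDOM_LOOKING = bytes(range(256)) * 4


def _ev(time, process, op, path, **extra):
    return {"time": time, "process": process, "op": op, "path": path, **extra}


SAMPLE_EVENTS = [
    # Normal office work: low-entropy document saves.
    _ev(0.0, "winword.exe", "write", r"C:\Users\alice\Documents\report.docx", data=PLAINTEXT),
    _ev(1.0, "excel.exe", "write", r"C:\Users\alice\Documents\budget.xlsx", data=PLAINTEXT),
    # Legitimate backup tool writing compressed archives: high entropy, but an expected format.
    *[_ev(2.0 + i * 0.1, "backup.exe", "write", rf"D:\backups\set{i}.zip", data=RANDOM_LOOKING)
      for i in range(8)],
    # Ransomware-like burst: overwrite documents with ciphertext, then rename them.
    *[_ev(5.0 + i * 0.2, "svchost_fake.exe", "write",
          rf"C:\Users\alice\Documents\file{i}.docx", data=RANDOM_LOOKING) for i in range(4)],
    *[_ev(6.0 + i * 0.2, "svchost_fake.exe", "rename", rf"C:\Users\alice\Documents\file{i}.docx",
          new_path=rf"C:\Users\alice\Documents\file{i}.docx.locked") for i in range(4)],
]


if __name__ == "__main__":
    for proc, reasons in detect_ransomware(SAMPLE_EVENTS).items():
        print(f"ALERT {proc}:")
        for r in reasons:
            print("  -", r)
```

Running the script reports only `svchost_fake.exe`; `backup.exe` stays quiet because its high-entropy writes go to an archive format, and the office applications never cross the entropy threshold. Real endpoint tooling adds more signals than this (volume of files touched, canary files, shadow-copy deletion), but the combination of "what is being written" and "how fast" is the core of most behavioral ransomware detection.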
We live in confusing times
Unfortunately, the solutions put in place to mitigate these cyber risks are often just muddying the waters.
“First, and with the best of intent, governments and organizations have created laws, certifications, and requirements to protect payments, personal data, privacy, and communication,” explains Gerg. These regulations are typically a hodgepodge of letters and numbers that mean little to the average observer — things like PCI-DSS, PCI-3DS, PA-DSS, P2PE, AICPA Trust Services Criteria, FedRAMP, GLBA, Sarbanes-Oxley, FISMA, FERPA, GDPR, PIPEDA, CCPA, HIPAA, SSAE-16, SAS-70, SOC2 Type x, and more.
“Very often these laws and requirements do not account for the real-world technical challenges, edge conditions, interpretation, and applicability,” Gerg says. “Add on top of that a myriad of best practice frameworks, each written differently, written to fit a specific law or requirement, written to address the needs of a particular industry, or written to try to address every possible organization or situation.”
Further adding to the confusion are the multitude of businesses selling solutions claiming to remedy a company’s vulnerabilities, when most only address the tip of the iceberg, if anything at all. “Gap analysis, risk scores, audit readiness, monitoring tools, management tools, antivirus, antimalware, anti-spam, encryption, authentication and authorization tools, the cloud — each of them expounding on how they are built on proven technologies, or that they are better because they are new and disruptive,” says Gerg. “What results is what we call the ‘whack-a-mole’ scenario: multiple point solutions that each cost money, take time to manage, and provide questionable benefit when taking the complexity — and IT department’s limited availability — into account.
“And did I mention that there’s a shortage of qualified information security experts, despite many [people] claiming that they are experts?”