How to Invest in Cybersecurity?
An increasing number of companies worldwide have come to realize that cybersecurity is an important factor in the running of a successful business. A recent study done by Accenture reported that the average annual cost of preventing cybercrime in 2017 was $11.7 M, a 23% increase from 2016. As a result of this knowledge, companies have scaled up their investments in defending against cyber attacks.
However, many of these investments do not gain traction. In fact, in the same study, Accenture also discovered that each company with a cybersecurity program experiences 130 breaches per year, a 27.4% increase from 2016. With this in mind, a reasonable question for companies to ask is: what are the most efficient investments to make in order to be protected from cyber attacks?
In the interview below, Alexey Stoletny, Managing Director at Sigma Software Inc. (USA) and cybercrime expert, shares his view on how to make the most out of your investment.
Alexey, research shows that, in many cases, a company itself makes cybercrime possible. Can you name some of the most common mistakes companies make when creating and implementing a cybersecurity strategy?
One of the most common and critical mistakes companies make is focusing solely on the technical aspect of cybersecurity. For example, let’s say a company spends thousands of dollars on network perimeter security, investing in the best firewalls, intrusion detection systems, web application firewalls, and so forth. After such a large investment, that company would expect to see results; however, instead, a security breach happens. Why? Because the company has neglected to provide its employees with proper training.
Cybersecurity is a holistic system: a separate solution will not help that much; instead, companies need to apply a set of measures. One such measure is training employees, making them aware of what security is and how it works. Keep in mind that "a chain is only as strong as its weakest link"; if that weakest link is the company’s people, then it’s likely the breach will be due to their lack of preparation.
Many companies realize that cybersecurity is a complex issue; in order to implement it correctly, they need to find a security organization capable of success. However, when choosing a partner, companies often make the mistake of assuming that cybersecurity solutions are comprehensive and suit any business. In fact, the threats that an advertising company may be exposed to differ from those in, say, aviation, e-commerce, telecommunications, healthcare, or construction. If your cybersecurity partner doesn’t have experience in your particular industry, then there is a greater chance that their solutions won’t meet your expectations and won’t be efficient in preventing breaches.
Furthermore, an important detail many companies forget to consider is who their potential attackers might be, where they come from, and what consequences the breaches may have on their business. Imagine that you use an internal system to store all of your sensitive data, and that this data is not accessible from the outside, as it has solid protection in place from any external breaches. Even with strong security in place, some good questions to ask are: Where might any attackers come from? Are they internal or external attacks? What happens if there are data leaks? How much will it cost to fix any issues? How much of a loss will there be from potential opportunities? Knowing the answers to these kinds of questions, and approaching security with them in mind, a company will be able to build a wall that will be hard to break.
Finally, another common mistake is investing in security just to be compliant with some standards. Being compliant won’t keep your company safe from attacks. What companies should do is evaluate their risks: some breaches can cost a fortune and a reputation, while others may not affect their business much.
There is no bulletproof protection plan. There can be thousands of different risks, but there is no need to try to eliminate every one. Instead of trying to cope with all risks, what can help is a better understanding of the matter: companies should know what they are protecting, evaluate how a protection measure will help overall, and decide whether the protection is worth the cost or not.
Where do most companies fail in expecting danger? What would you advise in these situations?
Many companies do not expect “social attacks,” meaning breaches from their employees, partners, customers, and trusted persons.
A good concept to follow is to always “assume breach.” Given today’s threat landscape, a company should acknowledge that a breach has either already occurred, or that it’s only a matter of time until it does. “Assume breach” is a mindset that limits the trust and assumes both internal and external tools, applications, services, and people are not secure and probably already compromised. It’s a very useful approach.
We all remember the incident with Facebook last year. Surely, Facebook had a serious cybersecurity strategy in place. In your opinion, what might have happened? And why do companies, even those as influential as Facebook, let such incidents occur over and over again?
What many people do not realize is that no company can consider itself to be completely secure. There is no such company that cannot be hacked, and no security plan can guarantee safety from every attack. Furthermore, with technology continuing to advance, new opportunities for cybercrime appear every day.
In regard to Facebook, they had a strong technical strategy, but I think they underestimated “social attacks.” They made the mistake of granting access to sensitive information to the wrong people, without having implemented proper controls for that part of their security.
Finally, what does Sigma Software offer companies in regard to cybersecurity?
Sigma Software provides comprehensive security services: we advise on security strategy, create a solution that meets security requirements, run audits, and carry out incident response.
In our work, we do not focus on the bulletproof approach; instead, we focus on making attacks unprofitable by continuously running assessments, pentests, and red team exercises, as well as applying the “assume breach” approach, developing incident response (IR) playbooks, and conducting trainings, both on security and on the new GDPR.
Finally, similar to what I mentioned above, Sigma Software is a security partner with expertise in a vast array of markets, and, as such, we can advise on the most suitable solution for your unique company.