Is your business cybersecurity ready?
Find out where your business lands on the cybersecurity readiness scale
If cybercrime were a business, its annual earnings – $500 billion – would rank third nationally among major corporations.
By 2020, cybercrime is projected to cost the global economy $2.5 trillion. Meanwhile, over 2 million new malware attacks are launched every day – and threats you thought were over, like WannaCry, are still out there.
As unnerving as the facts are, there’s another fact you should know: you can become cybersecurity ready, prepared to deal with attacks when they hit and even evade them before they strike. The steps are outlined in a new AT&T-sponsored research report by IDC, Cybersecurity Readiness: How "At Risk" Is Your Organization?
Levels of cybersecurity readiness
For the report, IDC surveyed over 800 C-level IT and line-of-business executives in large and mid-sized companies around the world. Their research identified four distinct levels of preparedness against cyberattacks.
- Passive: Little C-level involvement. Infrequent policy and procedure reviews or third party risk assessments. Breaches go largely unnoticed.
- Reactive: C-suite relies on IT for security expertise. Reviews and risk assessments occur quarterly. Breaches handled as they happen.
- Proactive: C-level pays closer attention to security. Current attacks are confronted; future ones anticipated. Reviews and risk assessments occur monthly.
- Progressive: Deep C-suite involvement. While defending against possible breaches, the value of data that might be taken is reduced. Reviews and risk assessments are ongoing.
In addition to establish the different levels, the report offers real-world recommendations:
1. Start at the top
Like any vital element of a corporation’s culture, cybersecurity readiness must permeate every level of an organization, starting with the board of directors and C-suite executives.
IDC found that 60 percent of Progressive companies reported their top leadership paid “very close” attention to security issues, with daily briefings and a “hands on” attitude. That attitude makes it clear to mid-level management and employees that policies should be adhered to, best practices followed, and key assets identified and protected.
To nurture the necessary involvement of upper management, CIOs and CISOs need to stop “speaking geek” in the boardroom and present new cybersecurity investments in terms of ROI, improved productivity and higher profits (there really is a correlation).
2. Assess risks to avoid disasters
Beyond the dollars-and-cents costs that make headlines, every breach deals less quantifiable damage to your brand’s reputation and your customers’ loyalty. Two more reasons why frequent risk assessments and reviews should be an essential part of your organization’s overall cybersecurity stance.
Not surprisingly, IDC found that the most security-ready organizations performed risk assessments and reviews almost continuously. That may sound like an overreaction, but in a world where new risks emerge every day (remember all that malware?) it’s really nothing more than cold common sense.
3. Learn what third-party providers can provide
First, they free up your in-house IT talent to handle critical day-to-day functions. Second, as cyberthreats and solutions continually evolve, third parties bring the up-to-date knowledge and expertise that few in your organization have the time to acquire. Finally, the most security-ready companies have found an impartial third party is the best candidate to perform thorough risk assessments.
Yet even near-continuous assessments are a waste of time unless they lead to substantive change. Progressive organizations aren’t shy about updating procedures, adopting new strategies and investing in the most advanced security solutions.
4. Defend the 20 percent that matters most
Learn the lesson military strategists have known for centuries: defending everything is the surest way to lose everything. Especially since SaaS, cloud, mobile and bring-your-own-device (BYOD) platforms have rendered any “perimeter defense” impossible.
Instead, using asset inventory and data classification tools, identify the data that matters most to your company and your customers. It will amount to no more than 20 percent of your total assets. These are your company’s crown jewels, deserving the effort and expense of the latest security technologies. Lesser assets might be entrusted to a managed security service provider.
5. Invest. And then invest again.
Like any other aspect of your business, plowing money back into cybersecurity – especially in defense of that 20 percent – will only pay off. IDC discovered that Progressive organizations are in the habit of upping their security spend by as much as 40 percent every year, compared with more Passive concerns that settle for a 17 percent increase.
Right now, the most security-ready companies are investing in advanced threat detection and mitigation solutions, vulnerability management, data security, web security and even cloud application security brokers.
Get the whole story
While only 16 percent of companies can be considered Progressive in their approach to cybersecurity, there's no reason that percentage can't grow. For the full story, view the full report, Cybersecurity Readiness: How "At Risk" Is Your Organization?