Cyberattacks are common enough that a new breach can quickly feel like old news. But for businesses that suffer such an incident, a cyber intrusion won't become old news for a very long time. The road to recovery is invariably a rocky one, and it gets harder the smaller your company is. Many small- and medium-sized businesses won't ever recover from a breach. So why aren't companies doing more to stop breaches?
A lack of cybersecurity urgency among businesses
If there's a rainstorm, do you take an umbrella outside? If there's ice on the sidewalk, do you watch your step? If there's a breach on the horizon, do you defend your enterprise? These are all questions to which the clear answer is "Yes." Yet many businesses aren't treating cybersecurity with the urgency it deserves. This is a big problem, since according to a recent Forrester study, "at least 60 percent of organizations will suffer a security breach" in 2015. That is not the kind of statistic businesses can afford to ignore, yet many do.
Perhaps the biggest problem surrounding organizations and cybersecurity is a lack of planning. After all, tools like email encryption can't be retroactively applied. If your business' email account gets attacked, no amount of email security after the fact will erase the reality that the breach happened. And that can have a lasting - and sometimes even irreversible - impact on customer loyalty. As the Forrester paper asserted, the lack of an incident response plan is one of the key reasons why breaches happen.
"Incident response is one of the most overlooked areas of information security," Forrester stated. "It is impossible to prevent every breach, and when they do occur, [security] pros find themselves inadequately prepared to respond."
But as a recent ZDNet article argued, a dearth of incident response plans may not be such a large factor in the scale of breaches. Instead, the ZDNet piece asserted that the big pain point for most organizations is the inability of IT staffers to "respond under stress" when a cyberattack occurs.
"IT folks are not first responders," cybersecurity professional Mike Murray told ZDNet. "First responders are trained for crisis and disaster, IT people are not."
So then what is the best solution for organizations? Get better response plans? Train IT workers to act like firefighters? If you haven't guessed already, in the realm of enterprise security, there is no one solution.
Giving business security the attention it deserves
It's time for most organizations to reframe how they view cybersecurity. No, it is not optional. Yes, it should cover every aspect of the business network. And yes, without the proper defenses in place, an attack will happen. But the scary prospect of getting breached is countered by how relatively easy it is to defend your business. Here are some rules to follow in mounting a comprehensive network security policy:
- Be a leader in security - don't delegate the task to employees. It is not the responsibility of the employees to keep a business safe from attack - it is the job of the enterprise's administrators and the plan they choose to implement, as WIRED has pointed out. Some companies will hold extensive training sessions in the hope of instilling in every employee the cybersecurity knowledge that will prevent an attack. But that is no real plan at all, because, as the WIRED article suggests, to expect a suitable level of defensive computing from layperson users "is laughable." Instead, businesses need to enact a plan and a set of defensive tools that all employees can actually follow.
- Defend every point of network entry with two-factor authentication. There are likely many different ways to gain access to your business' network, and every one of these should be guarded with multifactor authentication. The past year has proven that passwords - no matter how complex - are highly breachable, and that one of the only safe ways to guard a network platform is to have an additional identity-verifying wall that someone who hacked the network would not be able to bypass.
- Make sure your security matches your technology. If you are like most businesses out there, you're already speeding to adopt new technologies. But the race to adopt new and cutting-edge technologies can be detrimental if it's not matched by a commensurate boost in security. If, for instance, your business ups its mobility and incorporates a bunch of tablets into its network, that's fine, so long as those tablets are protected with resources that stop intruders in their tracks.
Cybersecurity needs to become a bigger priority among enterprises of all types and sizes. But the move toward more proactive protection does not have to be a cumbersome one. By putting business-defending tools like multifactor authentication in place, an enterprise can move toward greater overall security.