Preventing a cyberattack is more cost-effective than reacting to one, yet we have seen that many boardrooms still are not willing to assign the needed budget. Too many organizations still are not willing to spend money on preventive cybersecurity because they view it as an unnecessary additional expense. Later, they find they have to spend far more recovering from a cyber incident after they get hacked.
Cyberattacks like ransomware, business email compromise (BEC) scams, and data breaches are some of the key issues businesses are facing today, but despite the number of high-profile incidents and their expensive fallout, many boardrooms are still reluctant to free up budget to invest in the cybersecurity measures necessary to avoid becoming the next victim. The cost of falling victim to a major cyber incident like a ransomware attack can be many times more than the cost of investing in the people and procedures that can stop incidents in the first place. Often, this is something many organizations only fully realize after it is too late. Unfortunately, the person who may have recommended the preventative purchases gets fired as part of the post-breach clean-up.
"Organizations do not like spending money on preventative stuff. They don't want to overspend, so a lot of organizations will sort of be penny-wise and pound-foolish kind of places where they wait for the event to happen, and then they have the big expense of cleaning it up," Chris Wysopal, co-founder and CTO of cybersecurity company Veracode stated in a recent interview. It's then that they realize that they could have spent less if they had prevented the attack, he said: "A lot of organizations are going through that right now."
As an example, an organization might end up paying millions of dollars to ransomware criminals for the decryption key to an encrypted network; on top of that come the additional costs of investigating, remediating, and restoring the IT infrastructure of the whole business after the incident.
"Just the ransoms that organizations are paying, if they don't have cyber insurance, could certainly pay for a lot of cybersecurity professionals. And cyber-insurance rates are going up, so it's getting more expensive across the board for the organizations because of the threat," said Wysopal.
Even for organizations that do have a well-thought-out and documented cyber security strategy, training, hiring, and retaining staff can still pose a challenge because of the high demand for employees with the required skills. The supply and demand issue is not going to be solved overnight and, while Wysopal believes long-term investment in cybersecurity is vital, there are additional measures that can be taken to help get more people with cybersecurity skills into the workforce to help protect organizations from attacks. "One thing I would like to see is cybersecurity become part of every IT or computer science students' training, so that they had some understanding of cybersecurity as a professional, whether it's building and managing systems in an IT environment or building software," he explained.[1]
If IT or development staff have at least some understanding of cybersecurity, that can help organizations, particularly smaller ones that might not have a big budget. "I'm really pushing for that to be part of the curriculum and I've been working with a few colleges to make that part of the computer science curriculum," Wysopal said.
The following is what Red Sky Alliance recommends:
- All data in transmission and at rest should be encrypted.
- Proper data back-up and off-site storage policies should be adopted and followed. Do you have hot backup servers at another location?
- Engage a database security firm and review all locations and access points. Monitor and update access and levels. Does everyone need access to everything, all of the time?
- Implement two-factor authentication company-wide.
- For USA companies, join and become active in your local InfraGard chapter; there is no charge for membership. infragard.org
- Join an industry ISAC or ISAO that welcomes and allows cyber threat sharing and defense strategies; some of these are free or charge a nominal annual membership fee.
- Update disaster recovery plans and emergency procedures with cyber threat recovery plans. And test them.
- Institute cyber threat and phishing training for all employees, with testing and updating.
- Recommend/require cyber security software, services, and devices to be used by all at-home working employees and consultants. Require the IT team to review and approve all software and devices, and set some standards.
- Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
- Conduct dark web investigations: is your network access already for sale? What is the sales value of the data you are storing to buyers on the dark web? Are you an attractive target?
- Ensure that all software updates and patches are installed immediately. No exceptions.
- Engage the services of a company that can inform you of targeted cyber threats against your organization and that has the capability to feed these threat IPs into your SIEM daily for blacklisting.
- Purchase cyber insurance coverage.
- If you are presented with a ransom demand, remember the cyber actor may have already checked out the coverage amounts of your insurance and will demand the total amount or more. Do not open the demand email immediately, as the time clock for payment begins when you do.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization and offers proactive solutions to protect your networks. Cyber intelligence is a key component of your overall cyber security. For questions, comments, or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/3702558539639477516
[1] https://www.zdnet.com/article/too-many-bosses-are-reluctant-to-spend-money-on-cybersecurity-then-they-get-hacked/