In 1927 Lt. Col. J.L. Schley famously wrote: “It has been said critically that there is a tendency in many armies to spend the peacetime studying how to fight the last war”. The idea that Mr. Schley was conveying holds true in a theatre of war he would never have considered: cyberspace. Many organizations are still spending and preparing for what they faced 3 years ago. However, in a world that is changing more rapidly every year, this strategy is not just inefficient; it’s dangerous. Just within the past 2 years, we have seen the dramatic rise of a litany of ransomware strains that specifically target the education and healthcare sectors. In this same period, few organizations have considerably increased their cyber spending, while many have actively worked to reduce it in the name of cost savings. Safety in this brave new world of hyper-connectedness not only requires but demands constant adaptation.
In many cases, organizations operate under the mistaken assumption that their information security controls and spending are adequate because they have not suffered a breach yet. However, for a company that fails to invest in even basic cybersecurity, a breach is bound to occur; it is only a matter of time. The Identity Theft Resource Center reported that in 2017 there was a record of 1579 breaches, which exposed over 150 million sensitive records. Ransomware, phishing, and other cyber attacks continue to increase year over year. Investing in cybersecurity is not just a smart move; it could make a difference worth millions of dollars.
The dangers of taking a reactive approach to cybersecurity are numerous. Organizational leaders have all too often viewed the costs associated with a competent information security program as an unnecessary and extraneous expense. However, in this new age, cybersecurity must not be viewed through the lens of cost minimization at the price of efficacy. Instead, it must be understood as a product such as business liability insurance. When an organization underspends on its cybersecurity program, it substantially increases the risks to its information technology infrastructure. For a company with an insecure network and only a few disorganized security controls, a breach becomes a question of when, not if.
A proactive approach to securing critical information can significantly reduce risk at a very moderate cost. Proactive cybersecurity involves creating and maintaining a coherent security program with logical controls and a rational system of access to sensitive information. Technologies such as log monitoring, vulnerability scanning, intrusion detection, and firewall maintenance do not take major investment but substantially reduce the chance of a catastrophic cyber attack. Likewise, employee training on how to avoid common threats such as email phishing campaigns costs almost nothing but could save millions. Taking a proactive approach to cybersecurity is necessary given the nature of the threat; the only question is whether companies will make the investment.