Andy Hague

20191113

In the face of the mounting cybersecurity challenge, with hackers and malicious actors seemingly able to bring down entire countries at will, protecting a business seems an impossible task to many people – and a wasted expense. Why bother spending time, effort and money on cybersecurity, if it’s all just a matter of time?

The sentiment, though destructive, is understandable. Many businesses feel like they are facing an uphill struggle. In the first six months of 2019 alone, cybercrimes have caused $2 trillion in damages, and 87% of organisations say that they don’t have sufficient budget to meet their cybersecurity needs – not to mention the knowledge or resources.

The irony is that it is this despondency and complacency about cybersecurity which has led to the situation – it’s exactly what these bad actors want. The moment we abandon security is the day we hand over the keys to the kingdom. Sure, the barbarians are at the gates right now but there are a multitude of solutions we can implement to drive them back.

Complacency is your enemy too

Many organisations stick to only the basic technical solutions, thinking they will be enough to protect them from standard threats, and that anything else will just be an expensive, futile measure against an unstoppable force. But lax attitudes like this are only making things worse.

Most skilled hackers are able to overcome these rudimentary solutions with ease, particularly as new, often unprotected IoT devices are brought onto the network without a second thought. Research from Altman Vilandrie & Company found that in 2017 48% of US companies with IoT devices were breached. Cybercrime is evolving, this is true, and new threats are developing every year. But this is no reason to give up on technical solutions – especially the simple ones, such as ensuring all devices connected to an organisation’s network are protected.

People power and the power of people

It’s also crucial not to forget the human element of cybersecurity: it’s not all just battles between distant attackers and technical systems. Hackers are employing new tactics involving advanced social engineering to deceive users into divulging sensitive data, clicking on insecure links, or otherwise letting them inside the business’ defences. Of the 3,800 publicly disclosed breaches in the first six months of 2019, Kroll estimates that 88% of these were caused by human error and Kaspersky say it could be as high as 90%.

These figures go beyond staff too, which adds another layer of complexity to the problem. Every customer who engages with your organisation online represents another connection point and potential vulnerability. TechRepublic found that 50% of Internet users would click a link from an unknown sender while Verizon estimates that 92% of malware is still delivered via email. Humans continue to be the biggest obstacle to robust cybersecurity.

It’s with this human element that the vicious circle of complacency has the biggest impact. People believe that no matter what they do they will be hacked, so they don’t take the proper precautions, which opens the door to more attacks, which only reinforces the view that nothing can be done to properly protect themselves.

We need to stop this cycle.

Breaking the wheel of complacency

Cybersecurity professionals talk about the need for a culture of security within organisations. And arguably this should be a societal push, one that involves all of us as business owners, employees, and customers. This step-change must be led by example, starting with organisation leaders and decision makers, who should encourage a ‘secure by design’ strategy.

Companies must make the need for ‘secure by design’ solutions a more prominent aspect of their strategy, not something that is hidden in the IT department. Every employee should be briefed on how they can help the company stay safe, with proper, regular training on how to detect phishing emails and other potentially harmful scams.

Similarly, organisations need to take better stock of their IT departments and any challenges they might be facing; security briefings should become a regular occurrence. If someone was trying to break into your home every single day, you’d want to know what was being done to stop them and how far they’d gotten.

Anything that affects the network of your organisation needs to be fully considered and accounted for. Are employees bringing their own devices, plugging in their own storage drives, or are your teams purchasing new IoT equipment without informing the IT department? All of this needs to be taken into account and IT should have strict protocols in place to deal with any additional connection points brought into the business.

Security is only a problem when it doesn’t work; when everything is fine, we rarely hear anything. This needs to change. At present, the most high-profile cases of cybersecurity failures are the data breaches that make headline news, but even these run the risk of becoming too common to hold the public’s attention. In fact, a survey by CyberArk found that 31% of organisations would prefer to pay fines for not complying with regulations rather than invest in security reforms. But this only stands to leave them open to repeated attacks.

If we are to truly overhaul our cybersecurity infrastructure and keep ourselves safe from these increasingly dangerous attacks, then a culture change is needed now. We will need a concerted and organised pushback to enforce new and higher standards for cybersecurity all across the globe.

For a thorough examination of what you can do to ensure your organisation is protected and your team doesn’t become complacent, make sure to read our whitepaper ‘Secure by Design: A Roadmap to Cybersecurity Success’.
