Why are there still cybersecurity incidents?

Why are there still frequent, expensive and embarrassing cybersecurity incidents? With all the investments organizations are making to strengthen their defences, and all the media attention devoted to incidents, you’d think everyone has received the message and taken action to eliminate the possibility of more incidents. I’m surprised by the recent headlines that say otherwise:

1. Petro-Canada payments systems largely restored in the wake of a cyberattack: Suncor
2. Indigo admits the cyberattack was ransomware, employee data accessed
3. Data on as many as 100,000 Nova Scotia healthcare staff stolen in MOVEit breach
4. Indigo lost $50M last year, in large part due to the February cyberattack

What is causing management inaction about cybersecurity?

These incidents keep happening because it’s difficult for management to know how high their cybersecurity risk is and how far it needs to be managed down. There’s no silver bullet for eliminating the threat. Management often falsely believes that:

1. The IS department is managing the risk.
2. Its organization is too small or not attractive to potential attackers.
3. Media articles about cybersecurity incidents exaggerate the consequences.

Also, management is continuously under conflicting pressures, including:

1. Shareholder pressure for higher returns.
2. Competitors claiming to offer lower prices.
3. Customers not wanting to pay higher prices.
4. Employee pressure for higher pay.
5. IS leadership claiming that the cybersecurity sky is still falling after record spending on defences.
6. Suppliers wanting or needing to raise prices.
7. Management desires to preserve their bonuses by keeping costs down.

In this demanding business environment, management is reluctant to spend money on cybersecurity defences that appear to offer little return. In too many cases, this inaction has produced disaster.

What are the consequences of management inaction about cybersecurity?

You want to avoid these consequences of inadequate cybersecurity defences:

1. A headline about your cybersecurity lapses creating reputational damage among customers and suppliers, leading to loss of business.
2. The cost and business disruption of cleaning up after a cybersecurity incident.
3. Loss of revenue due to operational disruption.
4. The likelihood of an investigation and a fine from a regulatory agency.
5. Market share losses when theft of intellectual property creates competitors.
6. Tarnish to your carefully cultivated, stellar executive reputation

Even though the cost of prevention often feels high or even outrageous, it’s significantly cheaper than the cost of addressing the consequences of a cybersecurity incident.

What should management do about cybersecurity risk?

Start by conducting a cybersecurity risk assessment. This work creates facts that trump opinions, hunches, gut feelings, and denial.

The findings of a cybersecurity risk assessment will tell you:

1. What defences are working well. That fact builds confidence that some cybersecurity defences are working.
2. What defences need strengthening. Those findings form the basis for an action plan to reinforce specific cybersecurity defences.
3. What potential defences don’t exist. These items form the agenda for discussing additional cybersecurity defences to implement. No organization needs to address all the items on the list to lower cybersecurity risk.

The findings move the cybersecurity discussion from generalities about risk and cost to multiple specific, granular actions where management can concretely assess the value and cost.

What does a comprehensive cybersecurity risk assessment consist of?

Too often, management asks IS leadership for an opinion about the sufficiency of cybersecurity defences. No matter how confident management is in its IS leadership, that opinion, without supporting data, is dangerously misleading.

Determining what a comprehensive cybersecurity risk assessment consists of should include the following considerations:

1. Is an internally-developed cybersecurity assessment sufficient? An internally-developed risk assessment framework will not have the benefit of the contribution of many experts. However, it may be better tailored to your organization’s risks and priorities. It’s often better to base the risk assessment on a well-established cybersecurity framework.
2. What cybersecurity framework will it use? Select a framework appropriate for your industry and the organization’s size.
3. Who will conduct the cybersecurity risk assessment? Audit department employees do not have the requisite technical expertise. Someone from the IS leadership team may be tempted to produce an overly optimistic set of findings. The objectivity of an external consultant may provide sufficient value.
4. Who will participate in the cybersecurity risk assessment? Typically the individuals in the IS department that have a role in cybersecurity operations.

For more information about well-established cybersecurity frameworks, please read this article: Top 11 cybersecurity frameworks in 2023.

For a description of what a low-effort but comprehensive risk assessment entails, please watch this video: Assess your SMB cybersecurity defences at warp speed.

Acting on the findings of a competently conducted cybersecurity risk assessment can significantly enhance your organization’s cybersecurity defenses.

What ideas can you contribute to help organizations reduce the risk of cybersecurity incidents? We’d love to read your opinions. You can share that with us below. Select the checkmark for agreement or the X for disagreement. In either case, you’ll be asked if you also want to send your comments directly to our editorial team.