The Wall Street Journal recently posted an article on anticipated increases in cybersecurity spending for defensive techniques and tools in 2020. The article captures a disheartening reality considering that small and midsize companies often just buy a tool, rather than seek to manage their risk.
Small companies are hit hardest by data breaches. Our own research has shown that, despite a continued increase in spending, smaller firms are feeling the weight of data breaches 70 times more heavily than larger companies, at an average of 3.4% of their revenue per incident. Beyond data breaches, these firms are also increasingly targeted by low-level attacks, such as business email compromise and cyber extortion, which are now the two largest sources of insurance claims in some markets.
As a security practitioner and a U.S. Air Force cyberspace operations officer stationed at the NSA, I saw the same trend of victims mismanaging cyber risk by trying to buy more things. Ironically, spending more can be counterproductive to the goals of better security, as some organizations race to buy a tool that inevitably requires more spending on staff resources, training and integration just to get it working correctly.
Instead, small and midsize organizations should take the following steps to improve their cyber risk management.
1. Prioritize investments in cybersecurity.
One of the best places for any organization to start is to invest in understanding its broad IT/cyber risk exposure. A cost-effective way to do this is to explore cyber insurance with trusted risk advisors. The insurance industry has the potential to be a huge driver of better cybersecurity by helping organizations understand their risk and adopt better cyber hygiene. The path to reducing cyber risk is not necessarily about spending more, but spending where the risks are, and using everything at an organization’s disposal more effectively. This is particularly important for small and midsize organizations, whose time and resources to fully understand their exposures are limited.
2. Enhance cyber hygiene.
Cyber hygiene refers to the practices that system administrators and users follow to maintain security while working online. Just as poor personal hygiene can increase an individual’s risk of ill health, so too can ineffective cyber hygiene increase an organization’s exposure to cyber losses. Systems and data are more secure when organizations practice good cyber hygiene, such as properly installing and configuring security tools, keeping operating systems and software up to date, keeping the list of authorized users current and removing accounts that are no longer needed, enforcing least-privilege user permissions and requiring strong passwords, among other measures.
3. Update infrastructure and implement controls, such as multifactor authentication.
A textbook example of why this is important was the Office of Personnel Management breach in 2015. Even though OPM had spent $7 million on security technology, major underinvestment in legacy infrastructure left sensitive information exposed to a breach. This misalignment in OPM’s cyber risk exposure left my friends’, colleagues’ and family’s security clearance information on outdated systems with weak protection against attackers. That weakness enabled the attackers to steal sensitive data on more than 21 million individuals from background-investigation databases. Had more focus been placed on managing the risk of holding this vital information, OPM likely would have invested in updating its infrastructure and controls, as the Departments of Defense and Homeland Security did in previous years in response to attacks.
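Several of the hygiene practices in steps 2 and 3 (keeping the list of authorized users current, enforcing password standards, and requiring multifactor authentication on privileged accounts) can be checked mechanically against an account inventory. The following Python script is an added example, not code from the original article or from any product it mentions; the account fields, the policy thresholds, and the sample accounts are all assumptions constructed for illustration.

```python
"""Account hygiene audit over a constructed user inventory (added example).

Assumed record fields (not a real product's schema): username, role,
last_login, password_set, password_length, mfa_enabled.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Policy thresholds are assumptions; adjust to the organization's own standard.
STALE_AFTER_DAYS = 90          # no login in this many days -> dormant account
PASSWORD_MAX_AGE_DAYS = 365    # rotate credentials at least yearly
MIN_PASSWORD_LENGTH = 14       # minimum acceptable password length
PRIVILEGED_ROLES = {"admin", "domain-admin"}


@dataclass
class Account:
    username: str
    role: str
    last_login: Optional[date]   # None means the account has never logged in
    password_set: date
    password_length: int
    mfa_enabled: bool


def audit(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Return {username: [findings]} for every account that violates policy."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        issues = []
        # Authorized-user list hygiene: dormant or never-used accounts.
        if acct.last_login is None or (today - acct.last_login).days > STALE_AFTER_DAYS:
            issues.append(f"stale: no login in {STALE_AFTER_DAYS} days, disable or remove")
        # Password hygiene: age and length.
        if (today - acct.password_set).days > PASSWORD_MAX_AGE_DAYS:
            issues.append(f"password older than {PASSWORD_MAX_AGE_DAYS} days")
        if acct.password_length < MIN_PASSWORD_LENGTH:
            issues.append(f"password shorter than {MIN_PASSWORD_LENGTH} characters")
        # Control hygiene: privileged access must have a second factor.
        if acct.role in PRIVILEGED_ROLES and not acct.mfa_enabled:
            issues.append("privileged account without MFA")
        if issues:
            findings[acct.username] = issues
    return findings


def prioritized(accounts: List[Account], today: date) -> List[Tuple[str, List[str]]]:
    """Order findings so privileged accounts come first, then by issue count."""
    role_of = {a.username: a.role for a in accounts}
    found = audit(accounts, today)
    return sorted(
        found.items(),
        key=lambda item: (role_of[item[0]] not in PRIVILEGED_ROLES, -len(item[1])),
    )


# Constructed sample inventory; the audit date is fixed so results are stable.
AS_OF = date(2020, 1, 15)
SAMPLE_ACCOUNTS = [
    Account("jsmith", "user", date(2020, 1, 10), date(2019, 11, 1), 16, True),
    Account("contractor7", "user", date(2019, 8, 1), date(2019, 7, 15), 12, False),
    Account("backupadmin", "admin", None, date(2018, 6, 1), 20, False),
    Account("svc-legacy", "domain-admin", date(2020, 1, 14), date(2020, 1, 1), 10, False),
]

if __name__ == "__main__":
    for username, issues in prioritized(SAMPLE_ACCOUNTS, AS_OF):
        print(username)
        for issue in issues:
            print("  -", issue)
```

Running the script lists the dormant admin account first, then the domain-admin service account that lacks MFA, then the contractor account; the compliant user does not appear. Feeding it a real export of the directory instead of the constructed list gives a small organization a repeatable picture of where its exposure actually sits before it spends on another tool.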
4. Make cybersecurity and risk management work together.
IT and risk management professionals can no longer afford to work in silos. To get the best results for their organizations, they need to work in sync. To do that, they have to combine their strengths and work on understanding each other’s roles. Innovation is happening in cybersecurity as well as cyber insurance, but instead of working in parallel, these fields need to collaborate. Cybersecurity and risk professionals each have distinct skill sets and perspectives. Organizations that combine these enable smarter risk management, better insurance protection and greater cyber resilience.
Our prediction for 2020 is that the security industry and the insurance industry will finally figure out how to start speaking each other’s arcane languages and learn from the analytics and business innovation happening in both markets. We’ll all be better off.