Four ways mediocre enterprise security can cost you money—and more
Cybersecurity spending worldwide is estimated to reach well over $120 billion in 2019—and most analysts predict steady growth after that. There’s a reason why companies are investing so heavily in security: Experts predict that cybercrime will cost global business several trillion dollars over the next few years.
The scale and scope of the problem is truly vast. But even more concerning is the growing prevalence, sophistication and disruptive power of cyberthreats. Phishing and ransomware attacks are on the rise. Tools created by military intelligence are being leaked for anyone to use. And entire cities have been affected by cyberattacks.
In short, while enterprise in general is taking cybersecurity seriously, the numbers seem to indicate that there is a long road ahead. And a good first step in creating stronger, more secure organizations is to raise awareness of the true costs of subpar security to enterprise (costs which may not always be obvious at first glance).
In this article, we’ll take a deeper dive into the problems created by mediocre enterprise cybersecurity—and provide some recommendations for how your organization can respond to the evolving threat landscape.
1. The bottom line
The first and most obvious cost of poor security is financial—and every company is at risk. In one study, more than half of all businesses surveyed reported coming under attack. And it’s not just large organizations that suffer: Small businesses are attacked in similar numbers, and even schools have been targeted.
Suffice to say, it’s not a matter of if your company is going to be attacked, but when. And if your security isn’t up to the job, it’s going to hurt. Dealing with a cyberattack isn’t cheap: The average cost of a single successful attack comes out to over $1 million.
2. Hidden costs
Many reports on the cost of cybercrime to business focus on direct, measurable damage: things like downtime, labor, and remediation costs. But there are other, subtler costs that shouldn’t be overlooked.
To begin with, in addition to the initial impact, there are long-term financial effects to consider as well. Data breaches, for example, can result in IP theft. Over time, this can end up costing far more than the attack itself. If sensitive data falls into the wrong hands, all that time and money spent on R&D can go down the drain in an instant.
And analysts point out that there can be knock-on financial effects as well—effects which persist long after a cyberattack. Fairly or unfairly, companies which have fallen victim to cyberattacks may find themselves stigmatized by the market. Enterprises perceived as vulnerable, and therefore poor investment risks, can find it harder or simply more expensive to raise capital. Their insurance premiums often go up as well.
Lastly, if customer information has been compromised in a data breach, there’s the hard-to-quantify but very real cost to a company’s reputation and perceived trustworthiness. Customers can forgive many things, but when their personal data is concerned, many of them won’t give you a second chance.
3. Buy-in and morale
We’ve written before about the cybersecurity skills shortage, and what it means for those considering a career in the field. But it’s also a common cause of inadequately staffed security teams. A lack of skilled security personnel affects everyone in the office—and can lead to serious problems with employee satisfaction and overall compliance with security protocols.
Overextended enterprise security officers may feel unable to keep up with the sheer number of endpoints that they need to worry about. For one thing, today’s security teams face a proliferation of IoT smart devices being brought into offices. And more people are now choosing to use Macs at work, which are often less familiar to enterprise security personnel than Windows machines and may therefore take more effort to protect.
With all of these challenges, security teams absolutely need their coworkers’ help to keep everyone safe. This is especially true given the fact that many cyberattacks exploit the part of an enterprise’s defenses that infosec workers can’t control: human beings. Phishing attacks and social engineering are frequently the means by which hackers gain their toehold in an otherwise secure network.
But your average team member in sales, supply chain, marketing, or HR is already stretched to their limits with their own work. They are likely to see cybersecurity as falling outside of their job description—and wonder why they can’t just fire up their MacBook and get to work without someone harassing them about password managers or scanning PDFs before opening them.
The worst-case scenario is a frustrated team that doesn’t want to hear another lecture on phishing awareness or creating strong passwords—and security officers who feel like they’re fighting a losing battle without any help: obviously a costly workplace dynamic in terms of employee satisfaction and cooperation.
4. Longer remediation times
If you’ve purchased poorly supported security products or if you don’t have a robust backup system in place, recovering from a successful cyberattack can take much longer than it should. Excessive remediation timelines are costly, both in terms of lost productivity and revenue as well as customer dissatisfaction and employee frustration.
The issue of backing up systems and files is especially relevant at a time when ransomware attacks are increasing in frequency and severity. Ransomware is malicious software that encrypts files or locks users out of their systems until some form of ransom is paid. These attacks are particularly devastating because once they have taken place, there is little that anyone can do about them, short of paying the ransom or simply abandoning the affected data—unless crucial files and systems have been safely backed up somewhere else.
While experiencing a ransomware attack can be scary, having a strong plan for creating backups of core files, systems, and databases can go a long way to mitigating the damage caused and getting up and running again quickly.
What can an organization do to improve cybersecurity?
1. Make security a team effort
Leadership can and should take an active role in communicating the message that cybersecurity is everyone’s job. Every employee, from intern to C-suite executives, should know and be expected to adhere to the company’s standards for data security.
It’s important to consider how to communicate this message most effectively. Rather than presenting cybersecurity an exercise in rule-following and compliance with protocol, educate employees on the risks that a cyberattack can pose to their own work.
When people become aware of the very real danger of a ransomware attack—and realize that they won’t make many sales with a hard drive full of encrypted customer records—they may be more enthusiastic about backing up their records or taking that phishing awareness training.
2. Invest in training
Even if you have a well-secured network and a strong security team, your organization can fall prey to relatively unsophisticated cyberattacks. It doesn’t take military-grade malware to cripple a business: Just a single employee falling for a phishing attack or succumbing to social engineering.
If you’re in leadership yourself and you want to make security a part of your company’s culture, provide your employees with the tools and knowledge they need to keep themselves—and the organization—safe.
Your local security team will be more than happy to offer suggestions for training activities and materials, and may be able to assist you or HR in organizing learning sessions and workshops.
3. Protect vulnerable endpoints
Many enterprise security teams are well-equipped to handle traditional threats. But changes in technology, along with the behavior of malicious actors, have created new vulnerabilities, and security personnel need to move quickly to address them.
To offer one example, cybersecurity researchers have noticed a marked uptick in malware specifically targeting macOS machines—and Macs are increasingly common in offices due to employee demand. Yet many of these same employees still cling to the outdated mindset that “Macs don’t get viruses”. They may, consequently, be less cautious than they should be while working on their macOS machines.
Security officers who have spent most of their careers protecting Windows or Linux systems will need to find a way to integrate macOS security into their overall defensive strategy—the sooner the better.
How can SecureMac help?
If you’re a manager or infosec worker looking to improve the cybersecurity posture of your organization, we may be able to help.
Whether you have a question about an aspect of macOS security or a more general query about how to offer basic cybersecurity training to non-technical staff, we welcome you to write to us at firstname.lastname@example.org. We’re always happy to answer questions from our readers, either in private emails or as topics on our weekly Checklist podcast!