Here's Why Organizations Everywhere Struggle with Cybersecurity
Corporate data breaches continue to cost companies millions of dollars per incident, yet many IT teams are still struggling to provide robust cybersecurity.
This article originally appeared on VMBlog.
According to PwC, the number of worldwide cybersecurity incidents rose by 38% in 2015, the largest increase in any of the 12 years the firm has conducted its Global State of Information Security Survey. Those hoping the high numbers of 2015 were an outlier or a fluke will be disappointed by recent research that suggests the annual global cost of cybercrime will double from $3 trillion in 2016 to $6 trillion in 2021.
The average cost of a single corporate data breach currently stands at around $3.6 million (though as Target found out the hard way, it can be much, much higher) and the Ponemon Institute places the odds of any given corporation suffering a data breach at around one in four.
Part of this shockingly high risk can be attributed to the sheer volume of threats companies face — the average North American enterprise receives anywhere from 10,000 to 150,000 alerts from its cybersecurity systems every day. But much of the blame rests with the simple fact that large-scale cybersecurity is extraordinarily complex and, to be blunt, most organizations aren’t very good at it.
Understanding the Complexity of Corporate Cybersecurity
Cybersecurity is a very complex field, largely due to the fact that the internet and the threats it tends to come with are immense and difficult to grasp. The most foundational principles of cyberspace diverge significantly from those of the physical world.
Concepts that are critical in real-life security, such as distance, borders, and proximity, are all completely redefined in a nodal network where communication occurs at the speed of light. When it comes to securing a physical site, it’s almost always clear where the perimeter is located, where potential threats may appear, or from how far away a potential threat may come. On the web, distance is more or less meaningless. The borders of an organization’s IT realm are defined more by routers and firewalls that can be just as easily hacked by a malicious actor working next door as one working halfway across the world.
Another major pitfall of corporate cybersecurity is the underdeveloped law, policy, and best practices surrounding it. As hard as it is to believe, the internet has only existed in a recognizable form for around 25 years, and it’s been evolving nearly constantly throughout that time. Consequently, the broader cybersecurity community is still searching for answers to a wide range of very big, very impactful questions.
For instance, how should cybersecurity responsibilities be shared between government authorities and private actors? In the physical world, governments secure their national borders and leave specific site security protocols up to individual owners. Is this the model we want to follow online? Should the government be charged with closely regulating ISPs in order to ensure that internet infrastructure itself is as secure as possible, then leave everything else up to companies?
There are dozens of similar questions that have yet to be answered, and the ability of the cybersecurity community to address these issues in the years to come will play a definitive role in shaping the future of the internet as we know it.
And yet, regardless of how advanced our networking infrastructure becomes or how precisely we regulate online activity, effective cybersecurity will ultimately always come down to people. As the Harvard Business Review puts it, “Firms need to balance technological deterrents and tripwires with agile, human-centered defences. These vigorous, people-centric efforts must go beyond the oft-discussed ‘tone at the top’ — it [sic] must include a proactive leadership approach with faster, sharper decision making.”
This focus on people makes plenty of sense, as a single weak password can lead to millions of dollars worth of data loss. When it comes to cybersecurity, a company is only as strong as its weakest link, meaning employee education is a crucial component of ensuring that a company’s carefully constructed protocols are followed once they’re put in place.
A Cause for Hope
In the end, securing a large network entails countless steps taken by just about every stakeholder in an organization. From rooting out rogue access points to protecting IoT devices to managing network permissions, modern cybersecurity is an overwhelming endeavor, one with which even experienced IT teams can struggle.
Fortunately, there are a variety of cybersecurity experts with whom organizations can partner. Whether an organization needs a straightforward network security audit or is looking for a sustained managed services relationship, it should have no trouble finding an industry expert ready and willing to deliver exactly what it needs to keep its IT infrastructure secure.