The average organization devotes 21% of its IT budget to cybersecurity.
By Stu Sjouwerman, CEO, KnowBe4
With the threat of malware touching more and more organizations, boards are beginning to devote greater resources to cybersecurity. The unfortunate truth is that a successful cyberattack can sink a business. The average remediation cost of a ransomware attack, for example, is $1.85 million, according to a Sophos report. The cost of non-compliance if sensitive data is exfiltrated can also be considerable, and the lasting reputational damage is hard to quantify.
Companies that may have been tempted to gamble in the past are now seeing the financial sense in increasing cybersecurity spend. The average organization devotes 21% of its IT budget to cybersecurity, according to the Hiscox Cyber Readiness Report, an increase driven by a sustained rise in the frequency of cyberattacks in recent years.
The growing threat
In the last 12 months, the percentage of organizations experiencing a cyberattack jumped from 38% to 43%, according to Hiscox data, and 73% of those victims experienced more than one attack. A paltry 9% reported they were able to defend against the attack with no impact on operations. Stronger defenses and better preparation are required to avoid potential disaster.
Beyond the disruptive impact of ransomware or DDoS attacks, there lurks the even worse threat of a full-blown data breach. It takes 280 days on average to identify and contain a data breach and costs $3.86 million, according to the Ponemon Institute. It’s far better to spend a fraction of that amount to bolster your defenses and harden your security posture.
The question is where to spend it to ensure the greatest impact.
Phishing and BEC attacks
We know that malware can usually be traced back to a phishing attack. Threat actors are increasingly picking their targets and getting smarter about how they approach them. Spear phishing is on the rise, and sophisticated attacks employ stolen credentials to move laterally. If a message or email appears legitimate, or, worse, comes from a colleague’s account that has been hacked, the risk of someone clicking a link or downloading a file and triggering a malware installation is much greater. The unpleasant truth is that anyone can be fooled. Employees at all levels can fall victim to phishing scams.
Business Email Compromise (BEC) is also a serious concern, with the FBI reporting $1.8 billion in losses through BEC, a staggering 42% of the total cybercrime loss. Much more sophisticated and targeted at CEOs, CFOs, and other high-ranking executives, BEC can be the result of months of reconnaissance, with attackers building complex infrastructure and hacking multiple accounts in pursuit of a big payday.
Spending effectively to boost security
The temptation to sink any budget increase for cybersecurity into a tool or platform that promises to safeguard your data is understandable, but there’s a better way to strengthen your security. If we accept that security systems can always be bypassed by persuading people to unwittingly grant access, then it’s clear that the best way forward is to educate and empower your workforce.
Security awareness training is crucial because teaching people to spot the common signs of a phishing attack develops the muscle memory you want to see.
Establish a baseline before you begin and set targets for improvement with periodic tests, such as mock phishing campaigns, to determine what progress has been made. Test results and any real-life security incidents that occur should be leveraged as learning opportunities and used to inform ongoing training.
Make sure that you combine training with stronger security controls and strict procedures. At the simplest level, provide a phish alert button so that it is easy to report suspicious emails. Every report should trigger an investigation that includes feedback for the employee who flagged the message. Responsibilities, processes, and expectations should be clear and easily accessible for everyone.
To tackle more sophisticated spear phishing or BEC attacks, design controls around funds transfers or sensitive data sharing. By requiring multiple people to sign off on transactions over a certain amount or insisting on in-person meetings or video calls to confirm the legitimacy of data or funds requests, you can prevent major losses. Consider the worst-case scenarios and design controls that will block scammers.
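As an added illustration (not code from the article or from KnowBe4), the following Python models the funds-transfer controls described above: transfers over a threshold need sign-off from several distinct people, the requester never counts as their own approver, and any request that arrived by email must be confirmed by a call or video before release. The threshold, approver count, roles and sample requests are constructed assumptions, not a real policy.

```python
"""Dual-control check for funds-transfer requests (constructed example)."""
from dataclasses import dataclass, field

# Assumed policy values: amount above which two distinct approvers are required.
DUAL_CONTROL_THRESHOLD = 10_000
REQUIRED_APPROVERS = 2


@dataclass
class TransferRequest:
    requester: str
    amount: float
    channel: str                          # "email", "portal", ... (assumed channel names)
    approvals: set = field(default_factory=set)
    confirmed_out_of_band: bool = False   # verified by call/video with the real requester


def evaluate(req: TransferRequest) -> tuple[bool, list[str]]:
    """Return (release_allowed, reasons_for_blocking)."""
    reasons = []
    # Segregation of duties: the person asking for the money cannot approve it.
    approvers = req.approvals - {req.requester}
    if req.amount > DUAL_CONTROL_THRESHOLD and len(approvers) < REQUIRED_APPROVERS:
        reasons.append(
            f"needs {REQUIRED_APPROVERS} distinct approvers, has {len(approvers)}"
        )
    # Email is the channel BEC abuses; require a live confirmation regardless of amount.
    if req.channel == "email" and not req.confirmed_out_of_band:
        reasons.append("email-originated request not confirmed by call or video")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample requests: a compromised-looking email request and a clean one.
    samples = [
        TransferRequest("cfo", 25_000, "email", {"controller", "treasurer"}),
        TransferRequest("cfo", 25_000, "portal", {"cfo", "controller"}),
        TransferRequest("cfo", 25_000, "portal", {"controller", "treasurer"}),
    ]
    for s in samples:
        ok, why = evaluate(s)
        print("RELEASE" if ok else "BLOCK", s.amount, s.channel, why)
```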
Enlisting your employees
Employees are your most valuable resource. They have the deepest understanding of your business and are invested in helping you strengthen security. Ask for their advice and input to identify the greatest risks and to learn how best to safeguard their areas of responsibility. An open dialog about which assets need securing first sends a clear message and encourages people to take risk management more seriously.
If you educate employees and equip them with the right tools, you can quickly make vast improvements to your cybersecurity stance. Continuous training and a program of attack simulations that emulates real-world threats will deliver tangible benefits.
Ultimately, it’s by enlisting employees that you will squeeze the greatest value from any increase in your cybersecurity spend.
About the Author
Stu Sjouwerman is founder and CEO of KnowBe4 (NASDAQ: KNBE), developer of security awareness training and simulated phishing platforms, with over 37,000 customers and more than 25 million users. KnowBe4 also offers the KCM GRC platform, which provides ready-made templates for quick compliance evaluations and reporting. Centralized policy distribution and tracking helps users remain compliant, as does flagging risky users. Sjouwerman was previously co-founder of Sunbelt Software, the anti-malware software company acquired in 2010. He is the author of four books, his latest being “Cyberheist: The Biggest Financial Threat Facing American Businesses.” He can be reached at firstname.lastname@example.org or via the company website https://www.knowbe4.com/