For as long as I have been in security, there has been one predictable reaction after a company gets breached: they suddenly see the value in security, and a budget to support it magically appears.
Sadly, this is all too common with companies that consider security an afterthought, or those that place it at the bottom of their IT budget.
Security is treated like insurance. Some insurance is mandatory, such as automotive insurance, while other coverage such as theft, vandalism, natural disaster and even life insurance is left in the optional category and deemed less important. When disaster strikes, we all know what the outcome of that looks like.
Cyber security measures, whether they be training, phishing simulations, vulnerability assessments, technical or compliance audits, monitoring or penetration testing, are all things to be considered in your security plan. They each play a role in determining how “prepared” you may be in the event of an attempted security breach or hack. All of these measures can increase your resilience to an attack, yet many companies choose to gamble and forgo them to save capital for other expenditures. Then, when they are compromised, they realize that despite thinking they were safe or off the radar of the hackers, they are now just a statistic, like many others.
To make matters even more economically painful, the companies that have been compromised will likely have to shell out more capital to cleanse their networks and to investigate how the culprits got in and what they may have accessed or stolen. This is, of course, assuming that they are not locked out of their computers by a ransomware attack, because that is a whole different story.
For those of you who feel we are fear mongering, you are correct, but you also must accept that we are being as factual and real as it gets. There is no room for mincing words and watering down the reality and bite of a cyber-attack. Big or small, they can be devastating, and we would be remiss if we did not speak the truth about it. For 24 years, we have seen companies make the same mistakes when it comes to cyber security.
Here are some, in no particular order.
- The IT guy, who has been nominated the security guy for the company, is not confident in determining what security measures he or she should consider, so little (or nothing) gets done, but he or she tells the boss it’s handled. They eventually become a statistic.
- Upper management is focused on business development and spending money on marketing, sales and other things that make the company money and uphold the corporate image. They place little to no value in spending money on IT let alone security. You can guess the rest. No budget approval.
- The IT guy who has just received budget approval goes out and blows the entire budget on some well-marketed Kool-Aid, produced by a cash-bloated security vendor that makes promises and nearly guarantees that its product does everything… he buys it, hackers walk through it. Another stat for the records.
- A well-meaning CFO becomes directly involved in the procurement process for the IT security budget and decides, based on affordability, what the IT guy needs to buy. The IT guy gives up, accepts defeat and does what he’s been told. You can guess the rest.
- Budget talks come around, and security is the last topic of a long day’s discussion. The security team or IT team presents their budget, and it’s a sizeable ask. They try their best to explain the importance of the product or service they want the budget for, but all management hears is blah blah blah, and the only thing understood is the dollar figure. Since management doesn’t see the value in it, the request is denied or (this is a classic) put off until the next budget talks… a true recipe for disaster.
These mistakes are just some of the many we have learned about after a company discloses how or why they think they got breached. The reasons are almost always the same.
Here are some suggestions to consider to bolster your security.
Security measures are a must have. Security needs to be near the top, if not on the top, of all IT budget discussions. It is the foundation that all infrastructure, software and hardware need to be built on. It is your insurance that will save your corporate bacon.
We suggest that if you are not a security professional, you seek the advice of one before you begin to consider the security products or services your company would need.
Spread your budget out over as many sound security solutions as you can. There is NO silver bullet or “set and forget” product or service out there. Trust us on this one.
If you are the IT guy, tell your boss some horror stories before you present your budget. He may connect the dots and realize that if they don’t loosen up and spend on security, they could be the next horror story being talked about.
Do not leave the IT budget (security) until the end of the budget discussion. Turn the agenda upside down because THAT’S how important it is to discuss and approve.
Respectfully decline or limit the input of a person who knows nearly nothing about IT security, and instead provide them with opportunities for learning.
Call us and let us have an introductory call with management to tactfully explain to them what’s going on in the underbelly of the internet, and why they need to act now to protect their company’s and their employees’ livelihoods. We welcome a call to become involved in discussions where appropriate or possible. We do this with our partners daily for free. Yes, for free. A 30-minute conversation about security is a good investment of your time, and of ours.