by Michelle Lange | Oct 31, 2018
Fear factors into cybersecurity planning in lots of ways, from the anxiety of hiring outside help to the dreaded idea that good security is financially beyond reach. Couple that with chilling stats on the number of attacks that happen per day and the average cost of those attacks, and you’ll start to understand why people continue to act on fear when it comes to cybersecurity. Here are four ways fear creeps into cybersecurity planning.
A World Where No One Is Safe
It’s widely reported that there’s a cybersecurity attack every 39 seconds, which leaves people fearing that their number is going to come up at some point. Seth Robinson, CompTIA senior director of technology analysis, said that under that unease lies an even more terrifying truth.
“It begins to indicate the number of people who are performing attacks, and the motivations that they have for creating attacks,” Robinson said.
The ease with which criminals can attack is also aided by automation.
“You can use [artificial intelligence (AI)] to create botnets or multiple kinds of attacks that allow them to scale up and scale beyond what they used to do,” Robinson said. “The number of attacks any organization is going to see is going to go up.”
The Crippling Cost of Loss and Prevention
What does it cost to recover from a cyberattack? Some say $50,000, which Robinson thinks is a conservative estimate, even though it’s a terrifying sum to the top brass at a small company.
“If you’re [a small-to-mid-sized business (SMB)] with an annual revenue of $2 million, $50,000 is a big chunk,” Robinson said. “And if this is the average cost of attack, what should your average investment be?”
There’s no defined best practice on how to calculate cybersecurity spending. The big guys are known to spend millions — $11.7 million a year according to Accenture — leaving SMBs to sweat about what should be spent on cybersecurity.
Nearly 60 percent of enterprises are letting the fear of high prices keep them from hiring an outside security firm, according to the new CompTIA security report, 2018 Trends in Cybersecurity: Building Effective Security Teams.
The Devil You Know
Security is uncharted territory, and people get frozen in fear when it comes to hiring the right security team, even though it’s almost essential these days.
“Companies are definitely getting to the point that — unless they’re a huge enterprise — they’re not going to have that in house. They’ll have to lean on outside firms for at least part of it,” Robinson said.
Cyberattacks have become more complex, and the threat of disruption has risen. Those intensifying factors are pushing companies to a crossroads: hire a known managed service provider (MSP) that might not be up on the latest cybersecurity tools, or trust a new group with your company’s most private data.
“It’s the devil you know versus the devil you don’t,” Robinson said.
The Risk Monster Lives Inside Us
The old security mindset was highly defensive. You build a secure perimeter and keep bad stuff on the outside, Robinson said. But there has been a shift in mindset, and today, cybersecurity is more proactive than ever.
“You have to be more aware of what’s happening within the infrastructure, and as your investments are going up, you need this data to show why the investment is paying off, why we need the right skills in house or partnered, and here’s how the team is performing,” he said.
Metrics are essential, but a lot of companies are scared they don’t know how to track the numbers. Going back to the recent CompTIA security report, there’s uncertainty about tying security metrics to corporate health, insufficient skill for tracking and understanding metrics, and confusion around which metrics to use.
Because so much risk is coming from inside the house, IT teams need to step up and add value. Show companies what metrics will make the difference, and teach people why prevention is so important.
“Human error is the leading cause of cyberattacks, but companies aren’t fully addressing what to do about human error in terms of education,” Robinson said. “A lot of this falls to the IT team, so it’s your chance to add value. Build a plan to educate the workforce, roll it out and make sure it’s effective.”
You can make yourself more valuable, too, by earning a cybersecurity certification like CompTIA Cybersecurity Analyst (CySA+). IT certifications show that you’re trained to tackle today’s biggest cybersecurity concerns and that you can add value in the business of technology.
Michelle Lange is a writer and designer living in Chicago.