Why are there still cybersecurity incidents?

What happens when management ignores cybersecurity risks?

Why are there still frequent, expensive and embarrassing cybersecurity incidents? With all the investments organizations are making to strengthen their defences and all the media attention devoted to incidents, you’d think everyone has received the message and taken action to eliminate the possibility of more incidents. I’m surprised by the recent headlines that say otherwise:

• Petro-Canada payments systems largely restored in the wake of a cyberattack: Suncor
• Indigo admits the cyberattack was ransomware, employee data accessed
• Data on as many as 100,000 Nova Scotia healthcare staff stolen in MOVEit breach
• Indigo lost $50M last year, in large part due to the February cyberattack

What, you may be asking, is causing management inaction about cybersecurity?

Photo by Shamin Haky

Related Stories

How to reduce cybersecurity risks during digital transformation

Five more ways to reduce cybersecurity risks during digital transformation

Assess your SMB cybersecurity defences at warp speed

These incidents keep happening because it’s difficult for management to know how high their cybersecurity risk is and how far it needs to be managed down. There’s no silver bullet for eliminating the threat. Management often falsely believes that:

• The Information Systems (IS) department is managing the risk.
• Its organization is too small or not attractive to potential attackers.
• Media articles about cybersecurity incidents exaggerate the consequences.

Also, management is continuously under conflicting pressures, including:

• Shareholder pressure for higher returns.
• Competitors claim to offer lower prices.
• Customers do not want to pay higher prices.
• Employee pressure for higher pay.
• IS leadership claims that the cybersecurity sky is still falling after record spending on defences.
• Suppliers want or need to raise prices.
• Management desires to preserve their bonuses by keeping costs down.

In this demanding business environment, management is reluctant to spend money on cybersecurity defences that appear to offer little return. In too many cases, this inaction has produced disaster.

What are the consequences of management inaction about cybersecurity?

You want to avoid these consequences of inadequate cybersecurity defences:

• A headline about your cybersecurity lapses creating reputational damage among customers and suppliers, leading to loss of business.
• The cost and business disruption of cleaning up after a cybersecurity incident.
• Loss of revenue due to operational disruption.
• The likelihood of an investigation and a fine from a regulatory agency.
• Market share losses when theft of intellectual property creates competitors.
• Tarnish to your carefully cultivated, stellar executive reputation

Even though the cost of prevention often feels high or even outrageous, it’s significantly cheaper than the cost of addressing the consequences of a cybersecurity incident.

What should management do about cybersecurity risk?

Start by conducting a cybersecurity risk assessment. This work creates facts that trump opinions, hunches, gut feelings, and denial.

The findings of a cybersecurity risk assessment will tell you:

• What defences are working well. That fact builds confidence that some cybersecurity defences are working.
• What defences need strengthening. Those findings form the basis for an action plan to reinforce specific cybersecurity defences.
• What potential defences don’t exist. These items form the agenda for discussing additional cybersecurity defences to implement. No organization needs to address all the items on the list to lower cybersecurity risk.

The findings move the cybersecurity discussion from generalities about risk and cost to multiple specific, granular actions where management can concretely assess the value and cost.

What does a comprehensive cybersecurity risk assessment consist of?

Too often, management asks IS leadership for an opinion about the sufficiency of cybersecurity defences. No matter how confident management is in its IS leadership, that opinion, without supporting data, is dangerously misleading.

Determining what a comprehensive cybersecurity risk assessment consists of should include the following considerations:

• Is an internally developed cybersecurity assessment sufficient? An internally developed risk assessment framework will not benefit from the contributions of many experts. However, it may be better tailored to your organization’s risks and priorities. It’s often better to base the risk assessment on a well-established cybersecurity framework.
• What cybersecurity framework will it use? Select a framework appropriate for your industry and the organization’s size.
• Who will conduct the cybersecurity risk assessment? Audit department employees do not have the requisite technical expertise. Someone from the IS leadership team may be tempted to produce an overly optimistic set of findings. The objectivity of an external consultant may provide sufficient value.

Yogi Schulz has over 40 years of information technology experience in various industries. Yogi works extensively in the petroleum industry. He manages projects that arise from changes in business requirements, the need to leverage technology opportunities, and mergers. His specialties include IT strategy, web strategy and project management.

For interview requests, click here.

The opinions expressed by our columnists and contributors are theirs alone and do not inherently or expressly reflect the views of our publication.

© Troy Media
Troy Media is an editorial content provider to media outlets and its own hosted community news outlets across Canada.