Are Cybersecurity Audits a Hassle or a Blessing in Disguise?
Cybersecurity audits have a bad reputation they do not deserve. Company leaders brace themselves for costly “gotcha” moments, and employees grumble about navigating layers of safeguards before they can do their jobs. This attitude misses the point: a cybersecurity audit can be a multimillion-dollar blessing in disguise.
The cost of failure
Cyberattacks are on the rise to the tune of one every 39 seconds. For small and medium businesses, the average cost of a data breach is $3.9 million. For large, publicly traded companies, the average soars to $116 million.
Costs go far beyond what is lost directly to cybercriminals. There is damage to brand and reputation. An Arcserve study found that 25 percent of people will switch brands after a single ransomware attack. Customers whose data was compromised are likely to leave and never return, and prospective customers may think twice about doing business with a company that has suffered a breach. According to Comparitech, share prices fall an average of 7.27 percent after a breach.
Nonetheless, more than three-quarters of organizations have no cybersecurity incident response plan, even though more than half experienced a known attack in the last year. Today, every company has a large digital footprint. Much of it, from customer identities to workstation IP addresses, is stored in the cloud and is exposed to attack.
When cybersecurity is not routinely monitored, attacks go unnoticed. Many companies take six months or more to realize their data has been compromised. In that time, cybercriminals can do untold harm: stealing and selling data, siphoning funds, even deploying ransomware.
If an auditor finds compliance gaps, a company may face fines and penalties. As unpleasant as that is, it is nothing compared to what it would have suffered had a cybercriminal discovered the weak spot first.
Good tools can’t cure bad processes
Many leaders focus on protecting physical assets because they can see the threat. Doors can only be opened by scanning a badge, cameras are trained on server rooms. Digital threats are harder to visualize. Managers can’t see if employees are sharing passwords or neglecting to log out of their workstations.
Tools that monitor digital activity and warn management of possible attacks are often underutilized. A company with the best software in the world can still be oblivious to a data leak if the software’s alerting was never switched on. Some companies buy a tool to prove to auditors that they are in compliance, but never fully implement it. It gathers dust until the next audit is on the horizon.
Two years ago, Cybersecurity Ventures predicted that companies would spend more than $1 trillion globally on cybersecurity by 2021 yet would still lose $6 trillion a year to cyberattacks. If protection is truly the goal, companies cannot buy their way there with increased IT spending alone.
The danger from within
Despite the risk, many companies take a short-sighted view of cybersecurity. They establish the bare minimum needed to pass the audit and assume they are safe. In these organizations, employees often become lax about security protocols once the audit has passed, then ramp up again when the next audit is due.
This attitude, which focuses on the audit checklist rather than on the criminals, is dangerous. Complacency leads people to let down their guard, while cybercriminals work around the clock to find new ways past the minimum measures required to pass an audit.
Even sophisticated companies can be guilty of treating cybersecurity as purely an IT issue. But as clever as hackers have become, infiltration through direct technical attack accounts for only about 5 percent of breaches. The other 95 percent involve human error. Criminals attack companies at their most vulnerable point: their people.
The most effective cyberattacks are deceptively simple. Despite years of warnings about phishing, in which users are lured into clicking an innocent-looking link or opening a download that delivers malware or harvests their credentials, auditors are seeing a rise in successful phishing. Today’s phishers are not blasting out emails at random. They analyze whatever data they can find, such as a user’s subscriptions and frequently visited websites, and then serve the lure in an ad or email so well crafted that even a security expert might take a moment to realize it is not real.
Physical social-engineering attacks are also on the rise. It is frighteningly easy to pose as a copier technician and gain access to an office’s printer or multifunction copier. Those machines typically cache the documents that pass through them, so a clever scammer can walk away with a great deal of sensitive information without ever touching a workstation.
The attitude shift that makes cybersecurity a priority comes from the top down. If leadership walks the walk and demonstrates that cybersecurity is more than an IT issue, employees will see it as part of the company culture.
Employees often view security protocols as obstacles that get in the way of doing their jobs. When security is not monitored and emphasized, they fall into habits like sharing passwords or holding secure doors open for the people behind them.
It is human nature to look for ways to cut corners or skip steps. Frame security measures like locking the door before leaving the house: an extra step that may slow you down, but one that prevents bad things from happening if you take it.
Officers often tell auditors they dialed back security protocols because of worker resistance. That is exactly the time to step forward and lead. Listen to employees’ concerns and meet them halfway. If they object to 10 new procedures, agree to move forward with five and introduce the rest gradually as the first ones become familiar. Unlike a “my way or the highway” approach, this builds goodwill between employees and management. When employees feel invested in the company’s security, they take a more active role in preserving it.
Cybersecurity hinges on corporate leadership taking a big-picture view and making a pre-emptive strike against cybercrime. Leaders who view auditors as allies rather than adversaries feel comfortable asking for advice on what more they can do to make their company secure. Those companies that go above and beyond will have a marked advantage over those that make themselves easy pickings for cybercriminals.
FNU Divyanka
FNU Divyanka is a senior cybersecurity consultant. She has a master's degree in Information Systems from Penn State University in addition to multiple Privileged Access Management certifications like CyberArk Certified Delivery Engineer. For further information, email divyankahooda@gmail.com.
Verizon reported that, at least in the US, less than 30 percent of attacks are human error (which is still a lot), making more than 70 percent due to infrastructure weaknesses. It’s true that making all employees “cybersecurity aware” is important, but investing in technology protection is at least as important.