By Evan Ramzipoor, Workflow contributor
Despite rampant cybercrime, many organizations have either failed to invest more than the bare minimum in cybersecurity or invested without a clear strategy.
About a third of business leaders say they don’t have the C-suite support they need to adequately invest in cybersecurity, according to a May 2022 ThoughtLab survey co-sponsored by ServiceNow. In fact, when respondents were asked what cybersecurity concerns worry them the most, a lack of support and prioritization of cybersecurity was at the top.
Larry Clinton, president of the Internet Security Alliance, says business leaders have been deferring cybersecurity investments for years. “Over the 20 years I’ve been in cybersecurity, executives have constantly said they’re going to wait for ‘the big one’ to hit before investing more money in security and thinking hard about strategy. Well, the big one has already hit,” he says, citing the 2017 Equifax data breach, one of the largest data breaches in history, which compromised the personal information of 150 million people.
More recent examples include the increase in cyberattacks during the pandemic; ransomware attacks like the Colonial Pipeline hack, in which a Russia-linked cybercrime group took down the largest oil pipeline in the U.S.; and the Log4j vulnerability, which left companies in diverse industries scrambling to patch their systems last December. Because so many systems and assets are connected, and companies have so many programs and devices on their networks, attacks always have the potential for wider-reaching impact. For this reason, the U.S. Federal Trade Commission issued dire warnings about future threats and pledged to take legal action against companies that didn’t learn lessons from these repeated attacks.
Cybercriminals have demonstrated their ability to penetrate the vast majority of the networks and systems we use every day. For example, it takes most hackers around two days to break into the average company’s internal systems by guessing an employee’s password or bypassing the company’s security, according to a 2021 report by cybersecurity firm Positive Technologies.
Moreover, new technologies and business models are making it harder for IT departments to secure assets ranging from computers and phones to medical devices, manufacturing systems, and cloud applications. “Digital transformation and cloud computing are fabulously cost effective—but very risky,” says Clinton.
Given that digital operating and business models are increasingly required for business success, this is a risk worth taking, argues Barbara Kay, who has worked in security and risk management for close to 20 years and currently leads risk, security, and ESG product marketing at ServiceNow. “We have enough experience to understand the likely risks,” says Kay. “The issue is making it a key element of transformation planning and implementation, so risk management is baked in from the beginning, not retrofitted.”