Cybercrime is based on opportunity, not target business size. All companies face risk.
Default SaaS and cloud security features may not offer the full protection that a business needs.
Cybersecurity should be a “day one” priority in all digital transformation initiatives.
A common adage among security experts is that businesses need to prepare for when, not if, a breach attempt occurs. Yet amid the pace of digital transformation and technology evolution, it can be difficult to know if your cybersecurity and risk efforts are aligned with what is relevant to your business. It can also be an uphill battle to convince budget-holders to invest in cybersecurity when so many other needs seem more pressing.
To help combat both challenges, here are five common cybersecurity myths and steps to take if your company needs a deeper look at its technology and practices.
One misstep that we see repeatedly is not planning for security requirements—and cybersecurity’s brethren, compliance and risk—from day one on high-profile digital transformation projects. Typically, stakeholders in the earliest stage focus on business requirements, budget and timing. But if security and risk experts can’t contribute to the design of the solution from the get-go, your organization could face deep financial impact from redesigning the solution or have to accept security risks.
Solutions that aren’t well-architected and purpose-built for your organization’s needs lead to workarounds and bolted-on fixes that increase costs, delay launch dates and cause security or compliance gaps. Worse yet, these “fixes” turn into new technical debt that IT must manage and update—a key problem that should be solved by digital transformation, not worsened. Further defeating the purpose, clunky security integrations can limit digital transformation benefits like seamless interoperability, holistic views and automation.
of middle market executives expect to have to comply with GDPR-like requirements at a state or federal level in the next two years.
of middle market executives believe unauthorized users will attempt to access their data or systems this year.
Another common misperception is that cybercriminals only target large multinationals, as only giant breaches of consumer data typically hit the news. Today, every business is a technology business—and financial gain is the key driver of cybercrime. No matter your industry or size, if you have systems that can be exploited for fraudulent purposes or seized for ransom, your business is a target.
Most cyberattacks are crimes of opportunity. While a few cybercriminals (usually state-sponsored) may aim for the big leagues, thousands of others prefer businesses with easily exploitable systems, poor access management and employees who are less savvy about phishing and other social engineering crimes.
of middle market executives reported a ransomware attack or demand in 2022.
reported that outside parties attempted to manipulate employees by pretending to be a trusted third party or company executive in 2022.
Today, most technology providers tout their security capabilities, from encryption to access management. And while these security features are available for use, cloud and software-as-a-service (SaaS) security features are not enabled by default. You need to configure security features to align your technology solutions with your business risk appetite and compliance requirements.
To safeguard against cyberthreats and breaches caused by human error, your security architecture, system configurations and monitoring capabilities must provide in-depth visibility across your networks and devices, hybrid and multi-cloud environments, SaaS solutions and your own software and apps. It must ensure you’re meeting regulatory requirements, as well as the security standards expected by your partners and clients. And it should be built based on a risk framework so that your critical data, technologies and processes are protected. It’s up to you to find your company’s weakest points before cybercriminals do, and the security provided by SaaS and cloud vendors won’t cover all your needs.
of breaches occurred in the cloud.
While cyber insurance can be an important investment to back up your security efforts, it isn’t the quick path to protection that some may assume. While the volatile 2022 cyber insurance market has stabilized, prices are still high, capacity is limited and payout limits are judicious. Insurers have enacted stricter baseline control standards for customers. Should your company file a claim, a third party will audit your security program to confirm that it meets the criteria you claimed when you applied; if it does not, the claim will not be paid.
So, yes, cyber insurance can help protect your company from monetary losses due to a cyber incident but only if your security posture is strong enough to meet required standards. That’s why it’s critical to get your security house in order before seeking insurance.
of middle market companies surveyed are carrying a cyber insurance policy, up from 61% last year.
The most popular coverage options reported were:
Today’s complex technology environments require deep and broad skillsets that are challenging to fill amid talent shortages and tight budgets. Purchasing cybersecurity solutions isn’t enough. Due to knowledge gaps and a lack of resources, it’s common for security tools to be misconfigured, poorly integrated, and infrequently monitored. IT departments find themselves managing a security stack that provides more complexity than value.
Even more critically, IT departments often take a checklist approach to security, rather than the business risk lens required for a strong security architecture. Whether this is due to a lack of expertise, access, or time, the result is the same: a limited, siloed security approach that leaves businesses open to mistakes, exploitations, and breaches of their most critical systems.
of middle market executives report that the person most responsible for data security and privacy reports directly to the CEO, an increase from 25% in the prior year’s survey.
of companies invested in new hardware in response to publicized data security breaches, up from 40% the prior year.
Across cloud environments, networks, SaaS solutions, regulatory compliance and industry-specific technologies, filling that knowledge gap can be challenging.
Our trusted advisors include experienced security, technology and risk professionals who bring their knowledge of different industries, businesses and technologies to bear. Whether you are just beginning your digital transformation journey or want to adjust your current trajectory, we can help you build a secure architecture that can grow and scale with your business.
All data points are drawn from the 2023 RSM US Middle Market Business Index Cybersecurity Special Report, except for the cloud breach data point, which came from the IBM Cost of a Data Breach Report 2023.