It seems like a crazy statement: how can spending more money on cyber security not make your business more secure? Surely your business should be more secure than those businesses that spend any money at all? A recent study released by IBM and the Ponemon Institute show that while the investment in cyber security tools and resources has risen, their effectiveness to combat a cyber attack has not increased by the same amount. How can this be? Shouldn’t a larger investment mean better cyber security? The problem is that the spending seems to be unfocused. Too often, many different types of software are purchased without regard for compatibility, who will deploy it, how it will be deployed and when. Lack of breach planning also problematic. 74% of respondents to the Ponemon study said their cyber security planning leaves much to be desired: they either have no plans, ad-hoc plans, or inconsistent processes. In addition, among those who have adopted a response plan, only a third have created a playbook for common attack types to watch out for during daily operations. So, what should your organization do to solve this problem? I propose these three easy steps:
- Have a plan. Have a security response plan that takes into account what types of threats your business could be facing and how to mitigate those threats.
- Security policies and procedures need to be put into place that address your business risk and the ever-changing threat landscape. Practice how you will respond to breach scenarios. Also, policies and procedures surrounding privileged access, remote access and multi-factor authentication are just some of the places to start when building out cyber security best practices.
- Deciding what tools you need that address the above, ensuring they are compatible with each other, and having someone in your organization that has responsibility for managing and updating the tools are also very important. To purchase software that isn’t being deployed or not being used to its fullest potential is just a drain on resources. The same is true for cyber security staff.