Here at Arctic Security, we try to avoid writing FUD (fear, uncertainty, doubt) articles as people are quite tired of that – and rightly so. We always try to bring something concrete and pragmatic to the discussion. Sometimes, though, you do need to hear the grizzly details to get the full picture. This is one of those times. So, while the next paragraph isn’t fun, it’s the truth.
The past five years of industry reports makes for grim reading. Cybersecurity-related risks and associated damages have increased exponentially. Reports from the US show a reported breach about every 10 seconds in 2021, up from every 40 seconds in 2016. Materialized security breaches are increasing in cost by 15% year-on-year. Cyber insurance shows similar development, and we have heard of annual premiums increasing by 200% or more, primarily due to ransomware. Annual cybersecurity-related costs are predicted to surpass USD 10 trillion by 2025. That is an unimaginable amount of money, time, and resources.
On its face, the situation sure does seem dire. The financial costs and likelihood of a breach are increasing exponentially. Naturally, most businesses agree that increased protections are necessary. But in practice, companies can’t meet this new situation by expanding their cybersecurity budgets exponentially to balance the risk. It’s a tough choice, nobody is doubting that. Free surplus cybersecurity money cannot simply appear out of thin air. In practice, any new resources that get added to your cybersecurity end up coming from other parts of your business, often the IT department. Exceptionally few companies are willing to sacrifice growth or revenue generation investments in order to move resources into their cyber defenses.
Arctic Security has thought about this problem for some time now. We have looked at the available solutions and have come to a different conclusion than many in the industry. Rather than advocating for figuring out how to justify exponential spending on cybersecurity, we believe that the answer is more affordable and effective cybersecurity solutions. When your cybersecurity spending is a fraction of your IT budget (probably, if your company is on the small side), this means that investing in top-of-the-line solutions and managed services may not be feasible. Even the starter plans for these types of security solutions may be outside your budget, even though it has been well documented that most of the economic damage from cyber incidents can be traced to not having security basics in order.
So… what can you do? How can you significantly improve your cybersecurity posture without breaking the bank? Here are our top three suggestions:
- Invest in a genuine understanding of your IT assets and their security implications
Why does it take months to determine whether you were affected by vulnerabilities found in Log4J, VMware, Exchange, Pulse Secure, and hundreds of other commonly installed software solutions that were vulnerable in 2021? Most companies don't know what issues they have or if they should be concerned. Nowadays, this is often called External Attack Surface Management (EASM). Getting this right is basic groundwork, but it must be done. And one of the best things about it? It can teach your IT staff an awful lot about cybersecurity. We made our free service Asset Discovery and Assessment for exactly this reason. Give it a try and get to know your assets like never before.
- Invest in cybersecurity training for the people you already have
Hiring for cybersecurity positions is difficult, frustrating, and expensive. Entire categories of security problems arise from software deployed and configured without paying proper attention to the risks. But this isn’t rocket science – your IT staff and developers will be able to understand the concepts. Offer them security training. There are many descriptions of organizational security essentials, and the material compiled by NCSC-UK on their cyber essentials resource is a great starting point.
- Invest in getting visibility on the known security problems within your infrastructure
Unknown problems keep us up at night, but known issues are something you can fix right now. Taking care of the security basics is already a task for IT, but it only takes a little bit of help to notice these problems. Most of the security problems in production systems are not discovered until something terrible (or strange) happens, and someone complains about a service. Systematic monitoring will reveal many of these. You can run periodic vulnerability scans or use continuous monitoring, which is exactly what our early warning service Arctic EWS does. You can try a one-month free trial right now.
Our proposals are cost-effective because they don't require significant up-front investments. You can achieve most of them by dedicating more IT staff time to security work, increasing the commitment as you go. Even continuous monitoring can be affordable, as we seek to demonstrate with our efforts to make it accessible to most companies that care about their cybersecurity.
Having these basics in place is the solid foundation for more advanced defenses. You will have a much better baseline for measuring your progress when you begin implementing them.