Whether you’re the CEO of a fast growing start-up or a veteran enterprise executive, it’s easy to get overwhelmed by the number of online threats posing real risk to your business. Technologies are getting more complex, attackers are becoming more sophisticated, and stories of massive hacks, data breaches and privacy issues are all over the news.
As a long-time chief security officer and practitioner, I’ve helped hundreds of start-ups, international businesses, governments and regulators improve their cybersecurity architecture to build and maintain customer trust. Over the years, I’ve seen some fantastic approaches to risk mitigation and some not-so-fantastic approaches.
What’s clear to me is that businesses that take a holistic approach and build cybersecurity into their strategy from the start end up more successful down the line. This approach gives them a key differentiator to gain customer trust, which in turn gives them access to valuable customer data — and in a data-driven world, that’s gold.
So just how do you keep your business secure so you can build — and avoid losing — customer trust? Here are the four key mistakes that I see companies of all sizes making over and over. These mistakes are so common that simply avoiding them will likely put you ahead of your competitors.
Mistake #1: Trying to boil the ocean
Cybersecurity is fundamentally an unfair game. Defenders are expected to predict and prevent new attack vectors as they arise, while attackers just need to find a single critical vulnerability (or chain together multiple smaller ones) to gain access to the system. Organizations that don’t understand and accept this reality are unfortunately destined to fail.
As a business leader concerned about cybersecurity, one of the worst things you can do is try to stop every single attack. It’s critical to understand that perfect cybersecurity is a goal you must always strive for but will never reach. Make sure you understand your organizational constraints — be they technological, budgetary or even political — and work to minimize risk with the resources you’re given. Think of cybersecurity as a game of economic optimization.
Mistake #2: Locking the door and leaving the window open
When a company dedicates most of its cybersecurity resources towards addressing a single area or deploying a specific technology, it is important to ask why. In some cases, it legitimately makes sense in the context of the business. But in most cases, it’s due to other factors such as executive pressure (“one of our senior people heard about this threat at a conference”), internal politics (“we have the budget allocated for this specific area”), or existing commitments (“we spent a lot on this technology and want to use it as much as possible”).
When you’re addressing security risks, think in terms of severity and likelihood. While you hear a lot about high-profile cyberattacks like Stuxnet — complex, multilayered attacks executed by elite hackers working for nation-state entities — the majority of cyber breaches are much more mundane. In fact, you’re much more likely to get hit by something like WannaCry, a relatively simple piece of ransomware that caused $4 billion in damage. It exploited a publicly known Windows vulnerability for which Microsoft had released a patch months earlier, but many companies had not yet deployed that patch.
Start by sitting down with your team and asking if they have a holistic, end-to-end threat model of your business. Encourage them to think about it from the point of view of a hacker: what would they want to achieve and what’s the easiest way to achieve it? Once you’ve identified your crown jewels and the path of least resistance, focus on adding economically efficient obstacles to that path.
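Mistakes #1 and #2 both come down to the same calculation: find the attacker's cheapest route to the crown jewels, then spend where each dollar raises that route's cost the most. The following Python is an added illustration, not part of the original article; the attack graph, effort numbers, control names and prices are all constructed and purely illustrative. It models attack steps as a weighted graph, finds the path of least resistance with Dijkstra's algorithm, and ranks candidate controls by attacker effort gained per unit of defender spend, then builds a greedy plan within a budget.

```python
"""Attack-path cost model: rank defensive spend by how much it raises the
attacker's cheapest route to the crown jewels.  Constructed example."""
import heapq
from typing import Dict, List, Tuple

# Constructed attack graph: edge weight = rough attacker effort (arbitrary
# units) to move from one foothold to the next.  Names and numbers are made up.
ATTACK_GRAPH: Dict[str, Dict[str, float]] = {
    "internet": {"phish_employee": 2.0, "exploit_vpn": 6.0, "web_app_sqli": 4.0},
    "phish_employee": {"workstation": 1.0},
    "exploit_vpn": {"internal_net": 1.0},
    "web_app_sqli": {"customer_db": 1.0},
    "workstation": {"internal_net": 2.0},
    "internal_net": {"customer_db": 3.0},
    "customer_db": {},  # the crown jewels
}

# Candidate controls (constructed): name -> (from_node, to_node,
# extra attacker effort added to that edge, defender spend).
CONTROLS: Dict[str, Tuple[str, str, float, float]] = {
    "phishing_training": ("internet", "phish_employee", 1.0, 5.0),
    "mfa_on_workstations": ("phish_employee", "workstation", 5.0, 20.0),
    "waf_and_param_queries": ("web_app_sqli", "customer_db", 8.0, 15.0),
    "network_segmentation": ("internal_net", "customer_db", 6.0, 40.0),
}


def cheapest_attack_path(graph, start, goal) -> Tuple[float, List[str]]:
    """Dijkstra: the path of least resistance and its total attacker effort."""
    dist = {start: 0.0}
    prev: Dict[str, str] = {}
    heap = [(0.0, start)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist.get(node, float("inf")):
            continue  # stale heap entry
        if node == goal:
            break
        for nxt, w in graph[node].items():
            nd = d + w
            if nd < dist.get(nxt, float("inf")):
                dist[nxt] = nd
                prev[nxt] = node
                heapq.heappush(heap, (nd, nxt))
    if goal not in dist:
        return float("inf"), []
    path = [goal]
    while path[-1] != start:
        path.append(prev[path[-1]])
    return dist[goal], path[::-1]


def apply_control(graph, control):
    """Return a copy of the graph with one edge hardened by the control."""
    src, dst, extra, _spend = control
    new_graph = {n: dict(edges) for n, edges in graph.items()}
    new_graph[src][dst] += extra
    return new_graph


def rank_controls(graph, controls, start, goal):
    """Score each control by attacker effort gained per unit of defender spend.

    Returns (name, new_cheapest_cost, spend, gain_per_unit_spend), best first.
    A control that hardens an edge off the cheapest path scores zero: it locks
    the door while the window stays open."""
    base_cost, _ = cheapest_attack_path(graph, start, goal)
    scored = []
    for name, control in controls.items():
        new_cost, _ = cheapest_attack_path(apply_control(graph, control), start, goal)
        spend = control[3]
        scored.append((name, new_cost, spend, (new_cost - base_cost) / spend))
    return sorted(scored, key=lambda s: s[3], reverse=True)


def plan_within_budget(graph, controls, start, goal, budget):
    """Greedy plan: repeatedly buy the affordable control that raises the
    attacker's cheapest path most per unit spent, re-evaluating after each
    purchase because the path of least resistance moves."""
    remaining = dict(controls)
    chosen: List[str] = []
    spent = 0.0
    while True:
        affordable = {n: c for n, c in remaining.items() if c[3] <= budget - spent}
        if not affordable:
            break
        best = rank_controls(graph, affordable, start, goal)[0]
        if best[3] <= 0:
            break  # nothing left that changes the attacker's cheapest route
        name = best[0]
        graph = apply_control(graph, remaining.pop(name))
        chosen.append(name)
        spent += best[2]
    final_cost, _ = cheapest_attack_path(graph, start, goal)
    return chosen, final_cost, spent


if __name__ == "__main__":
    cost, path = cheapest_attack_path(ATTACK_GRAPH, "internet", "customer_db")
    print(f"path of least resistance (effort {cost}): {' -> '.join(path)}")
    for name, new_cost, spend, gain in rank_controls(ATTACK_GRAPH, CONTROLS, "internet", "customer_db"):
        print(f"  {name:24s} new effort {new_cost:5.1f}  spend {spend:5.1f}  gain/unit {gain:.2f}")
    print(plan_within_budget(ATTACK_GRAPH, CONTROLS, "internet", "customer_db", budget=35.0))
```

In this constructed graph the cheapest route is the web application, so the three controls that harden the phishing and network paths score zero until the web edge is fixed; only after that purchase does phishing training start to pay. The effort numbers are the hard part in practice: they come from your threat model and your own testing, not from a spreadsheet, and the ranking is only as honest as those inputs.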
Mistake #3: Forgetting to hack yourself
Thinking you’re secure without conducting a “white hat” (ethical) hacking assessment is like putting your product on the market before performing quality tests. You can’t reasonably assert that you’re secure — or report to your board of directors that you are — until you’ve had ethical security researchers try to attack you.
If you don’t have the necessary resources internally, hire professional penetration testers. They look for unpatched software vulnerabilities, test your firewall settings, attempt to install malware on your endpoints, conduct SQL injection attacks on your web properties and use targeted phishing campaigns to try to get inside your network. Test your cybersecurity at least once a year, and take the necessary steps to prioritize and fix the vulnerabilities that are identified.
Mistake #4: Leaving security for a future version
Companies are often so focused on getting their product or service out the door that they lose sight of their cybersecurity risk. Fast-moving start-ups in particular may feel ‘safe’ because they’re flying under the radar, thinking they don’t have enough data, customer information or money for hackers to care about them. Then, all of a sudden, the business has grown to the tipping point where it has real value and people are noticing, including hackers.
If you haven’t already established a good cybersecurity architecture, there’s a high likelihood you’re going to be breached. The best defense is to start thinking about cybersecurity as early as possible. That includes drafting a security policy, putting incident response mechanisms in place, and most importantly, assigning responsibility to one specific employee or team of employees. Keep in mind that if everyone is in charge of cybersecurity, then in effect no one is in charge.
Cyberattacks are getting increasingly sophisticated with the potential to cause greater harm in an increasingly complex digital world. The good news is that it’s never too late to fix a mistake.