COMMENT
The cyber threat landscape is evolving at the speed of light with increasingly complex, obscure and targeted attacks on third-party vendors. While highly recognizable brands remain prime targets, attacks are now hitting organizations that previously didn’t have to worry as much about cyber threats.
For example, according to the “Data Breach Investigations Report 2023” (registration required), companies with fewer than 1,000 employees and those with more than 1,000 employees face similar challenges. Researchers identified 699 incidents with 381 confirmed data disclosures for small businesses and 496 incidents with 227 confirmed data disclosures for large companies.
As if the growing number of attacks weren’t worrying enough, the costs of a data breach continue to increase every year. According to the “Cost of a Data Breach Report 2023” (registration required), data breaches cost an average of $4.45 million in 2023, a 15% increase over three years. Meanwhile, in recent years, the inflation rate has averaged between 3% and 6%. Small businesses are already struggling to absorb these economic increases: with the cost of a data breach growing at double the rate of inflation or more, a single data breach can jeopardize a company’s overall revenue goals.
Perfect storm
In response to the increasing volume, complexity and impact of data breaches, governments and regulators continue to implement and enforce more stringent compliance requirements. To meet these compliance requirements and offer customers assurance about their cybersecurity posture, small businesses already struggling with low revenues and operating margins must spend more money on security technologies and controls. As a CISO or C-level executive trying to balance business growth, compliance, and security today, you may feel like you’re facing the perfect storm.
For these senior leaders struggling to achieve growth and protect data, finding cost-effective cybersecurity investments that stay within conservative budget constraints can seem nearly impossible.
Balancing business productivity innovations, such as artificial intelligence, with responsible security is a prime example of the tension executives face. While AI promises better decisions, automation, and more efficient use of personnel, it also requires unprecedented access to data to function properly, like a big flashing “attack me” sign for threat actors.
Historically, organizations waited for an incident to occur and then purchased a security tool to respond. Today’s threat landscape, however, requires a proactive mindset, as there are countless potential intrusion points and actors, from petty thieves to hostile nation states, attempting to access sensitive data or make a political statement. With computing resources now largely in the cloud rather than neatly contained on-premises, the scope of what CISOs must protect has essentially doubled. As organizations deploy Software-as-a-Service (SaaS) applications to ensure productivity and business continuity, they exponentially expand their attack surface with new access points such as APIs. A single small business can feel as if it is managing security for multiple companies, as each line of business, from sales to marketing to accounts payable, creates its own digital ecosystem.
The skills gap among security professionals adds further tension for CISOs seeking expert guidance on proactive strategies. They face talent shortages along with skyrocketing software costs, stringent compliance standards from multiple regulatory bodies, increases in cyber insurance premiums or even denial of coverage, and the possibility of personal liability, with regulators and prosecutors taking punitive action against executives in the event of incidents such as data breaches. To drive growth and innovation as they navigate this intricate minefield, companies are increasingly relying on automation and artificial intelligence.
Align business goals, security
While automation can help streamline redundant processes, and AI has the potential to facilitate detection and response workflows, integration-friendly security tools that provide a real return on investment remain critical. By integrating security tools and quantitative KPIs into daily processes, small businesses can more precisely align their business goals and security posture.
Calculators and metrics that clearly translate technical capabilities into concrete savings and risk-reduction figures help justify purchases to skeptical C-level executives. Senior leadership teams are responsible for ensuring the company remains solvent, which means they need to understand how security metrics affect the financial bottom line.
Additionally, they need to understand the coverage their security investments provide. Disconnected technologies can create security gaps and blind spots that put the organization at risk of data breaches. To solve this problem, even small businesses need to consolidate solutions across their internal security, fraud and IT teams. This way, they gain insight into their security and privacy coverage and can identify future investments that will add value to their programs, making it easier to obtain approval for new products.
Of course, that’s easier said than done. The cold hard truth is that our new normal is one of high complexity balanced by myriad internal and external stakeholders in an ever-accelerating threat environment.
Both senior executives and CISOs must reconcile this reality and adapt processes appropriately. Business innovation must continue despite ever-evolving threats. While quality vendors can provide support, cybersecurity remains a stormy sea for leaders to navigate. But with collaboration, focus and proactive planning, organizations can stay afloat, even if the waters remain choppy.