Cybersecurity has been getting a lot of attention with major breaches being announced almost weekly, followed by news articles on record compliance fines and litigation settlements.  So why aren’t we getting better at cybersecurity?

  1. Assumptions.  Many organizations are moving into the cloud and assume that this means all of their cybersecurity needs are being met by the cloud provider.  While some aspects will be covered, others, especially those related to compliance requirements, may not be.  C-Levels and Boards assume their IT resource(s) are handling cybersecurity.  However, true cybersecurity includes informed business decisions around risk, and the related policies, procedures, and technical controls.  IT cannot execute on this alone.
  2. False sense of security.  Businesses see a healthy spend on IT hardware, software and staff and feel that they are protected.  It's important to confirm that the investments follow a cybersecurity program with a layered approach, so that you aren't protecting some areas of risk (like the perimeter) while leaving others exposed (insider threats, lack of monitoring for detection, no incident response plan).
  3. Neglect.  Many of the attacks that have succeeded relied on security flaws that had been patched for months, some for years.  The vendors identify a security issue and release patches in a timely manner, but these patches are not being applied, and that leaves organizations needlessly vulnerable to disruption.  In fact, lack of maintenance is where failure most often happens.  If known vulnerabilities are not addressed, compromise will eventually occur.