Some companies take a mitigation approach to cybersecurity whereby they detect intrusions and attacks, then take steps to stop them in their tracks. This approach was acceptable in the past but, in an era when cyberattacks are escalating in volume, frequency and severity, a mitigation approach can be extremely costly.
The costs of a successful cyberattack include the financial losses that result from being unable to do business, the cost of cleaning up systems and getting them back up and running, and the potential costs associated with lost data. Now, with the Australian government’s mandatory notifiable data breach scheme and Europe’s impending General Data Protection Regulation, the importance of protecting data has grown.
These new pieces of legislation are set to be followed by others around the world. One thing they all have in common is significant fines for failing to prevent a data breach or failing to notify the affected individuals and appropriate government bodies of the breach. This adds a new facet to the cost of cyberattacks.
Nor does this take into account the reputational damage done to a company that suffers a security breach. Regardless of the reason behind the breach, if customers believe their data isn’t safe with a company, they’ll cease doing business with it. Over time, the loss of customer confidence can be devastating to a business.
With so many significant and realistic risks attached to cyberattacks, it stands to reason that preventing these attacks from happening altogether is safer and more cost-effective than looking to mitigate them once they’ve happened.
Encouragingly, recent research by Palo Alto Networks found that cybersecurity budgets in Asia–Pacific are sizeable. Three-quarters of APAC organisations devote 5%–15% of their total IT spend to cybersecurity. China, India and Hong Kong are leading the way, and budgets are on the rise.
However, simply throwing money and resources at the problem isn’t necessarily the best way to proceed. Companies will be better off leveraging systems that automate threat detection and response actions, to preserve budgets and human resources for where they can add more value.
Unfortunately, 58% of organisations in APAC believe that detecting and responding to threats is more important than preventing threats. This is despite the obvious benefits associated with stopping threats before they can affect the company.
To take a cybersecurity prevention approach, organisations should start by instilling a culture in which security is everyone’s responsibility. This includes implementing training programs to educate employees about potential threats and ways to avoid putting the organisation at risk. This training should be conducted regularly to keep security top of mind, and to let employees know about new and evolving cyberthreats.
Making cybersecurity awareness a key performance indicator for employees will demonstrate that the company is serious about security and determined to protect the company from attacks.
Businesses should also implement cybersecurity tools and technologies that identify threats and prevent them from becoming a reality. And they should willingly share information about cyberthreats with other companies in the industry to help create a kind of herd immunity to ongoing, escalating and zero-day threats.
Companies that look to prevent attacks rather than simply mitigate them won’t necessarily be completely immune, since cybercriminals are sophisticated and determined. However, a prevention mindset will harden the company’s security posture, making it a less attractive or easy target for cybercriminals. This will help businesses avoid the significant costs and business disruption caused by a successful cyberattack.