{"id":8940,"date":"2020-07-16T07:57:12","date_gmt":"2020-07-16T07:57:12","guid":{"rendered":"https:\/\/www.experfy.com\/blog\/?p=8940"},"modified":"2023-11-28T13:10:33","modified_gmt":"2023-11-28T13:10:33","slug":"can-you-still-afford-not-to-afford-cyber-security","status":"publish","type":"post","link":"https:\/\/www.experfy.com\/blog\/bigdata-cloud\/can-you-still-afford-not-to-afford-cyber-security\/","title":{"rendered":"Can you still Afford \u201cnot to afford\u201d Cyber Security?"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"8940\" class=\"elementor elementor-8940\" data-elementor-post-type=\"post\">\n\t\t\t\t\t\t<section class=\"has_eae_slider elementor-section elementor-top-section elementor-element elementor-element-6488552c elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"6488552c\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"has_eae_slider elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-4cd5df4d\" data-id=\"4cd5df4d\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-94e7094 elementor-widget elementor-widget-heading\" data-id=\"94e7094\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">\n<h4 class=\"wp-block-heading\"><em>COVID-19 changes the game: Now is not the time to risk a cyber-attack.<\/em><\/h4>\n<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-e827c96 elementor-widget elementor-widget-text-editor\" data-id=\"e827c96\" data-element_type=\"widget\" 
data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\n<p>Earlier ransomware incidents that have affected organisations such as\u00a0<a href=\"https:\/\/www.theguardian.com\/technology\/2020\/jan\/02\/travelex-forced-to-take-down-website-after-cyber-attack\" rel=\"noopener\">Travelex<\/a>\u00a0in the UK or\u00a0<a href=\"https:\/\/www.infosecurity-magazine.com\/news\/maze-ransomware-law-firms-french\/\" rel=\"noopener\">Bouygues<\/a>\u00a0in France profoundly question the way cyber security has been managed \u2013 historically \u2013 in many large firms. And they add their names to an ever-growing \u201chall of shame\u201d which already includes British Airways, Marriott, Equifax and \u2013 sadly \u2013 countless others.<\/p>\n\n\n\n<p>Large firms with multi-million IT and security budgets should not end up in that mess. Period.<\/p>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-696f262 elementor-widget elementor-widget-text-editor\" data-id=\"696f262\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\n<p>Calling in one of the Big 4 firms to \u201csort things out\u201d afterwards will not cut it anymore. 
At the heart of the matter is not just the need to \u201cdo things\u201d (protective and layered \u201cdefence-in-depth\u201d measures are well known and have been for decades) but the governance surrounding execution in those firms, the way the prioritisation of security investment was handled over the years, and the cultural and managerial aspects surrounding those.<\/p>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8df3bc1 elementor-widget elementor-widget-text-editor\" data-id=\"8df3bc1\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>\u201cWe can\u2019t afford this\u201d is an excuse we have been hearing too often with senior executives around security over the years. Many CISOs take it as budgetary constraints. It is simply adverse prioritisation. And if security is not visibly towards the top of the agenda with management, you cannot expect good execution to follow regardless of the investments you make.<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:paragraph -->\n<p>One trait many of the firms affected recently by cyber security incidents had in common (pre-COVID-19) was their relatively good economic health. Those were not failing businesses chronically losing money or drastically challenged by digital disruption, as could have been the case for example in the retail sector. They were healthy and established market players churning out healthy profits.<\/p>\n<!-- \/wp:paragraph -->\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-321fc3a elementor-widget elementor-widget-text-editor\" data-id=\"321fc3a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<!-- wp:paragraph -->\n<p>How did they use to assess the threats they face? 
How did they manage their levels of exposure or protection against those? How did they determine the investments necessary to ensure adequate protection?<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:paragraph -->\n<p>Clearly, not very well\u2026<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:paragraph -->\n<p>One thing is certain: They were not really short of cash \u2013 at the time. It may be a simplistic view from a CFO perspective, but the reality is that \u2013 post breach \u2013 money invariably used to appear out of nowhere to get things \u201cfixed\u201d.<\/p>\n<!-- \/wp:paragraph -->\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7793b39 elementor-widget elementor-widget-text-editor\" data-id=\"7793b39\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>That\u2019s the most pathetic part of all those incidents: Shameless executives, who previously would have argued that they \u201ccould not afford\u201d security measures, handing out millions in search of non-existent quick-wins or technical silver-bullets. 
And shameless tech vendors and security \u201cconsultants\u201d lining up, without for a second\u00a0<a href=\"https:\/\/corixpartners.com\/cyber-security-misleading-message-technology-industry\/\" rel=\"noopener\">daring<\/a>\u00a0to tell their clients what they need to hear: Buying more tech won\u2019t help you until you address the cultural and governance attitudes which have led you into that mess in the first place: Endemic short-termism, cognitive biases, or frankly in some cases, threat ignorance and lip service to compliance requirements.<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:paragraph -->\n<p>Of course, once the entire business has been down for several days, priorities are put into perspective and mindsets change, but for how long?<\/p>\n<!-- \/wp:paragraph -->\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-df1be53 elementor-widget elementor-widget-text-editor\" data-id=\"df1be53\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Across the street, various competitors or suppliers would have been rattled and may also start thinking differently, but again, for how long?<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:paragraph -->\n<p>Once the dust has settled, losses are just losses; they may not please the shareholders, but in a context where many things could go wrong for large firms, do they really matter if the health of the business is strong? For St Gobain, Maersk and others \u2013 badly hit by the 2017\u00a0<a href=\"https:\/\/www.wired.com\/story\/notpetya-cyberattack-ukraine-russia-code-crashed-the-world\/\" rel=\"noopener\">NotPetya<\/a>\u00a0outbreak \u2013 lost sales associated with the cyber-attack were estimated in the hundreds of millions and direct costs related to the crisis in the tens of millions. 
Unpleasant, not invisible but manageable \u2013 in good times \u2013 on an otherwise healthy multi-billion balance sheet.<\/p>\n<!-- \/wp:paragraph -->\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-54abeff elementor-widget elementor-widget-text-editor\" data-id=\"54abeff\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Frankly, those days have gone. The COVID-19 crisis changes the landscape totally around cyber-attacks, and that type of cynical approach now borders on plain negligence.<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:paragraph -->\n<p>Which business can now afford \u201cnot-to-afford\u201d good cyber security measures, in a context where most remaining activity has shifted online, and we are all dependent on digital services?<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:paragraph -->\n<p>Security has become essential to keeping the lights on, and nobody can risk a cyber attack in the middle of all this. At the same time, cash has become precious and the business outlook is unclear.<\/p>\n<!-- \/wp:paragraph -->\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-861ae81 elementor-widget elementor-widget-text-editor\" data-id=\"861ae81\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<!-- wp:paragraph -->\n<p>But prioritising against security spending seems unreasonable, even in the face of massive cost reductions, and in particular in organisations where current cyber maturity levels are low.<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:paragraph -->\n<p>Now is the time to look at those maturity problems in the face and to focus the scarce resources available where they will have most impact. 
But cutting security spending to the ground in the midst of the COVID-19 crisis would be disastrous.<\/p>\n<!-- \/wp:paragraph -->\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>Which business can now afford \u201cnot-to-afford\u201d good cyber security measures, in a context where most remaining activity has shifted online, and we are all dependent on digital services? Security has become essential to keeping the lights on, and nobody can risk a cyber attack in the middle of all this.<\/p>\n","protected":false},"author":529,"featured_media":8941,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[187],"tags":[462,463],"ppma_author":[3178],"class_list":["post-8940","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-bigdata-cloud","tag-cyber-security","tag-digital-services"],"authors":[{"term_id":3178,"user_id":529,"is_guest":0,"slug":"jean-christophe-gaillard","display_name":"Jean-Christophe Gaillard","avatar_url":"https:\/\/www.experfy.com\/blog\/wp-content\/uploads\/2020\/04\/medium_b55e5afa-fb86-428a-a054-3be0451df2a4-150x150.jpg","user_url":"https:\/\/www.corixpartners.com","last_name":"Gaillard","first_name":"Jean-Christophe","job_title":"","description":"Jean-Christophe Gaillard\u00a0is Managing Director and Founder at Corix Partners. He is also a Non-Executive Director with\u00a0<a href=\"https:\/\/www.stratasecurity.co.uk\/\">Strata Security Solutions<\/a>, a specialized cybersecurity firm. He has been co-president of the Cyber Security group of the\u00a0<a href=\"https:\/\/www.telecom-paristech.org\/\">Telecom Paris Tech alumni association<\/a>\u00a0since May 2016. 
He is the author of \u201c<a href=\"http:\/\/www.blurb.co.uk\/b\/9015902-cyber-security-the-lost-decade-2018-edition\" target=\"_blank\" rel=\"noopener\">Cyber Security: The Lost Decade<\/a>\u00a0\u2013 A Security Governance Handbook for the CISO and the CIO\u201d. He contributes regularly to\u00a0<a href=\"http:\/\/www.thedigitaltransformationpeople.com\/authors\/jc-gaillard\">The Digital Transformation People<\/a>,\u00a0<a href=\"http:\/\/www.business2community.com\/author\/jc-gaillard\">Business 2 Community<\/a>, and\u00a0<a href=\"https:\/\/www.iotforall.com\/\">IoTforAll<\/a>\u00a0platforms, as well as the\u00a0<a href=\"https:\/\/www.thebtn.tv\/\">Business Transformation Network<\/a>. He is an expert contributor on the\u00a0<a href=\"https:\/\/ciowatercooler.co.uk\/members\/jean-christophe-gaillard\/activity\/\">CIO Water Cooler<\/a>\u00a0and has previously published articles on\u00a0<a href=\"https:\/\/www.infosecurity-magazine.com\/opinions\/bridging-gap-security-it-operations\/\">InfoSecurity<\/a>\u00a0Magazine,\u00a0<a href=\"http:\/\/www.computing.co.uk\/ctg\/opinion\/2396800\/how-to-achieve-effective-cyber-security-in-a-hyperconnected-world\">Computing<\/a>, the C-Suite.co.uk,\u00a0<a href=\"http:\/\/www.informationsecuritybuzz.com\/?s=gaillard\">Info Sec Buzz<\/a>\u00a0and the\u00a0<a href=\"http:\/\/www.director.co.uk\/blog-cyber-insurance-what-do-you-think-youre-buying-20323\/\">IoD 
Director<\/a>\u00a0websites."}],"_links":{"self":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts\/8940","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/users\/529"}],"replies":[{"embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/comments?post=8940"}],"version-history":[{"count":5,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts\/8940\/revisions"}],"predecessor-version":[{"id":34444,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts\/8940\/revisions\/34444"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/media\/8941"}],"wp:attachment":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/media?parent=8940"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/categories?post=8940"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/tags?post=8940"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/ppma_author?post=8940"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}