In 2023, the global average cost of data breaches was $4.45M. And with Cybersecurity Ventures forecasting a 15% per year increase in the cost of global cybercrime, hitting $10.5T by 2025, the future is not looking much safer for businesses. As they continue to face the cost of cyber breaches, it's increasingly clear that the traditional security approaches businesses adopt are insufficient.
A tunnel-vision focus on perimeter or external security measures, such as firewalls, intrusion detection and prevention systems and access control, often gives business leaders a false sense of security. In reality, as modern cyberattacks increase in frequency and sophistication, these measures alone often cannot withstand an attack. It's time for business leaders to rethink their approach.
The problem: compliance is not enough
The problem is that IT departments often view cybersecurity as a compliance hurdle rather than an act of protection. They're aware that cyber threats are costly, and they're aware that businesses are vulnerable. But the response is often shaped only by legislation that threatens those who don't adapt with hefty fines and reputational damage, as evidenced by policies like the EU Cybersecurity Act, rather than by advice on the most effective way to protect a company's assets.
Without looking beyond compliance and regulatory demands, organisations can come to over-rely on perimeter defences and single sign-on solutions, creating a false sense of security for those that believe compliance equals safety. This illusion of safety is only compounded by those who choose to outsource responsibility to security vendors. One thing that the SolarWinds hack, one of the biggest breaches of the 21st century, has shown us is that an over-reliance on external advice increasingly blurs the lines of accountability. Whether for breaches themselves or for the maintenance and updating of infrastructure, this confusion can inhibit effective communication about security concerns across the business.
An inside-out approach: assume breach and take control
So, if the traditional approach of focusing on keeping attackers out proves insufficient, how can businesses adapt? Working from the inside out flips existing mindsets and assumes a breach is possible and imminent. This means the focus should be on protecting assets and networks rather than building up the walls around them.
This will ensure IT departments take control of their networks by putting measures in place to limit damage after a breach. Using air gapping technology, for example, businesses can segment parts of their networks that have been breached or are most at risk of being breached to reduce the attack surface and protect sensitive data. Once an attack has been mitigated, systems can also be instantly brought back online, allowing business operations to continue as normal.
Going one step further, some organisations may even keep certain devices or networks offline entirely when they are not actively in use. This 'default disconnect' mindset is particularly effective in a critical national infrastructure setting, where a variety of legacy IT and OT systems are in use, which are particularly vulnerable to attack.
The role of C-suite leadership
But where should this drive for change within an organisation come from? SolarWinds highlighted the need for a clear delineation of responsibilities and accountability within an organisation's leadership when it comes to cybersecurity. In today's rapidly evolving threat landscape, there's no space for confusion, and C-suite direction on overall security strategy is no longer optional. As the cost of cybercrime continues to grow, new regulations will likely come into place that hold leadership accountable for security incidents. So, the direction for adopting an 'inside-out approach' needs to come from the top, as does the decision to disconnect assets in the case of a breach.
This goes beyond allocating budget and directing strategy. C-suite leaders should also champion a culture of security by actively participating in security discussions, prioritising security awareness, and creating a culture where individuals feel they can step forward and flag potential incidents. Setting this strong tone from the top empowers employees to be vigilant and make security a core value.
Final thoughts
According to a Microsoft study published earlier this year, only 13% of UK organisations can be described as "resilient" to cybercrime, and 39% are defined as high-risk. As it stands, organisations are not doing enough to protect their assets. Emerging technology like AI and quantum technology will also bolster the toolkits of cybercriminals, and businesses need to re-evaluate their cybersecurity posture. Implementing a multi-layered security set-up is the most effective way to protect your assets. This means going beyond traditional perimeter measures and outsourced responsibility to security providers, and implementing base-layer security that keeps what should be offline, offline until it is needed. Looking at your cybersecurity stance from the inside out will allow business leaders to take back control while giving them the peace of mind that assets are secure.