Today, the growing scale and sophistication of cyberattacks make one thing inevitable: sometimes your team might take a loss. Think of it like football. Bad actors have grown from JV squads to Super Bowl contenders, bringing highly skilled, professional — and well-funded — teams with an intensity that requires targets, ranging from businesses to government agencies, to be ready for them at all times.
So, if these attacks on high-value targets like financial institutions are now less a matter of “if,” and more a matter of “when,” how can we prepare? By reducing the likelihood of a successful cyberattack while also building out a plan for quick recovery and minimal business disruption. It’s this combination of offense and defense that will help keep the inevitable from becoming the insurmountable.
Cybersecurity: what’s your game plan?
Despite awareness of the damage these cybercrimes can cause, organizations face a number of obstacles on their way to comprehensive cybersecurity, including budgetary restraints, operational requirements, or an underestimation of the scale of threats. Then, when a data breach or other security event does occur, it’s not unusual to hear claims that nothing could be done — that the opponent was unstoppable.
Any winning coach knows that even when a team takes the loss, there’s no room for excuses. A loss is a chance to examine what went wrong, identify weak spots, and prepare for the future. The same goes for cybersecurity. For example, the recent U.S. government breach, which included data from the Department of Energy, can be viewed as a learning opportunity that allowed officials to examine what could have been done differently, and how changes could help mitigate or even block future attacks.
Above all, organizations should develop a winning game plan: one that takes cost, security, and ease of operations into consideration in equal measure. It’s a delicate balance.
The best defense against cyberattacks is a good offense.
Given the constant improvements and innovations in large-scale cybercrime, it’s unlikely any organization can remain 100 percent secure at all times. To even attempt to build an impregnable online fortress would probably require processes or systems that are too burdensome to be useful. That means there will always be trade-offs as an organization moves between ease of use and security.
It’s not easy to decide which trade-offs to make, however. To continue the football metaphor, a defensive player can come under fire from coaches for giving an offensive player too much room to move, only to be taken to task later for covering too closely, limiting his ability to change course as needed. In the same way, companies and government agencies are regularly criticized either for being underprepared in the event of a security breach or for overcompensating by requiring onerous security measures.
Businesses should pay attention to their situation and what these trade-offs mean for them right now. It’s easy to be a Monday morning quarterback — there’s always something you could have done better. But in the game, you have to call your plays the best you can.
Building a deeper cybersecurity “bench”
Just as NFL teams face spending caps and limited budgets, organizations can commit only so much money to cybersecurity. Every department has its basic operating budget, plus (usually) a five- or 10-year plan of future expenditures. Of course, most managers want extra resources for their own squads along the way, too.
The team that focuses solely on beefing up defense without considering offensive needs is likely to lose a lot of games. Organizations taking the same approach will likely limit their ability to serve customers or users. To strike that ideal balance, they should deepen their bench and address the complementary aspects of security and functionality. The tension between the two requires steady leadership and a holistic approach — one that can help prevent cyberattacks whenever possible and reduce the severity and lasting impact of those attacks we can’t avoid.
The key to deepening your company’s bench and building long-term improvements into your cybersecurity program, then, is to determine which measures will provide the most essential protection for the amount invested. Every executive will have a different answer, but all should agree that expert coverages, services, and support will go a long way in helping to prevent significant harm from cyberattacks.
This website is general in nature, and is provided as a courtesy to you. Information is accurate to the best of Liberty Mutual’s knowledge, but companies and individuals should not rely on it to prevent and mitigate all risks as an explanation of coverage or benefits under an insurance policy. Consult your professional advisor regarding your particular facts and circumstance. By citing external authorities or linking to other websites, Liberty Mutual is not endorsing them.