In 2018, we witnessed some of the biggest data breaches ever – affecting businesses and consumers alike.

From social media, hospitality, healthcare and even mail delivery, 2018 proved that there is no escaping cybersecurity flaws, regardless of the type of business or its popularity. For example, we witnessed the data of approximately 500 million Marriot guests get breached and a USPS security flaw that exposed the personal data of more than 60 million people.

Not only do these kinds of breaches cause reputational havoc, but with new regulations such as the GDPR taking hold, fines are also a big fear factor for business leaders. According to reports, Facebook’s potential fine for its part in the Cambridge Analytica scandal could reach $1.63 billion– a harsh reality for a global giant like Facebook to face and pay up. Even for small businesses, the idea of paying up to four percent of their annual turnover as a fine isn’t a fun one.

With the average data breach costing enterprises $1.23 million and fines in the billions now at stake, security professionals, like chief information security officers (CISOs) and business leaders need to band together to align their strategies and budgets with the protection needed to stand up to today’s evolving cyberthreats.

You would think this is already happening, but then again, why are cybercriminals so often continuing to succeed in breaching big and small brands?

Cybersecurity breaches are unavoidable – protection is a must

According to recent survey results from Kaspersky Lab, almost nine-in-ten (86%) CISOs globally believe that breaches are inevitable. These are the people core to protecting an organization’s information and data security and even they are not confident in being able to mitigate the risk of a cyberattack. And there is a valid reason behind this certainty.

Most enterprises are on a path towards digital transformation, with over half (52%) agreeing that this is the tech trend that will have the biggest impact on the IT security of their organization in the next five years, according to the same report.

Digital transformation widens the surface of attack, giving cybercriminals more opportunities to find weaknesses to creep into systems and leak or exploit data. Cloud adoption, the increasing mobility of workforces and the rise in the use of digital channels, are all contributing factors here, increasing the risks.

Unfortunately, this isn’t the only factor that CISOs are up against. What if a malicious insider – an employee perhaps – was to single-handedly work against a company or even combine their efforts with those of an external attacker? To help them through the backdoor, so to speak.

This sort of threat could be especially difficult to identify and prevent in advance. In fact, it’s one of the most feared types of threats among the CISO community, with 29 percent of CISOs agreeing this is the biggest IT security risk facing their organization – second only to concerns about financially motivated cybercrime gangs at 40 percent.

With fears of digital transformation and malicious employees keeping security professionals up at night already, business processes and budget are also causing a headache for CISOs to ensure a proper security strategy.

Business budgets for security need to be prioritized

With proof points like rampant attacks and reports on concerns of CISOs, one would think it should be easy to bring business leaders on board with supporting a cybersecurity budget.

Although many may think it’s easy for CISOs to justify the need for their budgets, recent research from Kaspersky Lab has shown that they are actually struggling to get the budgets they require to fight off cybercriminals – which contributes to continued attacks and cybercriminal success.

There are a couple of reasons that the budget isn’t being allocated properly to security:

• Sometimes security is lumped into the wider IT budget. A budget that is being prioritized for digital, cloud or other IT projects.
• Most commonly, it’s hard for CISOs to get budget specifically for security purposes because they cannot guarantee that their organization will not suffer a breach.

Proving the ROI in cybersecurity protection presents a challenge, but businesses must side with being prepared, or prepare to live with the fact that they could have done more to protect the company once a breach has hit – or even lose their jobs because of it.

At Kaspersky Lab we think the question: “can you guarantee there won’t be breaches anymore?” isn’t really a question that businesses should be asking.

Business leaders are not asking crucial cybersecurity questions

The right questions lead to the right decisions. There are plenty of reasons why the question ‘can we prevent an attack?’ is not the right one for business leaders to be asking CISOs. So what is the right question to ask?

When it comes to cyberattacks, it’s not a matter of “if” but “when” one will occur. So, the crux of the issue really lies in whether a business can detect an attack fast enough and respond in a timely manner to minimize its impact.

When business leaders are presented with a CISOs request for increased budget or separate security strategy, business leaders should be asking how the money will be used to prevent and detect advanced cyberattacks early on.

Anyone in security will tell you that a “prevention-only” strategy is no longer sufficient. That mindset is out of sync with how businesses today work. When it comes to targeted, highly elaborated attacks, detection and mitigation should instead be the priority for the organization.

Considering the three reasons why cybercriminals are still a success today will allow CISOs and business leaders to improve their protection strategy. It’s not about guaranteeing the complete prevention of cyber incidents, it’s about being prepared and raising the price of attacks for attackers. It’s about making an attack unaffordable, and not worth their while.

More importantly, the CISO’s strategy for security needs to be supported by business leaders, otherwise the security team can’t take immediate action when cybercriminals make attempts to interfere with the organizations’ network. If CISOs and businesses take the necessary measures and think about the three reasons cybercriminals are succeeding, they will improve their overall IT security strategy and increase their chances of staying out of the headlines as the next big brand being hit by a breach.

This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security magazine. Subscribe here.