Why don’t organizations invest in sufficient protection? The reflex answer is cost. But that answer is overly simplistic and not truly accurate. Once a company is hacked or ransomed, they will pay inordinate sums to resolve the attack. They will pay criminals who just want their money. They will pay IT professionals to mitigate and investigate the attack. The cyberattack that was once a vague possibility is suddenly painful and very real. In most cases it is effectively too late: critical information has been stolen, or the network is completely down with systems and data encrypted and the company is being ransomed (or all of the above). After a company has endured a cyberattack, if they survive, they have no problem investing in an effective Cybersecurity program. Because they endured an attack and know what is being protected against, they don’t want it to happen again.
Another reason organizations don’t invest is that they think their current IT resources have it covered, or blindly assume their employees will keep them secure by not falling for phishing and other tactics. If asked, leadership will say, “we’re good”, or “we’re happy with our service”, without truly knowing, testing, and verifying that their measures are protecting them against the full extent of threats they face. In these situations, occasional network penetration testing (an Attack Audit) is prudent, at the very least, to verify that the network is indeed secure.
In many cases (though certainly not all cases), we find supposedly secure networks with significant if not critical security holes; some have malware already running on their systems, setting them up for attack. The reality is that unless an IT team or an IT provider has appropriate experience and focus on Cybersecurity, they won’t design secure environments. Their security solutions reflect their level of attention and knowledge.
Our desire is for such threats to never become a reality for organizations. Unfortunately, over our 20+ years of providing IT services and security solutions, we have only seen the problem grow worse. The sheer number of attacks, their sophistication, damage caused, and information and monetary losses continue to grow exponentially. Without sincere, purposeful action, organizations will continue to face this mounting risk.