Cybersecurity Is More Critical Than Ever, and You (Yes, You) Can Do Something About It Now

By Hannah Young, February 10, 2023, 7 min read

Image by John Klossner

Cybersecurity often looks and feels very aspirational. You’ve heard of “Least Privilege” and “Zero Trust” and understand that they’re important big-picture concepts, but it can be difficult to see how this always translates to an urgent need or a tangible action.

In this article, we walk you through why cybersecurity (or information security/infosec) is more crucial than ever and what you can actually do to make your organization more secure, no matter your role.

Why now?

It’s no secret that we’re in an economic downturn; when you search “are we…,” the first thing Google auto-fills is “are we in a recession?” Combine that with the added security risks of work-from-home (WFH) positions, and you need your employees to be as efficient and secure as possible, as soon as possible.

Three kids trick-or-treating, one is a ghost, one is a witch, and one is a cloud that says “Risk of RECESSION” on it which has made the owner of the house pass out with fear.
Image by Tom Fishburne

Many IT and security teams are overworked and/or haven’t been shown the value of investing upfront time in preventative action that could save them time later (like adopting an IAM (identity and access management) solution or automating permissions). Because they haven’t invested in tools to automate security, they don’t have the time to procure security tools, and on and on the cycle goes until there’s a breach.

Our point? Breaches can’t be the first time you do something about security; they’re far too costly, and it’s often too late once they happen. Not only are there upfront costs of a breach, but there are also opportunity costs from a damaged reputation and not meeting compliance standards, leading to a massive loss in revenue.

Upfront Costs of a Breach

Graph showing the “average total cost of a data breach” in millions of dollars from $4 in 2016 to $3.62 in 2017 to $3.86 in 2018 to $3.92 in 2019 to $3.86 in 2020 to $4.24 in 2021 to $4.35 in 2022
Image from IBM Cost of a Data Breach Report 2022

You’re most likely aware that security breaches are costly. The average total cost of a data breach in 2022 was $4.35 million; this number is at an all-time high with no signs of slowing. This cost is not limited to the direct damages of the breach, such as the value of the data stolen; it also includes the cost of securing your systems afterward, labor costs, costs to your clients, and other associated costs. The total grows considerably if the breach is not identified and contained quickly, and it leads to further losses: the loss of customer trust, loyalty, and revenue.

The Cost of a Damaged Company Ethos/Reputation

It is estimated that 60% of small businesses that experience a cyber-attack will go out of business within six months, a cost far exceeding the tangible damages. Even when companies can continue, the fallout of a lack of security practices includes potential clients forgoing your organization (opportunity costs) and a loss of revenue from customer churn. All these things contribute to the inability of your company to keep operations running smoothly and continue delivering services that clients can trust. Client trust is invaluable; it’s difficult to obtain (and even harder to re-establish), making preventative action crucial to security compliance.

Compliance

Image of a woman looking at a piece of paper walking through a path with cyclical clocks and dollar signs with a sign that says “The Path to Soc2”
Image by StrongDM

No matter your position, you know that compliance takes forever. Whether it’s industry compliance (e.g. HIPAA), geographic compliance, legal compliance, or various cybersecurity frameworks (e.g. SOC 2), compliance standards often require organizations to assess their current posture, identify gaps, and implement the necessary measures to fill those gaps, and these things take time.

There is a boss behind a desk and a male and female worker on the other side of the desk. The boss says: “We have a compliance requirement for compliance… and compliance requires compliance with the compliance requirement.” The next slide says “BLAMMO!!” with explosion marks, and in the final slide, the boss’s head has exploded, and the female worker says, “that wasn’t nice,” while the male worker is smiling evilly.
Image from Charlie Ciso Comic

Achieving compliance standards can be costly and time-consuming, but it can make your organization more secure, improve your company’s reputation, and unlock more deals: the sooner you start, the sooner you can succeed. While these compliance checklists often give you a starting place, they can be too high-level or tedious to implement as your only everyday security practices.

What you can actually do to make your company more secure today

Security isn’t a next-quarter problem: it’s a last-quarter problem, and you’re playing catchup. Save your future self time, effort, and money and stop punting security further down the roadmap; implement practices to make your organization more secure today (or just sign up here to get great practices delivered to your inbox).

Talk to Your Friendly Neighborhood Security Team

You may have heard of your company’s security team or strategy, but between all of the different roles and acronyms (CISOs, CSOs, BISOs, oh my!), it can be challenging to know who to look for, let alone what to talk about. Here’s a brief overview of your company’s security team:

On the phone, one man (Man A) says, “Our audit committee wants to know if your title is Head of Information Security or Head of Cyber Security”. A different man (Man B) answers on the phone and says, “Tell them I’m the Supreme and Glorious Leader of Cyberspace Command.” We return to Man A, who says, “Ok. got it. Uh… is cyberspace one word or two?”
Image from Charlie Ciso comic

A CISO, Chief Information Security Officer, is entirely focused on security (as opposed to a CIO, Chief Information Officer, who’s often the highest ranking person in IT and is more of an IT generalist). They have more specialized knowledge in infosec frameworks and work with the whole security team. They often handle the “big-picture” security strategy while delegating many daily operations to other security practitioners.

A BISO, Business Information Security Officer, connects security with broader business interests. They’re a newer position, popping up in the last ten years or so, and are often seen as a tactical ambassador to the CISO, working closely with the business team to ensure the security of the organization is maintained.

A CSO, Chief Security Officer, is responsible for the organization’s overall security. Where a CISO would be focused on the security of an organization’s digital information assets, a CSO is more of a generalist, focused on the safety of both physical and digital assets.

Nobody knows more about the specific security needs of your organization than your security team, and understanding their strategy is crucial to implementing it through your own actions. Especially if you work on a team like IT, knowing your security team’s strategy can help you invest in tools that aren’t only useful to you but also relevant to your company’s security goals.

Invest in Good Tools Early

A drawn comic of a cow on the left in front of a table of poorly made tools with a barn in the background, the caption says “Cow Tools”
Image from The Far Side comic

While all automation tools have obvious benefits (decreased labor costs, increased productivity, etc.), security automation has its own specific advantages. For example, on average, breaches at organizations with fully deployed security automation cost $3.05 million less than those without security automation and have a shorter recovery time (breach lifecycle) by 74 days (from 323 down to 249 days).

While the point can get lost in the numbers, avoiding roughly 70% of the average direct cost and recovering 2.5 months of productivity in the event of a breach is exceptionally consequential — not to mention the money and stress saved by freeing employees from tedium. If you’re looking to invest in some good tools, we suggest starting with one that helps with access management.

Access management solutions do exactly what they sound like they do: they help you manage who has access to what resources in your organization. This is also known as security authorization (as opposed to authentication). Where manual authorization processes have become cumbersome and time-consuming, there are now products that automate the process within minutes, like Crosswire.

Crosswire gathers permissions across different enterprise applications to implement rule-based access without human intervention. It automatically provisions access and identifies anomalies, providing the IT infrastructure to manage authorization at scale. Your organization is safest when everyone only has as much access as they need, only for the amount of time they need it (a concept we expand on in this blog post), and you can automate this process with access management solutions like Crosswire.

Stop. Hoarding. Permissions.

The idea behind “least privilege” is that everyone should have as much access as they need to do their job and nothing more. Less is more, to each according to their need, etc. Every access point is a point of entry into your company’s IT infrastructure, and the less access you have, the less effective an attack will be.

Taking a mindful approach to granting permissions can help to ensure that there is proper control over who has access to what data and, therefore, will help to reduce your risk. You’re doing your part when you don’t take more access than you need, so stop hoarding permissions and start being mindful of how much access you take.
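To make the two ideas above concrete (rule-based, time-bound provisioning from the access-management section, and the least-privilege check against permission hoarding), here is an added example in Python. It is not Crosswire’s code or any real product’s API; the role rules, users, permission names and timeline are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample rules (hypothetical): each role lists the minimum set of
# permissions that job needs. Least privilege means a user gets this set and
# nothing more.
ROLE_RULES = {
    "engineer": {"github:read", "github:write", "ci:read"},
    "support": {"crm:read", "ticketing:write"},
}


@dataclass(frozen=True)
class Grant:
    user: str
    permission: str
    granted_at: datetime
    expires_at: datetime  # every grant is time-bound; there is no "forever"


@dataclass
class AccessStore:
    grants: list = field(default_factory=list)

    def provision(self, user, role, now, ttl=timedelta(days=30)):
        """Rule-based provisioning: grant exactly the role's permissions, each with an expiry."""
        new = [Grant(user, p, now, now + ttl) for p in sorted(ROLE_RULES[role])]
        self.grants.extend(new)
        return new

    def grant_adhoc(self, user, permission, now, ttl):
        """A one-off grant (e.g. during an incident) that still expires on its own."""
        g = Grant(user, permission, now, now + ttl)
        self.grants.append(g)
        return g

    def active(self, user, now):
        """Permissions the user currently holds (expired grants do not count)."""
        return {g.permission for g in self.grants if g.user == user and g.expires_at > now}

    def has_access(self, user, permission, now):
        return permission in self.active(user, now)

    def revoke_expired(self, now):
        """Clean-up pass: drop expired grants and report how many were removed."""
        before = len(self.grants)
        self.grants = [g for g in self.grants if g.expires_at > now]
        return before - len(self.grants)


def find_excess(store, roles, now):
    """Anomaly check: active permissions a user holds beyond their role's rule set,
    i.e. the 'hoarded' permissions a reviewer should question."""
    excess = {}
    for user, role in roles.items():
        extra = store.active(user, now) - ROLE_RULES[role]
        if extra:
            excess[user] = extra
    return excess


def demo():
    t0 = datetime(2023, 2, 10, tzinfo=timezone.utc)  # constructed timeline start
    store = AccessStore()
    roles = {"alice": "engineer", "bob": "support"}  # constructed users
    for user, role in roles.items():
        store.provision(user, role, t0)
    # bob gets temporary read access to a production database for an incident,
    # for two days only; it shows up as excess until it expires on its own.
    store.grant_adhoc("bob", "prod-db:read", t0, timedelta(days=2))
    day1 = t0 + timedelta(days=1)
    day3 = t0 + timedelta(days=3)
    day31 = t0 + timedelta(days=31)
    return {
        "bob_db_day1": store.has_access("bob", "prod-db:read", day1),  # True
        "bob_db_day3": store.has_access("bob", "prod-db:read", day3),  # False, expired
        "excess_day1": find_excess(store, roles, day1),  # {'bob': {'prod-db:read'}}
        "excess_day3": find_excess(store, roles, day3),  # {}
        "revoked_day31": store.revoke_expired(day31),  # 6 (5 role grants + 1 ad hoc)
        "alice_day31": store.active("alice", day31),  # set(): role grants also lapsed
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The design choice worth noting is that nothing in this model can be granted without an expiry, so the “access only for as long as it is needed” rule is enforced by the data structure rather than by someone remembering to revoke. The `find_excess` pass is the periodic review that catches what the rules did not cover, which is the same job a human access review does, only it runs in milliseconds.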

Training and Awareness

Comic of a professor in front of a white board that says “Cybercrime” in a lecture hall answering a student’s question by saying “No, if you get infected with RANSOMWARE, you don’t quarantine”
Image from © 2021 Cybersecurity Ventures

Even as the importance of security becomes more widely recognized, relatively few people are trained in information security and its practices. Cybersecurity has become a technical discipline, but outside of conferences like RSAC™ (come see us at Booth 21!), it can take time to work out where to look to train yourself and your team. To stay on top of the newest information security trends and practices through trainings, webinars, blog posts, and more, sign up to receive Crosswire’s updates below!
