Organizations have cybersecurity as a top-of-mind priority – but are they spending their limited time and resources on the right areas?

Or are many companies’ approaches to cybersecurity often misguided and ineffective?

And if they are, what can companies do to protect themselves properly and proactively?

Cybersecurity experts Greg Ferro of Packet Pushers and Johna Till Johnson of Nemertes recently had an entertaining – and direct – debate on the right approach to enabling cybersecurity. They covered everything from how the wrong mindset leaves companies vulnerable to the practices organizations should view as a top priority.

Here are their conclusions – see if you agree or disagree.

If a Breach Is Only a Matter of Time, What Do You Do?

In this day and age, companies have realized that avoiding or preventing any and all cybersecurity breaches is an impossibility.

One important thing, according to Greg, is to anticipate and prepare. “When a breach happens, and it’s only a matter of time, what are we going to do?”

Contrary to prevailing belief, a breach doesn’t have to be a complete disaster. On the contrary – it can be a business opportunity…if the company is ready to handle the PR fallout.

This means:

• Having an incident response policy (IRP) that covers how you’ll communicate with customers, employees, stakeholders, and the press (and police, if necessary)
• Making sure the CEO is prepped in advance
• Getting everyone internally aligned on policy
• Practicing scenarios where the IRP will come into play
• Understanding how to capitalize on the free media coverage by communicating clearly and openly to consumers about how you’re fixing the issue

After all, as Greg likes to point out, most companies who suffer breaches are still in business and going strong. It doesn’t have to be a fatal event, and with the right comms strategy in place, it won’t be.

Your Two Biggest Priorities: Detect and Mitigate – Not Prevent

If breaches will occur, what can a company do besides get synchronized with their pre-planned response?

Greg and Johna are in agreement: in an environment where you can’t prevent everything, you should spend more to detect cybersecurity events as soon as possible and mitigate their effects as much as possible.

Detection is key for two, big reasons. The first, per Johna’s recommendations, is the comms opportunity it gives you to be proactive with keeping your customers and stakeholders informed should something happen. It’s always better to get out in front of a bad message and control it.

The second, according to Greg, is to try and keep the attacker from getting too far ahead. The longer it takes a company to detect an event, the easier it is for the attacker to extract more data, cause more problems, and wreak more havoc.

In both cases, you want to gain – and keep – initiative. But far too many companies surrender initiative from the beginning by pouring too much time and money into prevention and not having the right methods and means if their prevention methods fall through (and they will).

There Is One Thing You Should Try to Prevent, Though…

You can’t build a system that’s invulnerable to hacking, but the one thing you can and should try to prevent as much as possible is data extraction.

Put another way, just because they infiltrated a system doesn’t have to automatically mean they cause any material damage beyond a PR black eye.

Greg puts it this way: “Wouldn’t it be great to go out to the press and say, we had a massive breach, but we were able to guarantee you – 100% – that nothing got out?”

That’s the dream, and it’s more feasible and practical to devote resources to this kind of targeted prevention than trying to erect a broad-scope, systemic Fort Knox around your data.

To this end, Johna thinks it’s key to be able to identify the “giant gaping holes” that your data can escape through, often in the form of various communications applications that have become ubiquitous in the pandemic era.

What makes finding and fixing these vulnerabilities difficult is often a lack of clarity about who in the organization is responsible for what. Who ultimately has responsibility for overseeing third-party comms platforms (or any other outward-facing portal)? For every possible point of data exfiltration, you need to have someone who is clearly responsible for its security.

How Companies Have the Wrong Mindset About Cybersecurity – and Why It Costs Them

Is a cybersecurity breach a crime?

It usually is – but according to Johna, thinking your company is a victim of a crime can be dangerous.

Why? Because the mindset convinces companies that the “super bad hackers” are solely to blame, and the company did nothing wrong, despite the impact the breach may have on the company’s customers and constituents.

As Johna says, people tend to miss the notion that “philosophically, somehow, we’re saying that simultaneously a breach is your fault, but then you’re actually a crime victim.” The truth is that both parties have a role to play: the hackers, for the exploit; and the company, for making it easier to be exploited.

“If you’re going to be a crime victim,” says Johna, “you have to prove that you didn’t leave all the doors and windows unlocked and bundles of cash sitting around the windows, because then you’re not really going to be credible.”

And when it comes to dealing with cybersecurity in the public eye, credibility isn’t just everything – it’s the only thing.

There’s also the notion that just because a band of cyber-pirates pillage your system, your company isn’t free of its civil liability. A cybersecurity hack isn’t a “Get Out of Jail Free” card. Customers may still have recourse no matter how wronged the company may feel at the hands of those craven ne’er-do-wells.

The Government’s Role in Cybersecurity: What Should It Be?

Finally, Greg and Johna had an invigorating debate over how governments should be involved in what many think is solely a private enterprise problem.

One phenomenon that has really pushed the issue over the past two decades is ransomware: rendering data in a network (or the network itself) unusable unless money is paid to the hackers.

Holding a company for ransom may not be as exciting and visually dramatic as it appears on the silver screen – you know, a mysterious voice over a phone that’s being frantically traced; a car chase or two; ominous one-liners by the heroes as the clock ticks away – but the implications are just as severe.

According to Cybersecurity Ventures, the total cost of global ransomware campaigns will reach $250 billion by 2031. But many governments today in the global community are cracking down on companies paying ransoms to ransomware hackers – very much a “We don’t negotiate with terrorists” mentality that, in their eyes, only encourages more ransomware activity.

That mindset may be theoretically correct, but that doesn’t do much good for companies who are being hit by ransomware attacks today.

There’s also the idea that governments are largely behind the curve when crafting legislation and creating regulations to combat cyber-attacks and help businesses and consumers alike stay protected (or deal with the fallout in the event of an attack).

From a broader perspective, the question of government emerges because the global business community is very much divided into two classes when it comes to cybersecurity issues: those that can afford to mitigate and weather the storm, and those who can’t.

To that point, what is needed is more equality in the IT security world, which Greg likens to a world infested by zombies. In this horror scape, you don’t have to be the fastest person to escape. You just have to be faster than the slowest person.

Johna uses the example of having a home in a high-crime neighborhood. You don’t have to be the most secure house on the block – just more secure than your neighbors.

Similarly, hackers find more success targeting the more vulnerable companies, and there are more of them in the market than there are organizations with sophisticated, elite cybersecurity systems. The industry collectively spends so much on raising the cybersecurity ceiling, when it should be focused as much as – if not more on – raising the floor across the board.

According to Johna, the role of government, in protecting this commons – this environment that all companies share – is clear: to provide the kind of broad investment needed for such a large scale.

Greg, however, believes that “from a business point of view, every penny spent on security is wasted money. It’s not value-producing. It’s not value-enhancing.”

Johna disagrees on two counts, the first being that – akin to defense spending – a lot of important technology comes from investment capital beyond the scope of the initial investment. The Internet itself is perhaps the world’s most important example today, having originated from the U.S. Defense Department’s ARPANET project that began in 1966.

The second is that individual companies who may view cybersecurity spend as a waste on the micro-level may still benefit from a more secure commons. It’s the same logic behind why shipping companies no longer have to arm their vessels while sailing in waters regularly patrolled by the U.S. Navy or U.S. Coast Guard – but they do when sailing around the Horn of Africa, where piracy still runs rampant.

At the end of the day, the question remains: Is everyone doing cybersecurity wrong? Greg and Johna would probably agree that everyone is doing at least something wrong when it comes to cybersecurity; the trick is finding out what that thing is and fixing it.

Check out the full debate for more insight on additional topics that you can use to shore up your organization’s cybersecurity efforts – ideally the right way.