Despite a massive increase in cybersecurity investments, companies saw data breaches for the first quarter of 2022 soar, even after reaching a historical high in 2021 according to the Identity Theft Resource Center (ITRC). Additionally, the ITRC report adds that approximately 92% of these breaches were linked to cyberattacks. 

Phishing, cloud misconfiguration, ransomware and nation-state-inspired attacks ranked high for the second year in a row on global threats lists. So, why are attacks on the rise if more security solutions have been implemented? Should security investment shift its focus from reactive solutions to proactive strategies? 

Cybersecurity is much more than just mitigating threats and preventing losses. It’s an opportunity that can have a significant return on investment. It connects directly to a company’s bottom line. 

Cybersecurity as a business opportunity 

The industry cannot deny the power of disruption that modern-day attacks have. As cyberattacks rise, organizations increase their security budgets to keep up with the threats. 

Cybersecurity Ventures estimated in 2021 that global cybersecurity spending would reach a staggering $1.75 trillion by 2025. The PwC’s 2022 Global Digital Trust Insights reveals that the spending security trend shows no signs of slowing down, with 69% of those surveyed predicting an increase in their security spending for 2022. 

However, investing in solid cybersecurity solutions can be much more than reacting to threats. Focusing strictly on cyberattacks and mitigation is a cybersecurity strategy that misses out on the big picture. 

Security is today a must-have component when doing business. Companies demand their customers and partners to include security in their contracts — and companies that cannot meet these expectations are losing out on sales and new business ventures. 

Organizations should also consider investing in cybersecurity to navigate legal requirements — particularly related to data —safely. Not meeting legal requirements and standards will limit a company’s capacity to do business. 

For example, companies face serious risks and consequences if they do not align with international laws like the General Data Protection Regulation (GDPR) or federal U.S. laws like the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act for data companies working in healthcare.

Lawsuits and fines for breaching these laws can amount to millions of dollars and erode the reputation of any company. Additionally, companies should be aware that in the U.S., many states have adopted laws and regulations on how data can be collected, used, and disclosed. 

Cybersecurity also builds brand reputation. Leading companies that engage in cybersecurity promote their strength as a brand value. Customers value companies that manage their data responsibly and ethically and go to great lengths to protect it. 

Rethinking your human security barrier 

Another security mantra that the industry has been repeating since the pandemic began is the need to strengthen the human security element. 

The industry has talked about this issue relentlessly over the past two years. Workshops and creating a culture of awareness, have been presented as the go-to solutions for the human security element. But the stats show us, again, that these solutions do not stop cybercriminals. Phishing and smishing attacks are soaring, with 2021 alone seeing a 161% increase.  

The problem with strengthening the human element is that human error is inevitable. If an organization has thousands of workers and thousands of active devices, eventually, a worker will click on a malicious link. 

Building a strong cybersecurity culture is a good strategy, but it must be rooted in other solutions. An excellent addition is phishing simulation. It is a hands-on approach that can actively educate workers at all levels, helps identify vulnerabilities and risks, and does not present a real threat to an organization. 

Companies should automate as many things as possible when thinking about strengthening the human barrier. Paradoxically, removing the human element of risk from the equation through automation strengthens the human security barrier.  

The keys to the kingdom: Outsourcing your security 

The current cybersecurity environment has reached such levels of complexity that companies are now outsourcing most, if not all, of their security. A 2019 Deloitte survey found that 99% of organizations outsourced some portion of cybersecurity operations. Skurio research revealed in 2020 that more than 50% of U.K. businesses outsource partners for cybersecurity. 

Companies that offer cybersecurity as a service have increased significantly, and the sector is poised to continue to grow. Though, this begs the question, how much control should a company put in the hands of its security partner?

For example, if a customer’s entire cloud environment is managed by a security vendor, including their encryption keys and the organization ID, the customer has absolutely no control over its system. Vendors that offer to take over encryption keys, want to be the administrator on all accounts, and own the subscriptions to all critical applications, should raise eyebrows. 

Additionally, when building an in-house security team, the risks and costs must be considered, along with the benefits. While volatility, burnout, and turnover can play a role and affect security performance, control over your security, in-house rapid detection, recovery, and restoration solutions also weigh in. No company should ever give away the keys to the kingdom. 

Encryption and key management 

There are two approaches a company can take regarding encryption and key management. Outsource them, or choose to build their capacity to manage them with the help of their security partner. 

Instead of offering built-in solutions, some security companies will write up an organization’s security policies and procedures and guide them on what encryption to maintain. 

Companies should be testing their current encryption methods with their software-as-a-service (SaaS) applications, and make sure they are enforcing TLS 1.2 or above. They should also check their databases to make sure that all production data, customer data and environment are being stored in an encrypted manner using AES 256-bit encryption or above. 

Key management is also critical. The main questions to answer are, “How encryption keys are being managed?” “Where they are stored?” and “Who has access to them?”

From crypto-jacking and ransomware to phishing, cloud configuration, and nation-state-inspired attacks, organizations know that they are being hit hard and that the risks they face are real. However, now is the time to go beyond the concept of investing in cybersecurity to prevent losses and build the foundations of a new cybersecurity. This is an opportunity for organizations to rise above the threats of today and the threats of tomorrow. 

A change of perception on how cybersecurity strategies should be built can open doors and drive growth. To continue dumping millions every year into cybersecurity solutions that have already proven to have little results is just not good business. Owning your cybersecurity is key to learning from mistakes and the only way to progress into safer and better work environments.  

Taylor Hersom is the founder and CEO of Eden Data.