The main mistakes made by companies in cybersecurity

The number of companies paying a ransom for data hijacking rose from just 10% in 2019 to 54% in 2022


The year 2023 saw an increase in data hijacking (ransomware) and extortion in companies, according to data from the new Allianz Commercial report, Cybersecurity Trends 2023: The latest threats and risk mitigation best practices – before, during and after a hack.

Although the frequency of cyber incidents stabilized in 2022, the survey showed a 50% increase in ransomware cases in the first half of 2023, with the increase in models such as Ransomware as a Service (RaaS). For NovaRed, one of the largest cybersecurity companies in Latin America, executives still make basic security mistakes that lead to the worsening of cyber vulnerabilities and difficulty in preventing and responding to threats.

“Those who don’t take care of their business’ cybersecurity end up paying dearly sooner or later. To give you an idea, the Allianz survey shows that cyber breaches that are not detected and contained early can lead to repercussions that are up to a thousand times more expensive than if the environment were properly prepared to prevent and quickly respond to cyber incidents. However, some basic mistakes are still made in everyday corporate life and lead to even greater vulnerabilities”, says Adriano Galbiati, director of Operations at NovaRed.

The executive listed five of the main mistakes made by companies in cybersecurity this year:

Faced with increasingly complex digital environments, especially with the recurring sharing of data with third parties, monitoring risks becomes even more challenging. Adriano Galbiati highlights that there is no way to defend data without knowing which data exists and is susceptible to attack. “Shadow IT, for example, is a phenomenon that has been discussed for over 10 years in large organizations, in which departments outside IT implement new tools without notifying their colleagues. In other words, both security and IT professionals are unaware of new risks involving the use of technologies with sensitive company information. This is still something that happens frequently in business and demonstrates a lack of preventive culture among all professionals.”

For Adriano, the root of the main deficits in information security is due to the lack of alignment with the executive board. Furthermore, cybersecurity needs to be structured from leadership to be prioritized in all processes. “Executives’ lack of knowledge about cyber risks means that investments in the area are scarcer. Having professionals specialized in cybersecurity participating in decision-making makes all the difference in ensuring more assertive targeting of monitoring and security resources, as well as prioritizing cybersecurity across all company departments,” he explains.

With the increase in cyberattacks, prevention must be worked on to minimize vulnerabilities, but companies must also have a Cybersecurity Incident Response Plan (IRP) in case an attack materializes. This strategy is part of risk mitigation and makes the recovery process less damaging in financial, legal and reputational terms. “If the organization does not have a plan or any structure for responding to the incident, the recovery process will take longer, as it requires an analysis of the environment that will probably lead to few conclusions. Until this is all done, part of the evidence will already have been erased by the cybercriminal,” says Adriano.

The executive also highlights how a lack of preparation for incidents can lead to hasty measures that harm the process of evaluating the scale of the attack: “When a ransomware attack is happening, a big mistake is thinking that you can interrupt it by shutting down the server. In reality, the data may be lost permanently and the security team will not be able to investigate the evidence of what caused the vulnerability. The right thing to do is to isolate the network equipment and leave it to be evaluated after the attack,” he says.

Due to the complexity of the cybersecurity area, Adriano says that companies need to have qualified and up-to-date professionals to protect themselves from new cyber threats on the market and avoid new points of vulnerability. However, the shortage of qualified labor and the high turnover among professionals become major obstacles to obtaining strategic security partners. “Having good partners is essential to be able to implement new technologies safely and draw up effective cybersecurity plans. In companies with less digital maturity, with even more limited resources for defense infrastructure, this difficulty is even more present”, reports Galbiati.

It is estimated worldwide that 3.5 million positions in Information Security will not be filled in 2025, according to Cybercrime Magazine. “This gap could represent, numerically, approximately the population of Uruguay. This is why companies need to integrate in advance with outsourced teams that contain professionals trained to meet these demands, as in the case of a Security Operations Center (SOC), for example.”

Adriano warns about the harmful impact of paying the ransom in data hijacking cases. Still, the practice has been growing recently among professionals unprepared to respond to a cyber incident.

The Allianz report also confirms this habit, indicating that the number of companies paying a ransom went from just 10% in 2019 to 54% in 2022. “When under pressure, paying the ransom may seem like the quickest solution, but you receive your data back in an infected environment prone to new attacks, in addition to proving that cybercrime is a profitable model”, says the executive. A study by Cybersecurity Ventures found that cybercrime will earn USD 10.5 trillion per year by 2025, with annual growth of 15% worldwide.

“For 2024, it is necessary to evaluate all the failures committed, point out what worked, review strategies and, above all, develop an organizational culture capable of guiding all levels on responsibilities in the security of the corporate digital environment”, concludes Adriano Galbiati.

1 COMMENT

  1. A very interesting and current approach in this new world anchored in information and communication technologies.
