
Security in a Complex World: Focus on the Simple

Some interesting lessons appear in the recent Financial Times article on the state of ransomware, data breaches, and cybersecurity. First, the numbers are a bit alarming. As the sheer volume of threats continues to spiral, the concomitant spend on cybersecurity measures has become daunting, particularly for smaller companies. In 2024, $9.5 trillion will be spent on cybersecurity, a threefold increase in nine years. While that statistic seems to fly in the face of the “focus on the simple” dictum, a closer reading shows which mitigation factors offer the highest value. Hint: It's not the expensive or complicated ones.

Data breaches at large companies make front-page news, but small and medium-sized companies are twice as likely to be targeted, principally because opportunistic bad actors see them as “soft” targets. And the primary vector of attack, by far, was social engineering, including email phishing, targeting Microsoft Outlook and 365 (formerly Office).

As to what organizations can do, the article provided some truly fascinating statistics. Employee training and incident response planning/testing were the factors that statistically provided the greatest mitigation effects, far greater than those of sophisticated technological defenses that small or medium-sized businesses might struggle to implement.

Other measures discussed included: offering employees access to only those programs they need to do their jobs; vetting the company's digital supply chain; and focusing on zero-trust, a security framework that requires the continuous validation of all users.

Even in an increasingly complex technological landscape, simple practices still prove to be strong mitigation factors. 

 

An analysis of 1.7bn emails a day by Mimecast, the security platform, found that typical users at small- and medium-sized companies were twice as likely to encounter threats as those at large companies.