When will they ever learn?

Having worked at the sharp end of the cyber security industry for over 20 years, conventional wisdom suggests that we should have learnt lessons and come a long way in protecting our businesses, assets and critical national infrastructure (CNI). The truth is that while we have made great progress, cyber criminals are still one step ahead and too many companies make it easy for them by not doing the basics. This includes patching, multifactor authentication, segmentation, network hardening, and more.

So, while 2021 has been unique and challenging in many ways, it has also been depressingly familiar. Our penetration testing and red teaming exercises discover the same issues and vulnerabilities time after time. Many organisations that are sold a promise and invest hundreds of thousands of pounds in new cyber security technology are often left with a false sense of security. In reality, very few companies enjoy the levels of protection they think they have.

Cyber security has always been and remains a business problem first and foremost, rather than a technology one. It’s about having the security dial in the right place in the context of the business’s needs and risk appetite. To do this, business leaders first need to understand the risks and the value of their data assets to attackers to make informed decisions and justify investment in the right places.

But for many companies, it takes the hardest lesson of all – when they get attacked – to wake up, respond and take action. And it can be drastic. Companies hit by ransomware attacks – whatever their size – face a crisis that can be extremely costly, time-consuming and mentally exhausting.

It’s far better to learn from others and be proactive rather than reactive. And there are positive signs with a move away from the traditional checkbox approach to security to more outcomes-based security. This is where regulators and authorities define the desired outcomes rather than simply prescribing measures to get there.

It’s the difference between being told you need a 6ft fence to being told you need to do whatever it takes to keep people out. This change is being driven by regulator schemes such as CBEST in banking…