6 Risks of Not Conducting Continuous Cybersecurity Training
Cybersecurity training is vital. In a field where conditions on the ground change constantly, it is crucial that professionals are equipped with the knowledge and expertise they need to be effective in a crisis. Cybersecurity defenders must constantly maintain mission readiness to defend against coordinated networks of bad actors.
Security awareness training is an important part of the puzzle, but it is not enough. Teaching staff basic internet safety practices is analogous to teaching civilians to be aware of their surroundings and report circumstances and individuals out of the ordinary. It makes a difference and may even deter some degree of crime. But when safety is critical and lives are on the line, awareness isn’t enough.
Modern cybercriminals are professionals. They are always learning, innovating, and evolving new patterns and methods of attack – and they are succeeding. Cybercrime Magazine predicts that, by 2021, the annual cost of cybercrime damages worldwide will reach $6 trillion.[i] That would make the cybercrime industry more profitable than the global trade of all major illegal drugs combined.
Cyberdefense is serious business, and threat actors in this arena will not stop in their mission to wreak havoc. And if cyberdefense specialists do not engage in continuous, up-to-date training, the consequences are severe. Here are some of the risks of neglecting cybersecurity training.
Risk 1: Legal Consequences
Cybersecurity breaches have serious consequences under the law. Each industry has its own compliance regulations, with penalties that in some cases are more severe than those listed below.
Organizations that fail to provide continuous, current cybersecurity training and to adequately secure their data run the risk of severe legal penalties, including the following:
Negligence and failure to exercise due care.
If any type of lawsuit or insurance claim arises as a result of a cybersecurity incident, it is highly likely that the organization’s cybersecurity training – or lack thereof – will be called into question.
Consequences to federal agencies.
The Federal Information Security Management Act requires federal agencies or those handling outsourced agency business to meet certain established cybersecurity standards. Failure to comply may result in a variety of penalties, including reduction in federal funding and censure by Congress.
Breach of state regulations.
As of 2019, 31 states have enacted cybersecurity-related legislation regulating, among others, the insurance industry; election law and security; data security of public records; wastewater discharge; business data handling practices, and public utilities’ information security.[ii]
Risk 2: Financial Loss and Cost of Remediation
Organizations sometimes balk at the price of cybersecurity, but they don’t always consider the cost of not having it. According to the Ponemon Institute’s Cost of a Data Breach Report 2019, the global average total cost of a data breach is $3.92 million.[iii] For companies in the United States, that number is even worse: the average American data breach costs $8.19 million. That’s the equivalent of losing over $22,000 every day for one year.
And the initial cost is only the tip of the iceberg. A cybersecurity incident can continue to cost money for years after the initial attack. Across the companies studied by the Ponemon Institute, on average 67% of breach costs were accrued in the first year, 22% in the second year, and 11% more than two years after the breach.[iv] For organizations without the financial stability to weather severe damage, a cyberattack can spell the end of the company.
Finally, cyberattacks aren’t going to stop anytime soon. In 2019, 51% of data breaches were caused by malicious cyberattacks; these breaches were on average 27% more costly than those caused by human error and 37% more costly than those caused by system glitches.[v] This is the new normal. Cybercrime is not going away, and it is crucial for organizations to protect not only their assets but their financial futures.
Risk 3: Loss of Intellectual Property
Intellectual property is often the most valuable asset an organization has. But in the realm of cybersecurity, that property is also vulnerable to theft and compromise. Depending on the organization’s sector and specialty, many different assets may be at risk, from weapons blueprints and vaccine research to source code and trade secrets.
Cybercrime is big business. Intellectual property and intangible assets may make up more than 85% of a company’s value today.[vi] And while intellectual property breaches do not receive as much press coverage as other cyberattacks, they are every bit as harmful. The ramifications of intellectual property theft can include loss of property, loss of competitive advantage, loss of market share, and even risks to national security. When terrorist hackers are able to access confidential military communications and predict troop movements, the lives of American soldiers are at risk as a result.
Recovering from an intellectual property breach can be impossible. Once data is stolen, it is impossible to control who accesses, trades, sells, and benefits from it. And until organizations make the decision to invest in their own cybersecurity on an ongoing basis, they will continue to incur damage.
Risk 4: Physical Risks
When most people think of cybersecurity, they don’t always think of consequences that affect the offline world. But those consequences are very real, and cyberattacks are completely capable of causing real-world effects.
One of the most well-known cyberattacks with physical consequences is the Stuxnet worm. Discovered in 2010, this malicious computer program was written specifically to target the Iranian nuclear weapons development program. Once installed, Stuxnet spread throughout the networks of nuclear enrichment plants. The virus took over software controlling the centrifuges used to enrich uranium and caused repeated hardware failures leading to destruction.
Stuxnet is not an exception. Other cyberattacks designed to strike at physical infrastructure include the Industroyer malware of 2016, which caused a power outage in Ukraine, and the Triton malware of 2017, which attacked the safety instrumented systems of petrochemical facilities in the Middle East.
As more and more systems become automated and data-reliant, the number of potentially vulnerable points of attack will grow. This is the new reality. And without trained cybersecurity professionals who can combat these ever-changing threats, it is inevitable that physical damages will occur, and human lives will be lost as a result of cyberattacks.
Risk 5: Becoming a Target
Reputation counts for a lot, even among cybercriminals. An organization that has been breached once is extremely likely to be breached again, unless serious measures are put in place to assess and secure vulnerable systems and provide ongoing cybersecurity training. Without these measures, it is entirely likely that the same attackers – or new ones – will simply continue to gain unauthorized access and cause damage.
In the hacker community, information is king and word spreads fast. And information on an organization that leaves the virtual back door open is worth a great deal to the right buyer. Companies that both fail to secure their systems and are also known to pay when threatened with ransomware are particularly attractive targets. Criminals have bills to pay, too.
Risk 6: Loss of Trust with Consumers
One of the longest-lasting and most pervasive forms of damage caused by a cyberattack is the loss of public trust. Reputational damage is difficult to quantify, but impossible to ignore. And providing a year’s worth of identity theft protection coupled with a statement assuring that “we take cybersecurity seriously” will not solve the problem.
Trust is difficult to build and incredibly easy to lose. In the corporate realm, that loss can lead to loss of customer relationships, increased insurance premiums, and public scrutiny and shame. In the military sphere, mission readiness and international cooperation may be irretrievably damaged. And in the political arena, a loss of public trust can lead to national instability.
Risks of Avoiding Continuous Cybersecurity Training: Takeaways
It is not a matter of “if” an organization is targeted by cybercriminals. It is a question of “when”. If an organization’s operations rely in any way on the Internet or technology, then it is a target. There is no immunity to cyberattack.
A continuous cybersecurity training program is the best long-term solution to combating cyberattacks and avoiding the consequences of being unprepared. Professional defenders must be empowered with the training and resources they need to protect against harm, be it theft, extortion, or worse.
It is never too late to invest in cybersecurity.
In fact, given the state of the world, no organization can afford not to.
[i] https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/
[ii] https://www.ncsl.org/research/telecommunications-and-information-technology/cybersecurity-legislation-2019.aspx
[iii] https://www.ibm.com/account/reg/us-en/signup?formid=urx-42215
[iv] Ibid.
[v] Ibid.
[vi] https://www.oceantomo.com/media-center-item/annual-study-of-intangible-asset-market-value-from-ocean-tomo-llc/
Contact Us Today, Defend Better Tomorrow.
Aries Security wants to help you prepare for tomorrow’s cyber threats. Our experienced and knowledgeable staff is here to guide you through the process of setting up your event, building your content, or installing your range. Contact us today.