Three Ways Organizations Can Improve Their Cybersecurity Posture Without Spending Money

Published on January 31st, 2023


Fene Osakwe is one of Africa's most sought-after cybersecurity advisors.

From my observations over the years, I've found that when thought leaders, consultants and industry experts give advice, recommendations or opportunities for improvement to companies in regard to cybersecurity, it almost always seems to be about what the organization should "establish," "purchase" or "implement." It's just something to "do."

This can be a turn-off for many executives, as it just seems to be an endless expenditure on cyber—and there's still the conversation about how to measure the return on these huge cyber investments. This made me think: Are there some things organizations need to stop doing to improve their cybersecurity posture? Must it always be about something to start doing? In my experience working with other professionals, I've found there are three things that organizations can stop doing to improve their cybersecurity. In my usual style, I will make this short and very easy to understand for both technical and nontechnical audiences.

1. Stop believing the "silver bullet" technology hype. Technology is great, but buying a new tool or investing in that new solution does not guarantee improvement in your cyber posture. There is no technology that represents a "silver bullet utopia" to cybersecurity risk, and indeed, employees and suppliers alike can unwittingly undermine almost every technology. Reliance on technology alone can leave companies open to risk—which can only be properly managed through a combination of people, processes and technology operating in harmony.





2. Remove the options. Sometimes, this is where the problem is. There is always the thinking that if you hired one more person, bought one more tool, went for one more training or had an extra $100,000 in your budget, then you would automatically improve the cybersecurity posture of your organization. However, that might not be the case. Instead, force yourself to remove the options available and consider what you might do despite the limited options. For example, ask yourself what you would do if you eliminated hiring as an option and were forced to operate an entire security program with no additional hires in 2023. By removing the obvious choices, you would need to consider alternatives. Would you get unpaid interns? Would you reframe responsibilities? Would you automate some tasks? Are there certain activities you would simply stop altogether?

3. Stop trusting employees and third parties too much. A company I consult for recently did some layoffs across about nine countries, which affected 20% of its workforce. Based on the contracts it had with these employees, it was required to pay three months' salary in advance for letting the employees go without notice. While the entitlement had been paid in bulk and the employees could stop working immediately, I was shocked to see that the HR notices to these employees gave them the option to stay on for those additional three months if they still desired to work. What the HR executive didn't understand was that the company had just made 20% of its workforce disgruntled yet still gave these employees access to continue their "work" after paying them.

The amount of harm that can be done is unquantifiable. It can come in the form of data exfiltration, backdoors, collusion and so on. Even worse, the company had not made any compensating controls or even a scenario analysis of the potential risk this posed. A 2016 IBM study found that 60% of cybersecurity breaches are carried out by insiders. Insider threats are insidious and can stay hidden for a long time.

I wish you a cyber-resilient 2023.


Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.

