As we go into 2023, corporate aposematism is a worthy consideration


Despite the endless information available on cyber security and ransomware, and despite technology providers waxing lyrical about breach prevention, the view that "it’ll never happen to us" is still prevalent -- not just among smaller businesses, but surprisingly in bigger organizations too.

So, when the breach actually happens and the bad actors demand a ransom, organizations’ reflex reaction is frequently to pay it as a way of "making it go away".

Sophisticated bot technology

Cyber criminals today don’t poll ports once every few days, weeks or months on the off chance that they might be successful -- they poll "at scale", quite literally thousands and thousands of times a second across tens of thousands of organizations, to exploit the smallest of vulnerabilities. These criminals are professional attackers with the most sophisticated skills and tools, and a dogged commitment to breaking through security defenses. Furthermore, bot technology is advancing rapidly, sometimes making it difficult to tell whether the interaction taking place is with a bot or a human.

Typically, it’s only after a breach that organizations start paying the level of attention that they should have paid in the first place. It’s easy to be wise after the fact! However, by that time the damage is well and truly done.

Organizations are always guarded about what caused the breach and why they had not taken the necessary measures to prevent the attack. But the impact of a breach is most definitely palpable and long lasting, if not terminal.

A few months ago, a large city firm suffered a very significant security breach. Whilst at the time there was no coverage of the attack, some months on there has been news about their financial woes and losses, legal injunctions, employee lay-offs, delayed payments to suppliers, and so forth -- at a time when their peer group is announcing record revenues. The impact of a security breach is crippling, financially and reputationally. A large majority of small to mid-tier organizations don’t even survive such incidents.

Employees tend to be the weakest link in organizations, which often leads to security breaches. One inadvertent click and the organization's crown jewels could be exposed. So, alongside secure processes and properly configured technology -- backed by ethical penetration testing -- the mantra has to be "education, education, education". And this cannot be a one-off; it has to be frequent and continuously improved.

Corporate aposematism

With the above in place, the way forward might be corporate aposematism. In the animal world, some species use defenses in the form of physical changes (such as color or the sudden appearance of spikes) and signals (such as spitting poison, making warning sounds, or emitting foul smells) as a way of warding off predators. The message is either that the species is not worth the effort of attacking, or that the attackers may themselves be caught.

Taking a leaf out of these animals’ book, organizations too need to display big, bold warning signs and send signals to cyber criminals that they are not worth the effort. There’s an element of "survival of the fittest" here: cyber criminals want to be successful quickly, so they typically exploit vulnerabilities that are under the radar of the security professionals in organizations. In addition to the more overt security measures, closing off what may appear to be the most irrelevant gaps will send a clear signal to the criminals that the company is sophisticated in its approach and that its cybersecurity is watertight.

The idea here isn’t to boast about security, but to show that significant work has gone into covering the security pitfalls, and therefore that the reward to bad actors is unlikely to be commensurate with their effort. The objective is deterrence, not a challenge.

It’s well acknowledged that a security breach is a matter of when, not if -- but strong, well-rounded security will in many instances mitigate a breach, and should one actually occur, the impact will be contained and minimized. As suggested by Gartner, every organization needs to build a culture of corporate resilience, especially as cloud adoption, data privacy laws and digital transformation initiatives evolve, creating even more complexity from a cybersecurity standpoint.

Image credit: Rawpixel.com / Shutterstock

Roy Russell is CEO, Ascertus Limited.


© 1998-2024 BetaNews, Inc. All Rights Reserved.