
The Anatomy of a Cyber Attack: Lessons from the Front Lines

Here’s a quick story that will send shivers down the spine of every CEO.

Years ago, a promising tech company hired us to revamp its email security. It didn’t take long to uncover several troubling security flaws, which we urged them to fix immediately. The company had just secured $20 million in funding to support a new product launch, an incredible achievement for any startup. However, their focus was strictly on product and they didn’t want to spend the money it would take to really secure their system. They agreed to take some of the basic steps we recommended, but opted out of resolving the larger security vulnerabilities.

Just days later, the company’s COO boarded a flight from Tokyo to Chicago. While their plane was still in the air, the COO’s team received an email from them with instructions to wire $10 million to a new vendor. Being a fast-paced startup team, the finance team quickly jumped on the request. It took over 48 hours for anyone to realize what had happened. The COO hadn’t sent the email. There was no new vendor. And that $10 million? It was lost to some very sophisticated scammers.

The company was left reeling from the attack, but its troubles were far from over. Without a robust cybersecurity infrastructure in place, it was ill-equipped to investigate the incident and uncover what really happened. This is where the importance of being able to “tell the story” of a cyberattack comes into play.  

 

Reconstructing the Narrative

 

To uncover the truth about the attack, we partnered with experts who could sift through the company’s systems line by line. Their fee was $1 million—payable immediately. So, in a matter of days, this company lost more than half of its funding.

These digital detectives worked around the clock to reconstruct the narrative of this attack. As it turned out, hackers had accessed the company’s email system and monitored conversations for a long time. They knew the COO’s travel schedule and picked a moment to strike when they knew the COO would be unreachable. With no protections in place, the company was helpless to defend itself.

Many organizations wouldn’t have survived such a significant blow, but this company was more fortunate. It did survive and, ultimately, went on to thrive. But, within a year of the hack, the founders and the entire leadership team were replaced.  

 

Three Takeaways for Business Leaders

 

This story isn’t just a plug for my team; it’s a real-life example of the potential costs when a company neglects its cybersecurity responsibilities. It’s easy to put your security last on your organizational roadmap, but with threats increasing at an alarming rate, business leaders must respond with strategies that protect their organizations’ assets. While most companies won’t experience the kind of losses our client did, their experience still offers valuable lessons business leaders can use as guideposts as they examine their cybersecurity position. Here are a few to consider:

 

1. You May Not Understand Your Actual Risks

It’s common for business leaders to misunderstand their cybersecurity risk level or, worse, mistakenly believe their systems and processes are stronger than they really are. However, attacks have become so sophisticated and multilayered that it’s shockingly easy to get caught up in them. 

In the example I shared, the tech company believed their vulnerabilities were limited to a single layer: email. And while the attackers used the company’s email system to gain information, they relied on another tactic called social engineering to execute the heist. This approach relies on manipulation, influence, or deception to exploit human vulnerabilities by tricking people into revealing sensitive information or taking actions that compromise security. In this case, it was an email from a trusted supervisor sent at precisely the right (or wrong) time.   

Business leaders must understand that threats exist throughout an organization, both within its computer systems and among the humans that use them. An effective security program maps an organization’s risk profile, aligns resources based on risk tolerance, and creates solutions that address all the elements in play.

 

2. Upfront Costs Are Not a True Representation of Value

In the same way business leaders misunderstand their cybersecurity risks, they also underestimate the actual value of an effective cybersecurity program. Most organizations classify cyber IT as a capital or overhead cost that accounts for somewhere between 3% and 5% of a typical company’s annual budget. While these expenditures don’t drive profit, they hold value and can protect organizations from incurring even higher costs.  

I was reminded of this a few years ago when I unexpectedly ran into a customer while I was vacationing. During our conversation, he told me, “I always thought security was a waste of money until we had to use you guys for real.” 

He explained that his company had recently received a seemingly legitimate email from one of their current vendors requesting a change in bank account details for payments. The company followed its verification procedures and transferred a significant amount of money to the new account. A few days later, they realized the email was fraudulent and someone had stolen the money. 

The company’s cybersecurity insurance repaid the lost funds minus a 10% deductible. But because they were an edgefi client, we were able to review the interaction and prove that the vendor was responsible for the breach. Our client took this information to their vendor, who agreed to cover the deductible costs. That added value will never be reflected in an IT budget spreadsheet. 

Now, take that idea a step further. How does a financial institution quantify its loss of member trust after it experiences a security breach? How does a legacy brand price its tarnished reputation after customer data ends up on the dark web? Recovering from these challenges is certainly possible, but you’ll need a lot of money to throw at the problem. How much? That’s also impossible to predict.

That tech company I spoke about earlier balked when it came time to address its email security because it didn’t recognize the value in the upfront cost. However, if leadership had the power to go back in time, I’m confident they would have gladly paid twice as much to preserve their positions within the company and avoid such a staggering loss.

 

3. Action Always Beats Inaction

So why don’t more business leaders prioritize cybersecurity? As with most things, it comes down to time and money, which are very limited resources in most work environments. Leaders are already booked to the brim and asking their employees to do more than ever. They barely have the time to do their core work, let alone take on a problem as significant as cybersecurity.

Some business leaders are also afraid of what they’ll discover after finally getting serious about addressing their cybersecurity needs. So, instead, they prefer to keep their heads buried in the sand, hoping for the best. As a longtime executive myself, I get it: not thinking about it means less to carry on your mind – but waiting will likely create major headaches (and more) at some point in the future.

Ultimately, deciding to do nothing is a choice to accept the maximum risk. So, if you’re a business leader who knows they need to get their cybersecurity house in order, taking one step—any step—in the right direction is always the safest move. The tech company’s experience, for example, shows us that inaction can be fatal. 

 

Crafting Your Cybersecurity Story: A Proactive Approach

 

Every company has its own cybersecurity story to tell. Some will be dramatic tales of great loss and challenges overcome, like our client. While those stories are exciting to read, nobody wants to experience them firsthand. Instead, you want your story to be uneventful because you were wise and proactively addressed your cybersecurity needs.

Okay, you’ve heard the horror story, and now you’re probably asking, “Where should I begin?”

  • Get honest about your risks. Bring in experts who can provide the complete picture of your vulnerabilities through comprehensive risk assessments and penetration testing. 
  • Look past the initial price tag. The cost of building a cybersecurity infrastructure will almost always be less than the cost of recovering from a breach. This doesn’t mean jump on your first quote. Make a calculated decision, with a trusted vendor, at a reasonable scope.
  • Create a bias towards action. Doing nothing is the riskiest path. Even the smallest steps forward can create momentum for significant change. I can’t stress this enough.

 

If you’re not sure where to start, I always love helping other executives get momentum around their security posture (and swapping a story or two). Don’t hesitate to reach out!
