Penny Wise Pound Foolish Organisations for Cybersecurity Protection

When Experts Meet Experts (WEME) – Eugene Chung

With the advent of the internet, technology innovation and the increased use of mobile applications for online transactions, technology has become such an important part of our daily lives that our mobile phones are a necessity we cannot do without. As such, the rampant disruption of online services indicates that more protection and governance should be put in place to minimise DoS and DDoS attacks, that is:

  • A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it inaccessible to its intended users. DoS attacks accomplish this by flooding the target with traffic, or by sending it input that triggers a crash.
  • A Distributed Denial-of-Service (DDoS) attack is the distributed form of the same attack: the attacker uses many sources at once (typically a botnet of compromised machines) to flood a server with internet traffic, preventing users from accessing the connected online services and sites. Because the traffic comes from many addresses, it is much harder to block at the source than a single-origin DoS.
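The practical difference between the two definitions above shows up in the access logs: a single-source DoS is one address dominating the request rate, while a DDoS spreads the same flood across many addresses. The following Python script is an added illustration, not code from the original article or from ArmourZero, and it uses constructed access-log lines (RFC 5737 documentation addresses) with illustrative thresholds (50 requests per second as a "flood", 80% from one address as "single source") that a real deployment would tune to its own baseline.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Combined-log-format line as written by nginx/Apache access logs.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return (source_ip, timestamp) for one access-log line, or None if it does not parse."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts


def classify_peak(lines, window_s=1, flood_threshold=50, single_source_share=0.8):
    """Bucket requests into windows of window_s seconds and inspect the busiest window.

    A window with at least flood_threshold requests is treated as a flood; if one
    source accounts for at least single_source_share of it, the pattern looks like a
    single-source DoS, otherwise like a distributed DDoS. Thresholds are assumptions
    for illustration, not recommended production values.
    """
    buckets = defaultdict(Counter)  # window index -> requests per source IP
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of crashing the detector
        ip, ts = parsed
        buckets[int(ts.timestamp()) // window_s][ip] += 1
    if not buckets:
        return {"verdict": "no-traffic", "requests": 0, "sources": 0, "top_share": 0.0}
    _, counter = max(buckets.items(), key=lambda kv: sum(kv[1].values()))
    total = sum(counter.values())
    top_ip, top_n = counter.most_common(1)[0]
    share = top_n / total
    if total < flood_threshold:
        verdict = "normal"
    elif share >= single_source_share:
        verdict = "dos-single-source"
    else:
        verdict = "ddos-distributed"
    return {"verdict": verdict, "requests": total, "sources": len(counter),
            "top_source": top_ip, "top_share": round(share, 2)}


def make_lines(ip_counts, ts="10/Oct/2023:13:55:36 +0000"):
    """Construct synthetic log lines: ip_counts maps source IP -> requests in one second."""
    return [f'{ip} - - [{ts}] "GET / HTTP/1.1" 200 512'
            for ip, n in ip_counts.items() for _ in range(n)]


# Constructed scenarios (not real traffic), all landing in the same one-second window.
NORMAL_LINES = make_lines({f"192.0.2.{i}": 2 for i in range(1, 6)})  # 10 requests, 5 sources
DOS_LINES = make_lines({"203.0.113.5": 95, **{f"192.0.2.{i}": 1 for i in range(1, 6)}})  # 100 requests, one dominant source
DDOS_LINES = make_lines({f"198.51.100.{i}": 1 for i in range(1, 121)})  # 120 requests from 120 sources

if __name__ == "__main__":
    for name, lines in (("normal", NORMAL_LINES), ("dos", DOS_LINES), ("ddos", DDOS_LINES)):
        print(name, classify_peak(lines))
```

The verdict matters operationally: a single-source flood can be handled with a firewall rule or rate limit on that address, whereas a distributed flood needs upstream filtering or a scrubbing service, which is exactly the kind of protection the article argues organisations should budget for before the incident rather than after it.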

The threat of cyberattacks is growing so quickly that far more needs to be done to educate businesses and users about the risks, in order to prevent the widespread damage and disruption that cyberattacks and incidents cause.

Ransomware attacks against utilities and infrastructure service providers, production facilities and hospitals have shown cyberattacks can have very real consequences for people and organisations being denied access to vital goods and services for days, weeks and months.

The most worrisome fact is that, despite the risk posed by cyberattacks, many businesses and their boardrooms still do not fully understand the threats they are facing from cybercriminals and how best to defend their networks against them. "Do not fully understand" is an understatement. In my opinion, a good number of businesses do not really care, and (high) cost is factored into their complacency. Unfortunately such ignoramuses are a dime a dozen. Common and stupid questions asked of the CIO/CISO/CTO include: "Why should we be spending such large amounts of money on expensive cybersecurity solutions when we have NOT been compromised before? When was the last time we were DoSed?" (If the answer is "never" or "a long time ago", the proposal is rejected.)

It is not uncommon for cybersecurity not to be ingrained into everyday operations: employees are only asked to think about it during yearly cybersecurity training, leaving companies at risk from cyberattacks. The conclusion is that most of the education and training done so far has been ineffective, and organisations need to look into building a cybersecurity culture with their employees. That is the recommendation, but such an initiative will be an uphill battle, and actively involving employees is a real challenge.

Cyberattacks, or hacking, are not just about stolen personal information or bank details. The reality is that cyberattacks are far more damaging and costly: incidents ranging from ransomware attacks to data breaches and business email compromise (BEC) scams can cost organisations thousands, if not millions. Such incidents are inevitable, and as critical infrastructure and vital services become increasingly connected to the internet, there is the additional risk of cyberattacks causing widespread disruption. Imagine for a moment that a city's power grid is cut off, and push the imagination further: the electricity is down not for a short period of 30 minutes or an hour, not even a day, but for a few days to a week or so. The entire city (pick any, such as New York, London, Paris, Sydney or even Kuala Lumpur) would be in chaos: the city in darkness when the sun goes down, hospitals and public transport disrupted, traffic chaos, no air conditioning in hot countries, no heating in cold ones. A total disaster. Ukraine experienced power outages in the dead of winter because of cyberattacks, and Russia was top of the list of suspects for initiating that cyberwar.

As stated, alongside the advances in IT there is the rise of the Internet of Things (IoT), which means basic appliances and sensors are connected to the internet. If they are not secured properly, they become yet another loophole through which cyberattackers can penetrate networks.

Stuart E. Madnick, Professor of Information Technology and Engineering Systems at MIT Sloan Executive Education, puts it this way:

"Almost every product, except a brick, will have a computer in it, so the number of devices that can be cyberattacked is increasing exponentially."

Back to the 6 million dollar statement that we know so well:

Bosses are reluctant to spend money on cybersecurity. Then their organisations get hacked.

This old-school management does not seem to understand that preventive measures against cyberattacks are more cost effective than reacting to one. I have ranted on this many times: many businesses are not willing to spend on cybersecurity protection because such preventive measures are viewed as additional cost, and then, in an I-told-you-so moment, those businesses have to spend far more recovering from a cyber incident after they have been hit with ransomware.

I am baffled that cyberattacks like ransomware, business email compromise (BEC) scams and data breaches are some of the key issues businesses face today, yet despite the number of high-profile incidents and costly fallouts, many boardrooms are still reluctant to invest in the cybersecurity measures necessary to avoid becoming the next victim. I am perplexed. I am further dumbfounded that the top guns of organisations are ignoramuses, or just plain dumb (?), to ignore the fact that the cost of falling victim to a major cyber incident like a ransomware attack can be far higher than the cost of investing in the people and procedures that prevent incidents in the first place, something many organisations only realise after it is too late. A costly slap, or egg(s) on their faces.

Realistically, no one and no organisation wants to spend unnecessarily, but being a scrooge about it amounts to being penny wise, pound foolish: careful about small amounts of money but not about large amounts, a phrase used especially for something done to save a small amount of money now that will cost a large amount of money in the future. Plans to cut funding for cybersecurity protection solutions are penny-wise and pound-foolish.

Let us just look at the damage, or costs, when an organisation is hacked. An organisation may end up paying millions of dollars to ransomware criminals for the decryption key to an encrypted network, and paying does not even guarantee a working decryptor or that stolen data will be deleted. Do not forget the additional costs of investigating and remediating the incident and restoring the IT infrastructure for the whole business afterwards. In the absence of cybersecurity insurance, the ransoms organisations are paying could instead have paid for cybersecurity professionals. Also note that cybersecurity insurance premiums are rising, resulting in higher costs across the board for organisations.

In conclusion, personally I would like to see these complacent, ignorant organisations get hacked and blackmailed with ransomware, and then, with their tails between their legs, no doubt blame their IT departments for the damaging incidents, when it is the Boards of these organisations that are guilty of their unfounded reluctance to implement much-needed and valuable cybersecurity protection solutions. They are the ones who have their heads in the clouds, and they should be trained and educated from cybersecurity kindergarten level right up to advanced levels. Train the founders, CEOs, Managing Directors, Executive Directors and Boards of Directors: top down rather than bottom up.
