Many businesses are sitting down right now to finalize budgets and lay out their plans and goals for the new year.
For those focused on creating a more formal cybersecurity approach to address cyber risk, I thought I’d share a few tips I’ve learned from years of helping people through the process.
There are many pitfalls to avoid. Anticipating them will not only improve your chances of success but also make getting there more efficient.
Let’s dig into these 14 common challenges and share some ideas on how to avoid them!
Lacking a Risk-Based Approach
Without a formal strategy, businesses are often left to take reactive measures or can become distracted by Fear, Uncertainty, and Doubt in media and marketing. I’ve seen this cause scattered approaches and neglect of important areas of risk.
Best practices suggest a strategy based on risk and prioritizing mitigation efforts. Being thorough can give you the visibility to make better decisions with time, energy, and budget.
Not Understanding Risk
Offices that don’t have a systematic way to capture and assess risk, based on likelihood and impact, are left to their best assumptions about where to focus attention.
A risk assessment basically tells you your starting point on the map as you work toward your cybersecurity goals. The more thorough you are and the better you understand your risks, the more effective you can be.
Not Following a Framework
It’s easy to miss an important step in your cybersecurity practices, and there are a lot of resources and templates out there that may not be complete. If your strategy is ever questioned to see if you “took reasonable measures to protect nonpublic information”, you’ll want to be able to point to something others recognize as ‘reasonable’.
The framework is the road you follow once you know your starting point. Cybersecurity frameworks are designed to guide businesses through a detailed list of security controls that make up recognized best practices.
Making Assumptions
I’ve seen many businesses make mistakes by cutting corners and making assumptions. Whether they assume something was set up correctly and don’t take the extra time to verify it, or assume something is low risk, it can lead to blind spots that come back to haunt you.
As you approach your cybersecurity practices, the people that have been most successful are very detailed and thorough in their work.
Missing Critical Details
As companies adopt cybersecurity practices, missing important details could mean something was not addressed properly or maybe compliance is being overlooked.
Make sure you are thorough in not just executing on your plan but also in how you are documenting it.
Poor Culture
Culture can make or break your attempts at addressing cyber risk. This can look like leadership not leading by example or not providing appropriate support for cybersecurity initiatives, employees looking for shortcuts to bypass security protocols, or overconfidence from IT. When the culture is lacking the right focus on cybersecurity, it can be an uphill battle and businesses are often stuck at the bare minimum of what they can do.
Focus on culture first and start from the top down. Have leadership explain why changes are being made and the potential impacts across the company if there were an attack. Teach staff how to be safer at home and help them build the security awareness that will carry back into the office. When your culture is more risk averse, you will have less resistance in the work ahead.
The Wrong Mindset
Thinking something is “Secure” can give people the wrong idea. There is always some level of risk, and never a 100% secure system. The wrong thinking can be misleading and open the door to surprises.
I can always tell a company is going to do well when I hear “I don’t know what I don’t know”. You need to continuously work on better understanding your risks and priorities.
Inadequate Budget
It’s not uncommon to lump cybersecurity costs into IT’s budget (assuming you have a budget at all). And, if you ask many IT leaders, their teams are often underfunded. Many businesses are still new to cybersecurity and may not even know where to begin to set appropriate expectations.
Use the knowledge of your risks to help understand the value of your investments based on their ability to remove, reduce, or transfer risks. Educate yourself about what to expect as your program matures over time and explore different solutions to understand your options.
Assuming Cybersecurity Is the Same as IT
IT is critical to the success of your cybersecurity program but, when IT doesn’t have a cyber resource, it can lead to issues. IT and Cybersecurity professionals can create checks and balances that keep the business on track with their goals across both functions and provide accountability across teams. When IT is left to both set up and test the environment for vulnerabilities or weaknesses, there can be unintended biases.
While there is a lot that overlaps, IT and Cybersecurity are very different. IT is about keeping systems up and running while driving efficiency. Cybersecurity is about risk mitigation, incident response and recovery, and data security compliance. Both have important roles to play, but it is important to make sure the right team is assembled with the appropriate skillsets. I often compare it to the difference between a general physician and a specialist: both are important, and each has a different role to play.
Saying but Not Doing
It’s easy to grab a template and be able to show you meet your requirements, but too many businesses have shown me policies and procedures that they aren’t actually following. This means that security practices aren’t really in place, and you are probably just as vulnerable as before you put your name on a template. And, if something happens, you would likely be looking at serious penalties for effectively lying about what you are doing to protect nonpublic information.
While templates can be a good place to start, a lot of work is needed to adapt them to your own environment and implement what they describe. It may take time, and there may be items that have to be addressed strategically throughout the year to align with priorities or other projects. Document whatever is not completed as you adopt a policy and procedure plan, and be clear about the goals for addressing those items so you can show your progress.
Thinking It’s a Quick, One-Time Project
Don’t assume that you’ll meet your requirements and be done. Too many offices find they did not have realistic expectations about how long it would take or the resources necessary to succeed. Many businesses have come to me thinking that they can complete everything in just a couple of months or that it’ll just be something that takes one pass through to succeed.
This is now and forever going to be a part of your business. Plan extra time in your first year because that is typically the most work. Future years can be faster because it may just be a matter of reviewing and updating things; however, it’s best not to leave even that to the last minute.
Not Having a Routine
Many people were busy before taking on a cybersecurity project, so they struggle when the additional workload starts to take a toll.
Find incremental ways to keep progress and avoid procrastination. Remember, it’s not a sprint, or even a marathon, it’s never-ending – so find manageable ways to keep momentum by breaking up the work into a cycle that covers the whole year to spread the effort out.
Missing Compliance
A lot of the businesses I’ve worked with only knew about part of their requirements, if even that. Data Security Laws and Requirements can come in many forms from the Federal or State governments, regulators, or even third parties that have standards set in their contracts with you.
As you begin understanding your risks in the early stages of your planning, also seek out requirements you have to make sure that you select the right framework and implement the appropriate best practices.
Doing the Bare Minimum
Meeting compliance requirements can mislead people into believing that they are safe from cyber-attacks. However, many requirements focus on the very basic practices that businesses probably should have been doing already. This typically means you could pass a checklist, but it does not mean you have established the proper level of risk tolerance for your organization.
Go beyond your data security requirements, both to be as secure as possible and to prepare yourself in case requirements tighten in the future. This world is still evolving, and it takes regular work to stay ahead. Avoid bare-minimum practices to protect yourself now and to save trouble as things change over time.
Resources to Help You on Your Journey
There’s a lot here and I intended to have this be a quick list you could skim through.
I’ve been sharing a lot of tips, guides, and resources that will help take this all further. I also work with businesses to help set them up for success whether they are just getting started or continuing to improve on their approach.
Here are just a few other items I recommend exploring to help you as you proceed (I have more I can share on-demand):
- Data Security Requirements for Insurance – A Short Guide
- Grab our Insurance Data Security Law Database to start researching your requirements
- Use this Risk Inventory Tracker as a starting point in understanding your risks
I offer a free initial consultation where we can speak more specifically about your current situation and goals. From there, I can recommend the appropriate path to get you where you want to be. Whether it be with my help or others I can connect you with, I’m happy to point you in the right direction.
I’m also working on some really cool programs to help agencies tackle their cybersecurity projects in 2025. If you are prioritizing cybersecurity this coming year, we should definitely talk before the end of the year about strategies to help you succeed!