The world has a positive perception of security-aware individuals and tech companies. That’s why we often assume that they’re the entities most at risk, but this is a misconception. In fact, cybersecurity is more of a problem with public companies in particular, and that’s the case for many reasons.
Generally, public companies perform worse than many individuals who have lower budgets. Why? Take a look at these 4 reasons:
- Inert management/lack of oversight
- Outdated equipment
- Greater targeting
- Insufficient awareness
Public company management and workforce aren’t focused on cybersecurity as a possible point of loss. That means these attacks are more likely to happen to public companies, and more likely to succeed.
Additionally, while public companies have arguably engorged budgets overall, they would need to project for any expenses related to cybersecurity. That often includes larger amortization costs. The owner of the company (the public) is also less likely to accept these costs.
Here, we’ll divide the issues into technical and human, and see where cybersecurity is a problem with public companies.
Is Technical Cybersecurity a Problem with Public Companies?
Yes, it is. Public companies may employ senior security experts that are aware of all the issues, but these experts have diminished resources. They also usually cover way more ground than their private counterparts.
In 2018, public companies endured more than 67 attacks, according to analysis from the Center for Strategic & International Studies. Each attack caused a loss greater than $1 million, and the figures show a steep rise in both frequency and cost.
While none of the biggest security breaches in 2021 were of (entirely) public companies, many smaller attacks were.
In 2021, the number of these attacks jumped to 188. The most prevalent issue? Unauthorized access. Even though human errors enabled and finalized most attacks, many of them were still due to the technical solutions.
Sometimes, the solutions were outdated. Other times, the system had a bad setup in the first place. A good example is the case of the Singapore Hospital breach in 2018. In that story, many people had access to information, even those who should’ve never had it in the first place.
Let’s go over some reasons why cybersecurity is an issue for public companies.
In any network, data access hierarchies should be a major concern. It doesn’t matter if it’s a collection of individuals, a small business, or a public company. Data segmentation is necessary, and any cybersecurity expert will advise that each employee should only have access to information necessary for their work.
For public companies, that isn’t always the case. In many instances, all of the devices on one server have access to all the data on that server. Even worse, the companies don’t impose any significant restrictions. That makes each device on the network a possible point of impact (POI), and in turn, a risk.
In such cases, one unsecured wireless device, a small software exploit, and a disgruntled employee can put your whole system at risk.
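The access problem described above can be audited by comparing what each user or device can read with what its role needs. The following is an added example, not part of the original article; every role, principal and dataset name in it is hypothetical and the sample data is constructed.

```python
# Added example: least-privilege audit over constructed sample data.
# All role names, principals and dataset names below are hypothetical.

# What each role actually needs to do its job.
ROLE_NEEDS = {
    "billing_clerk": {"invoices"},
    "nurse": {"patient_records"},
    "sysadmin": {"system_logs"},
}

# Current grants: principal (user or device) -> (role, readable datasets).
GRANTS = {
    "alice": ("billing_clerk", {"invoices", "patient_records", "payroll"}),
    "bob": ("nurse", {"patient_records"}),
    "kiosk-07": ("billing_clerk",
                 {"invoices", "patient_records", "payroll", "system_logs"}),
    "carol": ("sysadmin", {"system_logs", "payroll"}),
}

def excess_access(grants, role_needs):
    """Map each principal to the datasets it can read but does not need."""
    findings = {}
    for principal, (role, granted) in grants.items():
        extra = granted - role_needs.get(role, set())  # unknown role needs nothing
        if extra:
            findings[principal] = sorted(extra)
    return findings

def tighten(grants, role_needs):
    """Return grants reduced to what each role needs (least privilege)."""
    return {p: (role, granted & role_needs.get(role, set()))
            for p, (role, granted) in grants.items()}

def exposure(grants):
    """Count how many principals can read each dataset."""
    counts = {}
    for _role, granted in grants.values():
        for dataset in granted:
            counts[dataset] = counts.get(dataset, 0) + 1
    return counts

if __name__ == "__main__":
    for who, extra in excess_access(GRANTS, ROLE_NEEDS).items():
        print(f"{who}: revoke {', '.join(extra)}")
    print("readers per dataset now:  ", exposure(GRANTS))
    print("readers after tightening: ", exposure(tighten(GRANTS, ROLE_NEEDS)))
```

The reader count per dataset is the number of accounts or devices whose compromise exposes that data, so the drop after tightening is the reduction in possible points of impact.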
Outdated Hardware and Software
Regular updates are a cornerstone of cybersecurity. While companies can’t always update the moment the new stable version is out, they should still manage their updates at least monthly. In the online world, even a few hours can make a difference between being secure and being a victim.
Contrary to that rule, public companies often work on an administrative schedule, updating their software quarterly in the best case. Many update only annually, which is even worse. When it comes to hardware, the situation is worse still: most of their equipment is older than five years.
Such old hardware and software usually have already established exploits. Cybercriminals already know the ways to hack them, which makes the number of attackers who can do harm significantly larger.
Still, most issues are due to human error.
Human Error Is Common
The easiest way to hack any company is to hack customer support. Acting out a sob story is less demanding than finding a software exploit. Cybercriminals can also exploit the human element in many other ways!
These issues aren’t unexpected given the increasing workload for these outreaching positions. That’s why we can’t place the full blame on the employees. Yet, we can’t deny that the problems they cause also have repercussions.
Public companies often connect emails and platforms to their main server. This way, a simple phishing attack on someone who opens dozens of emails each day can spell disaster for the entire company.
The cybersecurity landscape changes constantly. Given the surge in AI, IoT, and cyber warfare, all entities need to stay vigilant, public or private.
Regretfully, negative selection riddles public company management. In fact, many managers receive promotions because of their good relations with high-ranking individuals, not their expertise. A manager’s cybersecurity knowledge comes after their friendship with the municipality, state, or county.
The managers also need to explain to the public that the cost of cybersecurity is on the rise, so they simply decide not to make the expense and hope for the best.
Public companies rarely consider cybersecurity as a cornerstone for operations. That’s why they often lack recruitment for cybersecurity positions. In turn, this makes the companies more vulnerable to attacks.
In most cases, the system administrator only has to keep the network running. This doesn’t leave openings for a good cybersecurity strategy and its implementation. We also don’t hear about any exceptions, because they aren’t under attack.
Finally, most senior cybersecurity advisors will also stay clear of public companies because they have this perception. As a result, public companies lack the expertise to be proactive about the newest threats. They also can’t react if a new issue arises.
The Final Word
Between 2016 and 2021, the number of successful cyber-attacks on public companies increased by over 400%. Right now, it’s also costing municipalities, states, and the Federal Government over $200M each year on average.
These cyberattacks happen for human and systemic reasons, but the implementation of proposed solutions isn’t near. That’s why individuals and companies need to be mindful of the data they share with public companies.
Ideally, you should consider any and all data sharing as a liability. You should also only share the information that is completely necessary for everything to function.