Companies Must Commit to Mastering the Basics to Strengthen Their Cybersecurity Posture

The cyberthreat landscape is highly complex and always evolving, and cybercriminals are becoming only more creative and sophisticated with their tactics. As explained in our 2018 Security Threat Report, companies today face a monumental challenge in trying to keep pace with these dynamics, safeguard their critical systems and data, and protect their employees, customers and partners.

Among the many businesses struggling to navigate this landscape are consumer-products and consumer-services companies. They are key targets for adversaries because of the sensitive customer information they handle and the intellectual property (IP) they generate. Recent headline-grabbing cybersecurity incidents involving businesses in this sector include:

Incidents like those described above have everyone – from chief information officers and other executive-level management to boards of directors – more focused than ever on identifying and addressing cybersecurity risks. Yet consumer-products and consumer-services companies are still making slow progress in their efforts to improve their security posture, primarily because of the following reasons:

  1. They are exposing themselves to known threats for which there are known solutions.

Protiviti’s 2018 Security Threat Report notes that most vulnerabilities can be remediated and/or are the result of systems and applications not being patched. However, companies often put off patching because they don’t want downtime to undermine productivity and profitability.

Adversaries are wise to this bad practice, however. For example, the WannaCry ransomware, which affected tens of thousands of systems in more than a dozen countries when it first emerged in 2017, took advantage of the fact that companies often take weeks or longer to implement known security updates.

  2. They believe that major cyber incidents “won’t happen to us.”

Even when companies in their own industry suffer a major cyberattack, the leaders of many organizations continue to believe that their own business somehow does not face exposure to the same risk or won’t be targeted. That attitude — call it naïveté, overconfidence or blind hope — is inexplicable but common.

  3. They operate in a reactive mode, ramping up efforts to improve cybersecurity and address basic vulnerabilities and other security gaps only after an attack occurs.

Not every attack can be prevented, of course. But if organizations are stuck in a firefighting mode, acting only when faced with a crisis, they’ll never have the resources to manage known threats effectively, let alone be prepared to respond and recover swiftly when hit with something entirely new.

  4. They treat cybersecurity like a project.

While it’s essential for organizations to shore up their defenses in response to specific threats, they must also recognize that winning one battle does not necessarily win the war. Cybersecurity is not a project. It is a never-ending campaign to stay in step with adversaries and, wherever possible, anticipate their next move — all while protecting the business’s so-called crown jewels.

If companies want to make progress toward improving cybersecurity, they must be proactive (and realistic) about the need to fortify their defenses, let go of the project mind-set and renew their focus on the basics — in American football terms, the blocking-and-tackling issues related to cybersecurity. That includes the following:

  • Prioritizing high-risk patches: The lag between the time a critical patch is issued and the time the organization’s IT team tests changes and schedules and executes the update must be reduced to the greatest extent possible.
  • Using multifactor authentication: Maintaining strong permission and user-access controls, like multifactor authentication, helps significantly reduce the attack surface for malicious actors.
  • Implementing security segmentation: Segmentation is vital to protecting critical data if access controls are compromised. (Note: Regulators now expect firms to practice data segmentation.)
  • Refreshing incident-response and incident-recovery plans continuously: A key reason most postbreach business-continuity plans fall short of expectations is that they’re outdated. So, don’t just set it and forget it.
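The first basic above, reducing the lag between a patch being issued and it being applied, is easier to act on when the gaps are ranked rather than listed. The following is an added example, not code from the Protiviti post; it runs a simple patch-lag triage over a constructed host and advisory inventory, with hypothetical SLA values per severity tier, so that critical gaps on the most sensitive systems surface first.

```python
"""Patch-lag triage over a constructed host/advisory inventory.

Added example (not from the original post). For every patch a host is
missing, compute how long it has been outstanding, compare that lag with
a per-severity SLA, and rank the gaps so the highest-risk ones are the
first to be scheduled.
"""
from dataclasses import dataclass
from datetime import date

# Hypothetical SLA policy: maximum days a patch of each severity may stay
# unapplied before it counts as overdue. Values are assumptions.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Advisory:
    patch_id: str
    severity: str
    released: date


@dataclass(frozen=True)
class Host:
    name: str
    tier: str            # business tier: "crown-jewel" or "standard"
    installed: frozenset  # patch ids already applied on this host


def patch_gaps(hosts, advisories, today):
    """Return one record per (host, missing patch), highest risk first.

    Ordering: severity, then crown-jewel hosts before standard ones, then
    the most overdue gaps first. Python's sort is stable, so ties keep
    inventory order.
    """
    gaps = []
    for host in hosts:
        for adv in advisories:
            if adv.patch_id in host.installed:
                continue
            lag = (today - adv.released).days
            gaps.append({
                "host": host.name,
                "patch": adv.patch_id,
                "severity": adv.severity,
                "lag_days": lag,
                "overdue_days": max(0, lag - SLA_DAYS[adv.severity]),
                "crown_jewel": host.tier == "crown-jewel",
            })
    gaps.sort(key=lambda g: (SEVERITY_RANK[g["severity"]],
                             not g["crown_jewel"],
                             -g["overdue_days"]))
    return gaps


def overdue(gaps):
    """Only the gaps that have already breached their SLA."""
    return [g for g in gaps if g["overdue_days"] > 0]


# Constructed sample data (not real advisories or hosts).
ADVISORIES = [
    Advisory("PATCH-001", "critical", date(2018, 3, 1)),
    Advisory("PATCH-002", "high", date(2018, 3, 10)),
    Advisory("PATCH-003", "low", date(2018, 1, 15)),
]
HOSTS = [
    Host("erp-db", "crown-jewel", frozenset({"PATCH-003"})),
    Host("kiosk-07", "standard", frozenset({"PATCH-001", "PATCH-002"})),
    Host("hr-web", "standard", frozenset()),
]
TODAY = date(2018, 3, 20)

if __name__ == "__main__":
    for g in patch_gaps(HOSTS, ADVISORIES, TODAY):
        flag = "OVERDUE" if g["overdue_days"] else "within SLA"
        print(f'{g["host"]:<9} {g["patch"]} {g["severity"]:<8} '
              f'lag={g["lag_days"]:>3}d {flag}')
```

In the sample run the critical patch missing on the crown-jewel database ranks first, twelve days past its SLA, while the low-severity gap on the kiosk sits at the bottom and is still inside its window; the point is that the schedule is driven by risk and elapsed time, not by whichever host happens to be easiest to take down for maintenance.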

  5. They fail to train the workforce.

Organizations should redouble their efforts to build employee awareness about threats, such as phishing, and the danger of poor practices, like using weak passwords, through cybersecurity education and training. Protiviti offers an IT Security Awareness Training Library for businesses to equip their employees with information to help them keep data and devices secure.

Critical Steps Toward Building a Successful Digital Future

Consumer-products and consumer-services companies, whether they are traditional or born-digital businesses, need to create and maintain a solid cybersecurity foundation to support their digital future. Mastering the basics of cybersecurity by taking the steps outlined above, as well as others relevant to their business, is vital to shoring up defenses and building cyber resiliency.

But businesses also need to keep one eye to the future and look for opportunities to build in security processes and best practices that can help them prepare for trends and regulations that may not affect them directly today but likely will do so in the future. (The European Union’s General Data Protection Regulation (GDPR) is one example.) And it is particularly important for consumer-products and consumer-services companies to focus on strengthening data privacy and security as they seek to use more and more data to enhance the customer experience and deepen customer loyalty.

With these challenges in mind, we intend to follow up this discussion with future blog posts relevant to the industry, including taking a look at how GDPR is impacting U.S. colleges and universities — many of which were caught off-guard by the new requirements. Subscribe to stay abreast of these future discussions.

Richard Childs

Managing Director
Consumer Products and Services Industry Leader
