First, one of the top issues companies must contend with is that many of the cybersecurity problems they are tasked with fixing are backward-facing, based on major issues of the past. That leaves the door wide open for innovators on the adversarial side.
Whichever issue brings a company the sharpest criticism from the public, the most attention from regulators or the most worry from its board, that’s what will get the focus internally, including from executives who hold the budgetary purse strings. In Facebook’s case, its security efforts have been especially laser-focused on election-related “fake news.”
The same is true at all big institutions with a target on their back for criminal attackers. Cybersecurity executives in the health-care, logistics and shipping industries, have told CNBC they are putting a significant portion of their attention to ransomware mitigation and disaster planning, following the WannaCry and NotPetya ransomware-worm attacks launched last year.
In the same vein, cybersecurity insiders at a range of top finance firms have told CNBC in the past year that they have put an exceptionally heavy emphasis on spinning up projects to prevent another breach like that which struck Equifax in September 2017, at the behest of boards and shareholders. Those initiatives typically include putting a huge focus on the public response plan for a data breach and reconsidering how these companies patch their systems en masse.
Of course, in 2017, Equifax itself was focused on something else before its massive breach: Chinese spies, one of the headline cyberattack concerns of 2015 and 2016.
All of these cyber-issues are important to address, but it is also important to give equal focus to forward-looking matters. That’s because criminals, trolls and other malicious actors aren’t constrained by a company’s yearly budget allocation meeting and quarterly reporting schedule.
Criminals, by contrast, can pivot strategies on a whim. And in some ways, they are just as mindful of what the Facebook CEO might need to do and say to please his shareholders and board as is Zuckerberg himself.
“This is a really serious security issue and we are taking it very seriously,” Zuckerberg said.
Undoubtedly companies may be “serious” about security, but criminals are serious about working around it. And for that, it may be time for rethinking how companies are held accountable for breaches, and how they should look to keeping more secure in the future.