Brian NeSmith is the CEO and co-founder of Arctic Wolf Networks, a leading SOC-as-a-service company, based in Sunnyvale, CA.
Breaches of Equifax, HBO and Uber made headlines in 2017, and 2018 will have its own share of high-profile breaches. As the threat landscape continues to evolve, cybercriminals are becoming more creative and expanding their attack vectors. The industry spends billions trying to protect against every imaginable threat, but experts tell you that, no matter how much you spend, it’s never enough.
The mistake most companies make is that they focus solely on security products, thinking: “If I have this product, then I am safe.” The reality is that a security product focuses on only one attack vector (e.g., email), but you need to think about more than just email to truly be safe. But where to start? There is an endless supply of products and services available for every known vulnerability and attack vector a company could possibly have. In other words, without knowing better, a company could spend everything down to its last dime on cybersecurity.
Which raises the question: If not in security products, how else should you beef up your cybersecurity posture?
Focusing On Prevention Is Not Enough
Cybercrime today is rampant, and businesses must be pragmatic about the threats they face. “It’s not a matter of if but when” is a common industry warning to companies about the dangers they face of being breached. The truth, however, is even more sobering. “When” has come and gone — there’s a good chance you’ve already been compromised, and you need to find the breach.
To do so requires shifting from a preventative mindset to one centered on threat detection and response and allocating your cybersecurity budget accordingly. Spending in this area is already a top priority for many organizations.
Imagine your IT network as a human body. To stay healthy, people often turn from one fad diet to another — Atkins, to South Beach, to Paleo, to whatever comes next. The result? In the long run, they’re not much better off than when they started. That’s largely been the approach of many companies to cybersecurity. They’ve moved from one preventive security product in vogue to the next — including gateway, endpoint and firewall products — yet still struggle to meet the challenges posed by the latest cyber threats.
Just as diets can give people a false sense of wellbeing, relying entirely on prevention-focused products gives companies a false sense of cybersecurity. For people, there are sometimes underlying health issues and diseases only a doctor can diagnose. The same goes for corporate security.