My son, the hacker, and the lessons I learned 

Dec 10, 2024 | Ihloom General

Despite the thousands of cybersecurity products on the market today, most business leaders do not understand their true cybersecurity risk or who their potential attackers are. Most think they’re not much of a target at all. They understand that they have to budget for certain protections such as antivirus or firewalls, but once they’ve metaphorically locked the doors and windows, they think they are done. In fact, this lack of understanding of the true risk and who the attackers are is driving complacency, ineffective spending and financial losses. 

2024 is on track to be the costliest year for cybersecurity-related incidents. Official reporting from the FBI shows that in the US, losses grew from $3.5 billion in 2019 to $12.5 billion in 2023. This year we saw an Illinois hospital permanently close because of ransomware and countless high-profile incidents like MGM Casino, Caesars Palace as well as AT&T and Change Healthcare. This week we learned the seminal brand Stoli Vodka has filed for bankruptcy, due in part to a ransomware attack. But we also know thousands of small organizations were impacted, like the small law firm in Connecticut described in a Reddit account, which closed its doors forever after 30+ years in business.

 As a leader, if you don’t understand the underlying problem, you’re unlikely to fully address it. I’m reminded of this every day in my own home life. I assumed protecting my kids from the dangers of the Internet would be relatively easy for me compared to my friends and non-technical counterparts. I know all the tools and how to set them up to filter Internet content and control my devices. In much the same way that businesses fail to understand their risks and adversaries, I had failed to account for my son’s determination, ingenuity and resources (knowledge, Internet and time). He consistently and repeatedly circumvented the limits and systems I had put in place. 

In 6th grade we gave my son a smartphone. We wrote up a contract about responsibility and acceptable use and the risks posed by social media and the Internet. Additionally, we set up parental controls to limit apps, inappropriate content and the amount of time he could spend on different apps and sites. Lastly, I had put a business-class firewall in my home to filter and control the Internet. I was busy congratulating myself and pitying the fools who weren’t as smart as me. I had secured my home technology kingdom, and I thought I was done!

The first thing he did was realize that if he embedded URL links in Google Docs, which was allowed because he needed it for school, he could open whatever links he wanted in an embedded browser window that would circumvent the parental controls and time limits in place. Next, he realized I had no way of controlling the hotspot on his phone. So, he would connect his computer or our TVs to his hotspot to get around all of my limits. As I ran around scrambling to patch the holes, he continued to find the “bugs.” One day after checking his screen time reports I noticed he was spending a lot of time with the Files app, the program used to browse and open documents on the iPhone. Apparently he had figured out that by embedding URLs in the Files app, he could again circumvent my controls. Lastly, he realized that he could cover his tracks by deleting incriminating files on his phone and then restoring them from the trash when he wanted to access them. He could continue to do this as long as he restored them within the 30-day permanent deletion retention period.

 There is a great talk published on YouTube that I highly recommend for business leaders. It’s only 30 minutes and if you watch it at 2x speed, like my children would, you could get through it in only 15 minutes. In the video researcher Selena Larson tries to dispel the misguided focus of businesses and cyber professionals on APT or government threat actors as the greatest risk. She argues that this is a distraction and provides a false sense of security. She describes a criminal ecosystem that supports both government and non-government threat actors working like any legitimate industry driven by money and endless opportunity. As we learn about the illicit ransomware industry, we learn that it doesn’t matter what type of business you are or how small or large you are, you are a target of equal significance to this criminal industry. 

If we take the example of my son, had I not monitored his screen time regularly, I wouldn’t have noticed the unusually high usage of an unlikely program, the Files app. This clued me in to the fact that he was doing something unexpected. If this sounds expensive and time consuming for a business whose focus is making widgets, you’re right. But over the last 30 years businesses have been enjoying the productivity and cost savings of automation, computers and Cloud computing. Now with the explosion of AI and natural language learning models, it will only get more efficient. We have to invest some of that efficiency into understanding the business risks fully and developing effective cybersecurity programs.

 Cybersecurity is not just about implementing tools or locking digital doors; it’s about understanding the risks, the attackers, and the ever-evolving threat landscape. My experience with my son highlights how a determined individual, armed with time and ingenuity, can outmaneuver even the most carefully implemented defenses if risks are not fully anticipated. For businesses, the lesson is clear: a static approach to security is insufficient. Success requires continuous monitoring, adaptability, and a deep understanding of both risks and adversaries. By investing in comprehensive cybersecurity strategies, businesses can safeguard themselves from the devastating consequences of cyberattacks and build resilience in an increasingly connected world. 
