Paradoxical inertia: when the certainty of a cyber attack does not foster resilience
It is now an accepted truth in the cybersecurity sector that “it is not a question of if, but when”. For those working in incident response (IR), this statement is by no means trivial or rhetorical, but represents the concrete reality underlying potentially disastrous operational scenarios. It is precisely from this awareness that a structured approach to security should emerge; yet, in many organisations, the certainty of risk still does not translate into timely decisions and consistent investment.
From awareness to inaction: why security keeps getting put on the back burner
Despite widespread awareness of the inevitability of a cyber incident, this certainty does not systematically translate into concrete decisions aimed at improving the security posture or increasing organisational resilience.
Experience in the field reveals just how difficult it is for IT managers to secure the necessary support for investments in risk prevention and mitigation. Requests for time and budget for fundamental activities such as system hardening, network segmentation, regular patching and the implementation of essential configurations and controls regularly meet with delaying responses such as “Let’s put it in next year’s budget” or superficial underestimations such as “We already have antivirus software; that’s more than enough”.
Cybersecurity and business continuity: the cultural and strategic crux
This resistance is not merely financial, but is rooted in a deep reluctance to accept cultural change. Organisational inertia persists even in more stringent regulatory contexts, such as NIS2, which imposes measures and processes that are mandatory by law. Too many organisations that are not digital by design struggle to grasp the logic of proactive security. For many organisations, particularly businesses and public administrations, cybersecurity is still viewed as a “technical problem” rather than a strategic issue linked to business continuity.
Cybersecurity policies are not a technical whim, but represent the first line of defence against potentially devastating impacts. Security proves costly and ineffective when conceived as merely the sum of technologies to be installed, rather than as an organisational model, a strategy and a process of improvement.
Advanced threats, tangible impacts: what happens when prevention is not enough
In the current landscape, attack scenarios have become significantly more potent. Vectors have evolved, including increasingly sophisticated phishing, targeted attacks against the supply chain and the exploitation of zero-day vulnerabilities within a matter of hours. We are witnessing a time gap of over twenty years between the evolution of threats and the defences adopted by many organisations, which remain stuck in the belief that a simple, up-to-date antivirus and a firewall are sufficient to guarantee protection.
As an Incident Response Manager, I have witnessed consequences of despair and regret that go beyond direct financial damage. A successful ransomware attack can result in weeks of downtime, the loss of thirty years’ worth of documents, penalties arising from the failure to provide services or supplies, severe reputational damage, GDPR fines and, in extreme cases, the permanent closure of the business. Last but not least, cyber incidents can have a direct impact on people, with employees being furloughed and, at management level, directors ending up in hospital due to the stress caused by a total production shutdown.
A crucial, often underestimated element is the management of data exfiltration. Seeing sensitive employee data (ID cards, passports, medical records of family members) published and made publicly available poses a significant risk to individuals and requires an immediate change of approach in the structuring of cybersecurity processes.
During the acute phases of incident response, management gains a clear understanding of the necessary measures: allocating budgets for the removal of obsolete systems, adopting MDR (Managed Detection and Response) services, implementing MFA (multi-factor authentication) at least for VPNs and email, launching training programmes, using EDR (Endpoint Detection and Response) and establishing stricter policies.
After the crisis, the risk of a return to the status quo
However, the problem persists: once business operations have resumed and the immediate “crisis” is over, there is often a return to the status quo ante. In many cases, the attack, the disruption of operations, and the financial and reputational damage are not enough to trigger lasting change. The correct strategic approach should not focus on how much it costs to protect oneself, but rather on how much it would cost to be brought to a standstill again.
The literature is full of best practices and the necessary technologies exist. The difference between a company that survives an attack and one that succumbs often lies in the proper management of data resilience. Whilst backups were not standard practice as recently as ten years ago, awareness of the issue is now greater, although the technical and procedural solutions are sometimes questionable.
A robust backup is a lifeline for the business
In cases of managed ransomware attacks, companies with robust and tested backups have achieved a clear and relatively rapid recovery timeline. Conversely, those with compromised backups have faced total darkness: a lack of essential data and services from which to recover.
Even in the absence of a budget for advanced solutions, such as immutable backups, or where management is not yet convinced of the need to invest, it is imperative to establish a rigorous internal procedure:
- Define realistic RPO (Recovery Point Objective) and RTO (Recovery Time Objective) that are consistent with business needs
- Store backups offline, or at the very least ensure their logical and physical separation from the production environment
- Periodically test recovery procedures
- Simulate attack scenarios and ask the critical question: “Would the backups survive this scenario?”
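As an added illustration of the four steps above (example code, not the article's or Cyberoo's own tooling), the following Python check scores a constructed backup inventory against assumed RPO/RTO targets, a restore-test interval and the isolation requirement, and answers the “would the backups survive” question for a ransomware scenario in which production credentials are compromised. The policy values, the `BackupSet` fields and the inventory are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Policy targets, assumed for illustration (step 1: define RPO and RTO).
RPO = timedelta(hours=24)           # maximum tolerated data loss
RTO = timedelta(hours=8)            # maximum tolerated time to restore
TEST_INTERVAL = timedelta(days=90)  # how often a full restore must be rehearsed (step 3)

@dataclass
class BackupSet:
    name: str
    last_backup: datetime
    isolation: str  # "online" (reachable from production), "separated" or "offline" (step 2)
    last_restore_test: Optional[datetime] = None
    measured_restore: Optional[timedelta] = None  # wall-clock time of the last rehearsed restore

def assess(b: BackupSet, now: datetime) -> list[str]:
    """Return the policy gaps for one backup set; an empty list means compliant."""
    gaps = []
    if now - b.last_backup > RPO:
        gaps.append("RPO: newest copy is older than the tolerated data loss")
    if b.last_restore_test is None or now - b.last_restore_test > TEST_INTERVAL:
        gaps.append("untested: no restore rehearsal within the test interval")
    if b.measured_restore is None:
        gaps.append("RTO unknown: restore time has never been measured")
    elif b.measured_restore > RTO:
        gaps.append("RTO: measured restore exceeds the objective")
    if b.isolation == "online":
        gaps.append("isolation: reachable from production, so it can be encrypted along with it")
    return gaps

def survives_ransomware(b: BackupSet, now: datetime) -> bool:
    """Step 4 for one scenario: an attacker with production credentials encrypts every
    reachable share. Assumption: only separated/offline copies escape, and only a copy
    with a rehearsed restore inside TEST_INTERVAL counts as a real recovery path."""
    tested = b.last_restore_test is not None and now - b.last_restore_test <= TEST_INTERVAL
    return b.isolation != "online" and tested

# Constructed inventory (sample data, not real systems).
NOW = datetime(2024, 6, 1, 8, 0)
INVENTORY = [
    BackupSet("nas-nightly", NOW - timedelta(hours=6), "online",
              NOW - timedelta(days=30), timedelta(hours=3)),
    BackupSet("tape-weekly", NOW - timedelta(days=5), "offline",
              NOW - timedelta(days=200), timedelta(hours=30)),
    BackupSet("vault-snapshots", NOW - timedelta(hours=2), "separated",
              NOW - timedelta(days=20), timedelta(hours=4)),
]

if __name__ == "__main__":
    for b in INVENTORY:
        print(b.name, "survives:", survives_ransomware(b, NOW), assess(b, NOW) or ["compliant"])
```

Only the copy that is both separated from production and recently rehearsed passes; a fresh but production-reachable backup fails the scenario even though it meets RPO and RTO on paper.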
When, despite postponed requests and denied budgets, operations come to a standstill, it will be the backups that save the company and everything that depends on it. It is essential to adopt processes and solutions that protect data, work and, above all, people. The same awareness now gained regarding the need for backups must be extended to cybersecurity, understood as a structured, effective and efficient model.
By Andrea Coli – Incident Response Manager, Cyberoo
