The Five Stages of Cybersecurity Grief

A semi-serious cybersecurity guide for nonprofits

If cybersecurity has you feeling down, you are not alone. A recent study by IBM found that 83 percent of the over 3,600 organizations in their study had experienced more than one data breach already. If your organization has been fortunate enough to NOT suffer a breach, you have most likely still been confronted with challenges renewing your cyber liability insurance, responding to questionnaires from partners or auditors, and answering increasingly uncomfortable questions from board members along the lines of, "What are we doing about cybersecurity risk?"

That's why we thought we would introduce the newest (semi-serious) cybersecurity framework, "The Five Stages of Cybersecurity Grief."

Denial

The first step in addressing any kind of risk is acknowledging that it exists. However, when it comes to cybersecurity, many organizations struggle to do this. In IBM's study, 68 percent of respondents said their organization is in denial about the seriousness of cyberattacks.

This denial manifests itself in a number of ways. For example, some organizations refuse to admit that they've been breached, even after evidence has surfaced. Others downplay the impact of a breach, refusing to believe that their data could be compromised. And still others simply don't want to deal with the hassle and expense of implementing stronger cybersecurity measures.

Ultimately, this denial can be very costly. According to the IBM report, data breaches cost an average of $4.35 million USD globally and a downright eye-popping average of $9.44 million for US organizations!

Average cost of a data breach, by global regions. The USA is ranked at the top with an average breach cost of 9.44 million

I don't expect we'll be hearing a "We're number one!" chant anytime soon.

By failing to address cybersecurity risk head-on, organizations put themselves at greater risk of being breached and losing valuable data. So if you're feeling down about cybersecurity risk, don't worry – you're not alone. But it's important to take steps to overcome your denial and start addressing the problem head-on.

Anger

There are many reasons that organizations may feel angry about having to deal with cybersecurity risk. One reason is that it can be expensive to implement proper cybersecurity measures. Another reason is that it can be difficult to keep up with the latest threats and technologies. And yet another reason is that a data breach can be very costly and damaging to a business.

Bargaining

During this stage, you may be trying to find quick and easy ways to make the problem go away. You may also be looking for someone to blame for your cybersecurity woes. At this stage, it is important to remember that there is no single solution to cybersecurity risk. The best way to reduce your risk is to develop a comprehensive security program that includes strong security controls, employee training, and incident response plans.

Depression

There are many reasons why nonprofits may feel depressed about cybersecurity risk. One is the high cost of breaches, over four million USD on average, which doesn't even include the cost of dealing with the aftermath, such as customer notifications, credit monitoring, and identity theft protection services.

Another reason is that cybercrime is on the rise. In fact, it's expected to become a $7 trillion industry by the end of 2022. That means your nonprofit is up against some pretty big odds if it falls victim to a cyber attack.

Finally, many people view cybersecurity as an insurmountable task. It can seem like you're fighting a losing battle against hackers who are constantly coming up with new ways to exploit vulnerabilities. As a result, many nonprofits feel overwhelmed and helpless when it comes to cybersecurity risk.

Acceptance

Nonprofits can have a unique relationship with risk. They are often tasked with taking on risks that for-profit organizations would not consider, in the name of furthering their missions. This includes things like accepting donations of used computer equipment from the general public, or giving volunteers access to sensitive systems such as websites, social media accounts and CRM systems. That is because some nonprofits cannot afford to hire people at market rates to perform these functions and cannot responsibly pass up an opportunity to access these skills for free.

So how do nonprofits reach a state of acceptance about cybersecurity risk? They start by acknowledging that there is no such thing as perfect security, and that any organization is susceptible to a data breach. They then develop a risk management plan that includes incident response procedures, staff training, and regular reviews of their security posture. Finally, they commit to ongoing communication with their stakeholders about the state of their cybersecurity risk.

Despite the challenges, it is important to remember that cybersecurity risk is real and should be taken seriously. While there is no magic wand that allows you to completely eliminate cybersecurity risk, this is a classic case where you do not want to let perfect be the enemy of good.

Grief does not have to be bad. Remember Charlie Brown? Grief can be good, right?

Mark P.

Principal Consultant @ Acumera, Inc. | Certified AcuVigil Dashboard & Networking Expert

2y

Thanks for summarizing and sharing. This is better than any convoluted "maturity" scoring system. Keep on keeping folks from slipping back levels.

Tim Leonard

Bank Executive CIO & Educator - Specializing in Tech/Cybercrime

2y

Bravo Josh. Nailed it.
