Some of us have scrolled past the flashy headlines about online threats so often that we've started to chalk them up as clickbait. Others have thrown in the towel, wondering, "Why bother with cyber defenses if the attacks are inevitable?"

While cybersecurity experts agree there's no way to stop incidents outright, businesses can blunt the effects on their bottom lines and consumers by strategically managing their digital risks.

For years, many small and midsize businesses have hesitated to invest heavily in cybersecurity. Their uncertainty is understandable, given that these entities' points of comparison are prominent corporations like Home Depot or Target. From the outside, it appears that these national organizations have weathered multiple cyberattacks, all without skipping a beat.

But that doesn't accurately portray what happened behind the scenes.

Generally, large corporations have robust multilayered cybersecurity programs. From stringent prevention controls to proactive public relations, they have pre-built internal processes designed to handle potential incidents swiftly and effectively. Yet even with these defense mechanisms in place, corporations must often operate in emergency mode for months following an attack. Their risk-based cybersecurity practices are what save them.

So, how can we encourage small and midsize companies to learn from impacted corporations' painful lessons to strengthen their data protection and, in turn, protect consumers? We can start by shifting our collective mindset about cybersecurity from a compliance-only mentality to a more comprehensive approach.

Too often, we've unintentionally led companies to believe that their systems are secure if they meet government rules, such as those in the Health Insurance Portability and Accountability Act (HIPAA). And that's not the case.

Instead of hammering the importance of compliance, we should spur businesses to view these guidelines as a foundation for their cybersecurity practices. Fortunately, we're already seeing this shift take place.

Consider the Health Information Technology for Economic and Clinical Health (HITECH) Act. Under an amendment, the U.S. Department of Health and Human Services must consider covered entities' implementation of recognized security practices when determining potential fines, audit results and other HIPAA violations, no matter their state of compliance. Now, organizations have a financial incentive to be strategic about cybersecurity programs.

Above all, we should caution businesses that cybersecurity isn't one-size-fits-all. Companies should conduct risk assessments to determine their pain points. Then, where government frameworks like HIPAA fall short, they can fill in with custom, risk-management-based controls, whether multifactor authentication for employee logins or full-scale intrusion prevention systems. By adjusting their tactics to meet their specific threat landscape, they can move beyond compliance to better prevent, detect, and respond to cyber incidents.

When attacks and breaches feel omnipresent, it can feel futile for companies, especially those with limited time or budgets, to allocate their resources to strengthen their digital defenses. But it's worth the return on investment. A risk-based approach to cybersecurity is the most efficient and effective way for businesses to combat threats, protect their operations and safeguard consumers' data.

Christopher Wright is co-founder and partner at Sullivan Wright Technologies, an Arkansas-based firm providing tailored cybersecurity, IT and security compliance services. For more information, email chris@swtechpartners.com or visit swtechpartners.com.