Barely a week goes by without a story of how another major organisation has been compromised. Whether millions of IDs were stolen, or personal data compromised, it’s clear that no business, irrespective of the money they throw at security solutions, is safe.

Even more worrying, says Simon Campbell-Young, MD of Credence Security, is that very few CISOs believe their organisations are highly effective at preventing a breach, and the majority aren’t even sure whether they would be aware that a breach had taken place.

“There are several reasons for this,” he says. “Firstly, they are lax about risk management. Businesses across the board are seizing the advantages and benefits brought by trends such as cloud, mobility, big data and the Internet of Things (IoT). However, the benefits of these technologies come hand in hand with many new risks, which are significantly altering the threat landscape. Very few businesses have adjusted their security posture to take these new threats into account, which is a big mistake.”

Another area in which businesses are going wrong is the classification of their data. “Too many companies are not differentiating the types of data they have, or assigning value to different data sets. They are treating all their data the same, which means they are not assigning enough resources to their most valuable and sensitive data, and too many to data that simply isn’t that valuable.”

They need to decide which data – customer data, IP rights, personal information of staff – is the most valuable, and focus resources there first, he says.

Then there’s the lack of a good crisis management strategy. “The best way to mitigate a crisis is to be prepared for it. Although most businesses know that threats are real and it’s probably only a matter of time before they fall victim to a breach, they simply are not prepared. Having a plan in place will ensure that everyone is aware of their role, that announcements to regulators and customers happen quickly, and that the business can be up and running with minimum disruption.”

According to Campbell-Young, too few companies are turning to the experts to test their security measures. “Relying on your internal team to conduct penetration testing is foolish. You need experts to determine the true nature of your cyber resilience.”

Chances are, in-house teams have too much on their plate, and lack the skills and expertise to conduct penetration testing effectively. “An outside expert will paint a true picture, and will perform testing, threat intelligence analysis, and investigations thoroughly, giving the business a good idea of where its security may be lacking,” he adds.

Ultimately, good cyber resilience isn’t about spending vast amounts of money on security solutions; that is only part of the solution, Campbell-Young says. Staff need to be educated, and procedures and policies put in place to ensure that all angles are covered in the event of an incident. Without these, money spent on security is often money wasted.