Part of my role as a Cyber Risk Analyst is to help companies think through their cybersecurity threats. Like most threats, these lie under the surface and usually remain unseen until it's too late.
The first step in solving any problem is simply identifying it. This is easier said than done. Since most of the real threats to your organization occur under the radar, you're going to have to dig a little deeper than your normal in-house controls.
For example, maybe your IT department has appropriately configured the network to disallow transmission of potentially sensitive files through email. What if Ted from Accounting wanted to send something through Gmail, instead? Are third-party email providers flying under your radar?
Think of your open connections (such as the third-party email providers above) as a "gateway drug" for hackers. Open security holes such as these give hackers a sweet taste of your network vulnerabilities and leave them wanting more. And once they're in, it is almost impossible to get them out without a nasty fight.
If you were a hacker, which of your organization's precious jewels would you go after? Add hoops to jump through and logging around those assets to mitigate the risk of this happening. Ensure you have the proper tools and procedures in place to actually review your logs.
Waiting for open threats to surface in your organization before attending to them is similar to waiting to change the oil in your car until the engine breaks. Sure, it will be theoretically easier to solve the issue, but think of the costs and the time involved in fixing it. It's cheaper and in your company's best interest to perform the maintenance now rather than later.
Identifying cybersecurity threats is never easy, but it always pays off. Don't be the ship that thought it could cruise by the iceberg without consequence. Investigate and live to operate another day.