Contributed by Curt Dalton, Managing Director and Global Leader - Security and Privacy Solutions, Protiviti.
Cyberthreats are viewed as a significant risk to organisations, one capable of disrupting core operations and inflicting serious damage to brands and reputations.
Businesses today are operating under constant threat of cyberattack. And the costs they’re incurring are skyrocketing. Consider this: Cybercrime will cost the world US $6 trillion (£4.8 trillion) in 2021 alone, according to estimates from Cybersecurity Ventures. That’s more than the combined GDP of the UK and France!
Cyberthreats have been among the top global risks in each of the eight years that Protiviti and NC State University’s ERM Initiative have been conducting their annual Executive Perspectives on Top Risks survey. For 2020, cyberthreats rank sixth among the 30 risk factors assessed by board members and executives from around the world. The research shows that cyberthreats are viewed as a significant risk to organisations, one capable of disrupting core operations and inflicting serious damage to brands and reputations.
Homing in on the top cyberthreats
Among the many challenges in addressing cyberthreats effectively:
Hackers continue to be a moving target. As soon as companies develop an effective defence to one exploit, attackers change their approach and pursue their targets from a new angle. Hackers also share information on successful exploits. To date, however, companies have been reluctant to share effective responses, making it difficult to pin down best practices.
In addition, threat vectors and exploits are becoming increasingly sophisticated and harder to detect and mitigate. For example, hackers can now capture fingerprint, voice and facial recognition data. And some state actors have infiltrated the supply chains of high-end computer manufacturers and implanted malicious microchips in some of the most secret systems of the US and other governments. The most common form of intrusion, however, remains malware, which is usually introduced through targeted email campaigns.
Related to this, in a survey Protiviti participated in with ESI ThoughtLab, IT leaders at 1,300 companies were asked to list their greatest systems vulnerabilities. Their responses, presented in the accompanying chart, tell an interesting story.
Further exacerbating the threat environment, innovative digital transformation initiatives, cloud computing adoptions, mobile device usage, robotics, machine and deep learning, and other applications of exponential increases in computing power continue to outpace the security protections many companies have in place.
Yet another critical issue: Increasingly sophisticated attacks on the human perimeter by perpetrators of cybercrime add to the high levels of uncertainty in organisations regarding their cyber defences.
Bottom line, there are two categories of organisations — those that have been breached and know it and those that have been breached but don’t know it yet.
Building effective response capabilities
The unfortunate reality for any organisation is that cyberattacks are imminent. Thus, an effective response plan to ensure operational resilience and recovery becomes imperative. Organisations know they need to keep the business functioning even in the immediate wake of an attack. Time is of the essence. The longer an attack is in play, the greater the damage and recovery expenses are likely to be. To ensure a quick response, the plan has to be second nature. That means it needs to be well-rehearsed and address key questions, including threat response, containment and eradication.
Although most cybersecurity initiatives will be carried out at the operational level, boards and senior management play an important role in setting the proper tone at the top, asking probing questions and clearly establishing that security is a top priority.
Here are some things every company should be doing to bolster cybersecurity.
Be prepared. Breaches are inevitable; what matters is how quickly an organisation can rebound. This is a conditioned response best reinforced through attack drills.
Be vigilant. Preparation is not a deterrent. Note that digitally advanced companies report more attacks than less-sophisticated peers.
Align efforts. Cybersecurity should be considered part of the innovation process and budgeted accordingly, rather than having to compete for scarce resources.
Communicate. Assess insider risk and train employees on threat detection and how to minimise risky behaviours/practices. Untrained staff are the single largest cybersecurity threat because they are easy marks for phishing and other targeted attacks.
Quantify. Set risk appetite thresholds using a quantitative risk analysis tool, such as the Factor Analysis of Information Risk (FAIR) methodology.
Monitor. Take constant stock of the threat landscape. Now that ransomware has become a moneymaking activity, any organisation is potential prey.
Get serious. Investors now assess cybersecurity as part of overall board and company performance. Ask probing questions. Set clear expectations and use data visualisation tools (threat dashboards) to flag control weaknesses and potential trouble. The National Institute of Standards and Technology (NIST) and the International Standards Organisation (ISO) have each published cybersecurity frameworks that can serve as excellent roadmaps.
To stay ahead of the threat curve, companies need to view cybersecurity as an integral part of their digital transformation and critical to business continuity and operational resilience. They need to start focusing on cybersecurity in the earliest stages of digital transformation and embed it into their corporate DNA.
Cybersecurity has become every bit as critical to operational sustainability as cash flow, compliance and an uninterrupted supply chain. It is part of the cost of doing business. Organisations that make cybersecurity part of their broader operational and growth strategy will not only be better prepared in the inevitable event of an attack, but they also will have a valuable competitive edge over organisations that only react to cyber events as they occur.
Note: The article appeared in SC Media. The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.