(As originally published on LinkedIn, 15 February 2018)
The Internet of Things (IoT) is connecting business in ways we could have never imagined. Every organization, now digital by default, is operating in a huge cyberworld where every asset owned and used is another node in a vast and converging global network.
While this new digital world is creating tremendous opportunities, it’s also making it more difficult than ever for companies to accurately map out their operations – and protect against security threats.
Recent cyber events have proven that no organization, regardless of size, scale or sector, is immune to cyber attacks that can impact business operations, process automation, data protection and privacy. These attacks are hitting the bottom line, brand and reputation of companies and reverberating right across the entire ecosystem.
Bridging the disconnect between today’s budgets and tomorrow’s cyber risks
According to the results of the recent EY Global Information Security Survey (GISS), both awareness and the resources required to adequately tackle cyber threats are sorely lacking. The survey of nearly 1,200 C-level leaders of the world’s most recognized organizations found:
- The majority (87%) of respondents said they need up to 50% more cybersecurity budget – yet only 12% expect an increase of more than 25% towards this investment;
- Only 12% of those surveyed felt they would be able to detect a sophisticated cyber attack;
- Just over half (57%) admit to having no or only an informal threat intelligence program in place.
We know cyber budgets are likely to increase over time. They will simply have to – either leaders will begin to see the bigger risk landscape and adopt more aggressive preparation, or a painful experience will provoke a greater investment to prevent further impact.
In the interim, how organizations allocate their limited resources will have a critical impact to their security posture.
My colleague Paul van Kessel, EY Global Advisory Cybersecurity Leader, says the most successful cyber attacks use common methods that leverage organizations’ known vulnerabilities. As organizations continue to transform to navigate the digital age, he says they will need to examine their ecosystems from every angle to protect their businesses today, tomorrow and far into the future.
89 % of respondents say their cybersecurity function does not fully meet their organization’s needs.
What can we do in the here and now?
The fact that cyber attacks can be thwarted is encouraging, but organizations need to adhere to a checklist of continually changing protocols. With limited budgets, companies can get the most out of their cyber programs by focusing on some key elements in determining their cyber strategy:
- Governance: Organizations need to make cybersecurity a topic at the forefront of their board of directors. Conversation should focus on determining the company’s cyber risk appetite, and how to measure, evaluate and mitigate risk. It also requires the right people and expertise to be in the room.
- Hygiene: The key to strong cybersecurity is strong hygiene. New technologies are exciting but it’s more critical to recognize that effective safeguarding requires companies to execute the fundamentals of cyber risk prevention well.
- Due diligence: There is always a need to keep on top of the governance, processes and controls that are used to secure information assets. Cyber due diligence is particularly critical when a company is subject to regulatory compliance; has intellectual property that, if obtained by a competitor could pose a risk; and has operations that could affect reputation if disrupted.
- Third-party risk management: Third-party breaches and outages impact the marketplace and expand the boundaries of the threat environment outside of a single company. Organizations should have an inventory of all third-parties supporting them and be aware of potential risks these third-parties pose. Put another way: guard the perimeter!
- Resiliency: Having the ability to withstand and rebound from cyber attacks is critical to the resiliency of day-to-day operations. This points to the need for a well-developed, enterprise-wide resiliency strategy.
- Cyber risk management: Fast-changing and evermore potent cyber threats require a new mindset and approach to cyber risk management and governance. These days, for example, there is a stronger focus on driving practical and substantive change in cyber risk governance. What’s more, the GISS report finds organizations with good governance processes underlying their operational approach are able to practice security-by-design – an approach to building systems and processes that can respond to unexpected risks and emerging dangers.
Building cyber security resilience in the face of the unknown
Embedding the following objectives into your cyber strategy can further augment an organization’s cyber security resilience.
Talent-centric: Build on the foundation that cyber security is everyone’s business and not just the domain of IT. A simple mistake by one employee can be detrimental to the entire operation, so setting the tone from the top and building it into the culture is key. That means raising awareness for potential risks across the board, and training employees on how to avoid them.
Strategic and Innovative: Make cyber security a part of all strategic decision-making, including all technology adoption, new product development and a company’s innovation and ideation programs.
Risk focused: Ensure cyber risk management is driven by well-governed risk alignment, awareness and risk prioritization. This entails implementing proper policies and standards for metrics and reporting, as well as staying on top of third-party threats.
Intelligent and agile: A cyber security function that enables timely threat identification and response can minimize risk, while improving cyber threat intelligence and vulnerability management.
Resilient and scalable: Ideally, cyber risk management should minimize the impact of disruptions and keep pace with business growth.
Managing cybersecurity is an ongoing and constantly evolving journey; no organization can anticipate every threat that will emerge. However, by making cyber security a key part of company culture, and having the critical components in place to defend against common threats, even those risks one can’t see can be mitigated.
National Cybersecurity Leader
+1 416 932 5902