Incidents can have minimal impact or be very disruptive
Contrary to popular belief, many cyberattacks do not occur for monetary gain but for other reasons. Georgina Crundell explains that "what they are doing is attacking an organization for the disruption it causes, or to aid their political agenda."
We know this to be true. Many of our clients have experienced disruption to their supply chains or have experienced a severe impact on critical services delivery. Manufacturing production lines can be brought to a total standstill, and months of valuable time and money lost in remediation, rather than investing in growth.
Meanwhile, some prefer to speak about cyber "incidents" rather than cyber "crime."
An "incident" is the broad term covering every cyber event an organization has to deal with, including a breach, whereas an "attack" is a deliberate attempt to cause harm. Attacks can often be defended against successfully. A breach is the outcome, such as personal data being accessed without authorization, and frequently reflects a failure to meet security or data-protection requirements. Breaches are often the result of deliberate attacks, but they can also happen by accident.
However the incident occurs, the damage can be significant. And the danger doesn’t always seem to come from an external source. Trusted insiders such as employees and third parties who have access to your systems and data are also a significant risk that can’t be overlooked.
But whether we call it an "incident" or a "crime," intentional or accidental, the need to protect is paramount. Visibility of cyber incidents still seems low – only 30% of organizations polled during the webcast reported a significant cyber incident in the last 12 months, suggesting that not all incidents are being identified, or reported up to senior management. Increasing regulation, accelerating cybersecurity costs and the need to protect against potentially damaging and costly data breaches are raising the issue's visibility with the board, and enabling more investment.
Mounting regulation is indeed a particular challenge. Having an effective cybersecurity regime protects against financial and reputational loss. It also, of course, supports compliance in a regulatory environment that is often disconnected and confusing, and where the cost of getting it wrong can result in eye-watering fines.
The regulatory environment and cyber threat landscape are evolving
In Australia, for example, regulators are coming down hard in areas where they feel that an industry is not managing the risks appropriately, notably in the finance and energy sectors. In Singapore, laws and regulations are becoming more sophisticated, and the protection of personal data and digital identities is a focus. In China, security regulations are updated frequently, and across the Asia Pacific region, I detect a clear move towards sovereign protection. Some jurisdictions are more prescriptive than others, which causes more than a few headaches for larger multinational organizations trying to navigate them all.
Just as the regulatory environment is constantly evolving, so the cyber threat landscape changes as we embrace a digital world. Consumers are becoming more aware of their privacy, while mobile devices and the Internet of Things deliver greater connectivity, and with it greater risk. With everything interconnected, attacks are becoming more frequent and intense, and ransom demands are on the rise.
The elephant in the room – the COVID-19 pandemic – is also having a direct impact on risk. EY surveyed the impact of the COVID-19 crisis on cybersecurity operations. More than 80% of security leaders surveyed reported some disruption to day-to-day security operations due to the pandemic. Remote working was a challenge, as was the need to implement new business models without the due diligence that might typically be expected in a digital transformation program.
Find out what you don’t know and prioritize
Whether cybersecurity only becomes a priority after you’ve been attacked is a moot point. Professor Lam Kwok Yan believes that even if you don’t have the time and resources to control cyber risks immediately, you should find out what you don’t know and prioritize accordingly.
Targeting investment to identify and mitigate the highest risks is a sensible strategy, and Security by Design is the new imperative: "This is especially true," he says, "in an age where the threat environment is a lot more complicated and extremely challenging."
Most seem to be taking his advice. Over half the organizations (56%) we polled during the webcast say they have a clear cyber assurance program or strategy in place. Perhaps the claim that organizations act only after a cyber breach was historically true, or perhaps their investment was prompted by a previous bad experience.
Whatever the case, it still leaves 36% who have a plan or are talking about developing a plan, but that plan is yet to be put in place, and an alarming 8% think it will never happen to them.
The frightening thing is that it will happen to them, for no organization is immune. And as the adage has it, failing to plan is planning to fail.