Many organisations know that cyber is a challenge. The year 2020 broke all records when it came to the frequency and severity of cyber-attacks, as well as the volume of data lost in breaches. Without a doubt, cyber incidents are one of the biggest risks for businesses today, and concern over cyber threats is causing 91% of companies to increase their cybersecurity budgets in 2021.

The complexity of the issue contributes to the uncertainty that surrounds it, and it is difficult to assess the likelihood of your organisation suffering a damaging cyber-attack. Cyber-attacks come in all shapes and sizes, from troublesome phishing emails to full-blown ransomware attacks or data exfiltration. Evaluating which controls are ‘right’ for your organisation to defend against attacks is also complicated.

In this post we hope to demystify the drivers of insecurity and work toward practical solutions in this complex space, so that we can map a path toward cyber confidence.

UNCERTAINTY OVER WHY IT MATTERS?
 
We are entering a new era of cybercrime, and the last twelve months have certainly seen a pandemic-provoked rise in cases. Many have drawn parallels between the COVID-19 pandemic and cybersecurity because, like a virus, cybercrime constantly evolves and adapts to its environment.
 
Organisations must have prevention tools in place, such as firewalls and spam controls, as their first line of digital defence. In the same way, basic hygiene, “Hands, Face, Space”, is the prevention solution in the fight against COVID.
 
But this is not enough. To stay ahead of the game, in either case, we need to adopt detection tools. With cyber this may be network sensors; for COVID it comes in the form of testing. Detection measures help us discover unknown threats that get past our prevention controls.
 
It has been predicted that global crime will cost the world an eye-watering $16.4 billion a day in 2021.
 
This chilling statistic attests to the financial impact of cybercrime, but it is not just the economic cost that can damage your business. Reputational cost and the impact it can have on consumer trust must be considered, as well as regulatory costs. GDPR and other data breach laws mean that your organisation could additionally suffer regulatory fines or sanctions as a result of cybercrime.
 
Financial services, alongside the technology and automotive industries, could stand to lose the most due to data breaches. Big financial services firms, such as Allianz, face a potential $2.6 million loss in brand value, although it is retailers that stand to lose the most relative to net income.
 
Equally, like a virus, cybercrime does not discriminate. Cyber-attacks can affect companies, governments, and individuals. Data privacy and security issues continue to impact businesses of all industries and sizes.
 
Small and medium-sized businesses can sometimes suffer from overconfidence, perceiving that they are too small a target for cybercriminals. However, increased sophistication in, for example, ransomware has seen the threat to SMBs increase, with one ransomware victim every 10 seconds in 2020.
 
“IN THIS DIGITAL AGE, WHERE A COMPANY’S REPUTATION IS BASED ON ITS ABILITY TO PROTECT CUSTOMER DATA AND ESTABLISH DIGITAL TRUST, CYBERSECURITY IS BECOMING A BUSINESS DIFFERENTIATOR.” 1

WHAT ARE THE DRIVERS OF INSECURITY?
 
We have just discussed how cybersecurity threats are on the increase and how attacks can involve any business, anywhere. We have also thrown some scary numbers around when looking at the irrevocable damage that can be caused by financial and reputational loss. The challenge is to neither underestimate the significance of cybercrime nor be overwhelmed by it. This is a hard balance to strike, and the excessive amount of often technically heavy information out there fuels much uncertainty and anxiety.
 
Let us take a look at what drives under-confidence in cybersecurity, to alleviate and tackle some of these symptoms:
 
· OVER-COMPLICATION
 
There is a tendency to over-complicate cybersecurity, and this can be an obstacle in an already complex industry. There is a lot of information available, and many providers are trying to create uncertainty. Confusion and lack of confidence are the result; try not to be overwhelmed by it all.
 

“IF YOU HAVE CYBER CONFIDENCE, IT MEANS THAT YOU UNDERSTAND YOUR SECURITY POSTURE, YOU FEEL GOOD ABOUT YOUR SECURITY POSTURE AND YOUR SECURITY POSTURE IS INDEED GOOD.” 2
 
· UNDERSTANDING RISKS
 
Management teams need to remain cool and calm in the face of an ever-changing cyber landscape. If an organisation can take the time to understand the risks and responsibilities involved, there will be clarity and confidence in the objectives set and the decisions made.
 
· RESPONSIBILITY
 
Loss of confidence can arise from ambiguity, particularly when it comes to accountability. While the IT department plays a crucial role in combating data breaches, cybersecurity cannot be the sole responsibility of IT departments. By bringing different departments together and implementing an integrated strategy, consistency and certainty will follow.
 
· SECURITY POSTURE
 
Cyber confidence is about reducing the gap between how you might feel about your cybersecurity posture’s effectiveness and its actual effectiveness. A recent survey found that 78% lack confidence in their company’s cybersecurity posture. There are several best practices that you can implement to help you identify gaps, quantify risk, and get you en route to cyber confidence.

1. Vishal Salvi, Head of Cyber Security at Infosys
2. Billy Gouveia, Senior Managing Director, Cyber Security at S-RM

6 STEPS TO BUILDING CONFIDENCE

Our goal with this paper is to help build confidence in your cybersecurity posture. Here are 6 practical solutions for developing a trustworthy defence against cyber threats:

1. Conduct A Cyber Security Risk Assessment

Improving your security posture begins with assessing the strength of the controls you currently have in place. One way to do this is by conducting a cybersecurity risk assessment and maintaining a risk register. Only with a thorough risk assessment in place can an organisation be informed about known and reasonably likely threats, identify an effective overall risk management strategy and build resilience.

When conducting risk assessments, it is also important to evaluate your organisation’s third-party vendors so you can identify and address any vulnerabilities they may have in their systems. Three key questions to ask when ranking your third parties for cyber risk are:

  • How much access does the third party have to your network?
  • What data types will be accessible to the third party?
  • How business-critical is the third party?

From this point you can rank your business’s priorities.

2. Prioritise Risk and Enhance Visibility

Once vulnerabilities have been identified, it is important to then rank them based on the overall risk they pose to your organisation. Determine your priorities to improve your security posture.

Map out the decisions you will frequently be required to make; this will help you understand the data you will need access to. Confidence will come from focusing on the right information, not from accessing as much of it as you possibly can.

3. Where to Spend?

Cybersecurity costs money, and it can be difficult to justify the right budget. Make sure you spend your money wisely by looking at information about competitors:

  • Where are my peers spending on cyber?
  • What are firms spending after they have been attacked?

The latter will likely be more than they were spending previously, so your organisation should probably be spending somewhere between the two.

4. Implement Automated Software Solutions

Using automated technological solutions will save you time and money. It can help cut down incidents and stop attacks from spreading across networks. If set up correctly, automated resources can also be used to assess security metrics.

Focus on identifying what issues you hope to solve and how any new platforms or technologies might slot into that vision.

5. Educate Your Employees

A lack of security training can expose your organisation to a variety of cyber risks. Personnel are a known residual weakness when protecting an organisation’s assets from attack. Building a strong company culture that encourages active participation in the company’s defence and promotes collaboration rather than punishment is key to success.

6. Create an Incident Response Plan

The experts seem to agree that the best way to feel cyber confident and be prepared is by creating an incident response plan. A well-established and well-rehearsed plan can help reduce potential damage and allow for a quick return to normal operations.

CHALLENGING INSECURITY – ARE YOU FOCUSING ON THE RIGHT RISKS?

Earlier in this post, we highlighted recent and alarming cybersecurity statistics, and ultimately this was a call not only to take cyber risk seriously but to take risk management more seriously. This is because cybersecurity cannot be considered or solved in isolation; it needs to be examined within the context of enterprise risk management. A collaborative approach is important for protecting an organisation’s critical systems, networks, and data.

In this final section of the paper, we will look at ways an organisation can start developing a more cyber confident and integrated risk management programme:

Breaking Down Silos

Traditionally, the approach to security was about finding risks across an organisation and solving them independently within departments. Organisations should now look across their many departments and many business challenges and attempt to understand how they all connect. An integrated strategy builds consistency. If risk management is split between departments and professionals, then things are likely to be overlooked and susceptibility increases.

Alignment of incident response and recovery plans is also necessary, as effective investigation will require close cooperation between professionals. Recognising overlap, and sharing planning and resourcing, is required for an efficient investigation into any security incident.

Centralisation

Businesses would do well to centralise knowledge gained from risk assessments. Weaknesses should be accounted for in an overall risk assessment and risk register. Only with a thorough risk assessment in place can an organisation be informed about known and reasonably likely threats, identify an effective overall risk management strategy and build resilience.

Do not Underestimate Other Risks

Risk, governance, and operational security are equally important. Well-established, well-defined policies and plans are critical to both risk management and cyber security. The interface between the two must be reinforced and cohesively applied. This will help particularly with the initial containment and recovery actions in the event of a breach.

Build a Just Culture

It is paramount to build a good security culture at all levels of your business. A just culture helps create an environment where employees feel confident to report errors and help the organisation to learn from mistakes. Such active, company-wide involvement in an organisation’s defence is the goal.

Hopefully, the way has now been cleared and the signposts laid out for your journey to cyber confidence.

If you would like to explore any of the issues discussed further, then please contact our risk and compliance experts at 1RS. We are here to help.
