Cybersecurity and cyber resilience programs are often seen as cumbersome and costly parts of IT infrastructure, mandated by regulators: a seemingly bottomless money pit that is never good enough, constantly outdated and potentially limiting the capability to maximise IT utilisation. However, when viewed as an investment rather than a necessary obligation, cybersecurity and cyber resilience can offer savings, in time and money, on top of protection.
The bad news is, the clock is ticking. According to the Allianz Risk Barometer 2020, an annual survey that identifies top business risks around the globe, cyber incidents are the #1 business risk for the first time ever.
Here are some examples. Ransomware has transcended the ranks of security & risk professionals and is universally understood as one of the most heavy-hitting modern security breaches a company can fall victim to. A ransomware attack may cause sudden loss of access to all of an organisation’s data, which is then held hostage by a malicious third party. In March 2019, one of the world’s largest aluminium companies was hit by a major ransomware attack, and 35,000 employees across 40 countries were affected. In the end, the financial damages amounted to €61 million.
According to a recent Kaspersky study, a ransomware attack costs a company on average €612,000, and that’s only the amount spent to unlock data. It does not include any additional financial damage that may have occurred due to slowed, or even worse, ceased daily operations. Unfortunately, ransomware is far from the only threat to IT infrastructure. The current status quo, which sees many employees globally working remotely, a decline of interpersonal connection, and often rushed remote capabilities, has multiplied the available attack vectors and created the perfect breeding ground for cyberattacks.
Given the financial cost of a successful cyberattack, the potential reputational damage, as well as the negative impact on daily operations, a comprehensive cybersecurity strategy should be made a business priority.
So, what does a fit-for-purpose cybersecurity strategy look like? Cybersecurity is basically the opposite of a beauty contest: an organisation needs to make itself as unattractive and uninteresting a target as possible, prompting would-be attackers to look elsewhere. Reality has proven time and time again that there is no 100% guaranteed security. Keeping that in mind, if an organisation is an attractive high-value target, it is necessary to have a robust and thorough cyber resilience strategy in place to respond to and recover from such an attack. Additionally, and perhaps most importantly, a contingency plan must be developed and on standby, ready to be implemented when an attack occurs, so that the organisation can continue operating.
Technology obviously plays a fundamental part, but so do employees. Proper identity and access management is paramount to limit what an attacker can do with a compromised account. A well-designed network setup limits how far an assailant can fan out once inside, helping to mitigate damage. A modern mobile device management and endpoint security solution keeps company-issued phones and laptops safe. Data encryption ensures that any data that might get stolen or copied cannot be read or used. These common principles do not change for modern multi- and hybrid cloud deployments; only the tools do. Ultimately, all these items should be part of a well-developed strategy and, more importantly, should be constantly re-evaluated to ensure such safeguards meet modern requirements and standards.
However, all these tools are only as good as the humans using them. For example, a potentially overworked and stressed-out administrator may hastily click on a survey link from HR after receiving the fourth reminder email, which in fact turns out to be a phishing link sent by a malicious third party.
In the end, continuous employee training and policy review should be the mainstays of a strategic framework for cybersecurity. Cybersecurity and cyber resilience are ultimately of interest to everyone in an organisation, and they require technology, human awareness and business buy-in to be effectively managed.