Minimising the threat of a cybersecurity attack is a day-to-day struggle for many businesses in the current climate. According to a recent PricewaterhouseCoopers (PwC) survey, the rapid pace of digital transformation during the COVID-19 pandemic, which saw businesses move services online, supply chains disrupted and employees working from home, has pushed cybersecurity to the top of the agenda for CEOs. Ninety-one per cent of UK CEOs responding to PwC’s 24th Annual CEO Survey said they were concerned about cybersecurity risks, up from 80% the previous year and the highest figure recorded since CEOs were first asked about cyber threats in the survey.
With cybersecurity attacks on the rise and threats coming from multiple angles, having a futureproof risk management plan is essential for businesses of all shapes and sizes. Ed Martin, Director of Product Management at the American cybersecurity company Secureworks, says: “The key to success is to plan for all eventualities, including what to do if a breach occurs, while still taking a strategic approach to minimising risks. A risk management plan should cover every aspect of where threats are likely to arise and what to do when they occur.”
The COVID-19 pandemic changed the world of work, and for many organisations infrastructure was transformed overnight. A sudden switch to remote working, increased use of cloud services and greater reliance on personal devices significantly expanded the attack surface of many enterprises. Security operations teams have become overwhelmed with alerts and unable to pivot away from daily tactical firefighting towards more strategic, proactive threat hunting. Organisations continue to respond by adding security tools to their technology stack, which further entrenches an uncoordinated approach to securing data and devices. Security staff are overloaded, a problem made worse by a reported severe shortage of qualified cybersecurity professionals and a lack of training for in-house teams.
Martin says: “The global nature of the pandemic saw the targeting of healthcare, pharmaceutical, and government organisations including laboratories researching Coronavirus by both nation-states and financially motivated cybercriminals. And attacks targeted to exploit changes due to the pandemic didn’t slow the constant barrage of zero-day, ransomware attacks or data breaches organisations face, as demonstrated by incidents relating to SolarWinds in the US and Microsoft Exchange across the globe.
“Of course, there will always be changes in the work environment. Companies grow, sometimes by merger or acquisition and in doing so may open themselves to threats they have not previously experienced. Risk management plans need regular revision and updating.”
Ernst & Young’s Global Consulting Cybersecurity Leader, Kris Lovejoy, says a risk management plan created in 2021 will likely look very different from one created just a year earlier, as there are new risks to worry about. “With people returning to work in various configurations and normal operations resuming, CISOs need to anticipate that some employees will be reluctant to return and continue to work remotely, shortages and supply chain risks will continue to disrupt normal business and insider threats remain high as staff members’ futures remain unclear. Nation-states will continue to exploit the persistence obtained previously, InfoSec will continue to uncover historical breaches while managing ongoing significant ransomware risks and companies will invest in infrastructure as emphasis on resiliency and contingency planning is renewed.”
Kris says cybersecurity strategy and road maps, as well as security governance, management and operational structure, need to be realigned. “Risk assessment methodologies should be revised to reflect revised operational requirements and new KPIs and KRIs for business stakeholders will be necessary to reflect cyber performance in this new world,” she adds.
Planning for the future
Understanding the inherent risks is, of course, an important part of the cybersecurity puzzle, yet to create a truly futureproof cybersecurity risk management plan there is a lot of work that needs to be done in-house, according to Chris Gaines, Cyber Security Leader at PwC UK. “With every area of every organisation now more reliant on technology, and more reliant upon the technology of suppliers and other organisations within their ecosystem, business leaders need to appreciate the role they must play in securing their organisation,” he says.
“Securing an enterprise is far more than ensuring the CIO builds the right technical controls. It is about simplifying the organisation to be securable. It is about assessing, understanding and managing the cyber risk impact of every business decision. And it is about recognising that much of cybersecurity risk originates from vulnerabilities outside their organisation. CEOs are right to be concerned about cyber security risk but the challenge they face is shaping their organisations to be securable. However, this period of change we find ourselves in presents the perfect moment to face into that challenge,” he adds.
PwC’s Global Digital Trust Insights (DTI) 2021 survey found that more than half of businesses are expanding their cybersecurity teams. An estimated three-and-a-half million people are needed to fill cybersecurity jobs globally in 2021, and despite advances in technology it is still human error that poses the biggest threat to data security. Cybersecurity therefore needs to become part of company culture and be treated as a priority.
Secureworks’ Ed Martin says security teams need help to improve their investigation capabilities and to respond faster to the threats they discover. He believes businesses today need a solution that keeps staff from being overwhelmed by the number of different security tools they have to manage, freeing those people to focus on proactive and strategic activities.
“The security marketplace is flooded with vendors and solutions. Few of them by themselves really meet the needs of overburdened, under-resourced CISOs, and point solutions are often targeted by hackers or other threat actors exploiting gaps in these products. It can be difficult to identify exactly where a vulnerability is occurring with many separate tools in play. This is deeply irritating as advanced adversaries and emerging threats continue to increase, while organisations struggle with uncoordinated tools and a lack of qualified staff,” he says.
The cybersecurity industry is evolving at a phenomenal rate, accelerating innovation and growth, yet with cybersecurity threats on the increase, more cybercriminals and ever more complex infrastructure in our day-to-day lives, there is no time to rest on our laurels. Modern businesses must take a proactive, forward-looking approach to cybersecurity that prepares them for the unknown, because failure to plan for the future could put the whole company at risk.