by Georges De Moura*
A large number of government and private sector organizations, including some of the most sophisticated companies in the world, have fallen victim to cyber-attacks in recent years. Business-critical activities have been disrupted, data has been compromised, and the threat continues to evolve at a fast pace.
This year alone, many providers of essential services including energy, healthcare, food, and transportation have been hit by ransomware attacks which crippled their operations and had cascading effects on critical functions that our society relies on.
The COVID-19 pandemic has created new opportunities for attackers and exposed new vulnerabilities. According to a recent report released by Check Point, there has been a 102% global surge in ransomware attacks compared to the beginning of 2020, with healthcare and utilities the most targeted sectors.
How to anticipate and prevent a high impact cyber-attack
By now, most businesses recognize that they have to invest significant amounts of cash and resources in cybersecurity. Collective global spending has now reached $145 billion a year and is predicted to exceed $1 trillion by 2035.
As the number and impact of cyber-attacks continue to rise, we have come to the realization that globally we’re not doing enough about cybersecurity. The current situation is comparable to trench warfare: progress is slow, and the casualties are high.
No company has the resources to fix all cyber issues, and not all fixes are equally important. Only by first identifying the activities that matter to the business, and understanding how attacks could disrupt them, can risk mitigation be prioritized.
Unfortunately, many companies skip the step of identifying the critical business activities that a cyber-attack could disrupt, and instead focus on individual technologies to fix individual problems in their IT systems. While there is some value in this approach, a company can spend significant resources without addressing the fundamental issue, which is protecting the critical business functions the products were procured to support.
Many companies get nowhere near the full benefit of the investments they make. While there is already a plethora of frameworks and best-practice guides aimed at equipping cybersecurity leaders with the tools and knowledge needed to manage cyber risks, business leaders, particularly in SMEs and less mature industries or regions, often struggle to understand the cybersecurity narrative and their own responsibilities.
We’re at a crossroads where cyber resilience has become a defining mandate of our time: to anticipate future threats, withstand and recover from cyber-attacks, and adapt to future digital shocks.
Business leaders must be prepared to answer the following questions to reassure their stakeholders:
- How well prepared are we to counter disruptions related to cyber-attacks?
- How well can we withstand the loss of mission-critical functions after a cyber-attack, and how quickly can we recover them?
These three principles will help business leaders embed cyber resilience into their organizational culture and structure:
1. Cyber resilience must be governed from the top
There is often a perception among non-technical leaders that the cybersecurity field is so complex that they must delegate it entirely. By bridging the cyber literacy gap, business leaders will be able to make more effective decisions on mitigation strategies.
Businesses should also ensure that an accountable corporate officer has been nominated and reports regularly and directly to the board and executive committee on cyber risks and resilience.
Moreover, the board and executive committee should discuss with their cyber leaders the critical business activities and any concerns they have about what could go wrong:
- Ask which systems support each critical activity, to help you prioritize, instead of going over which vulnerabilities have to be remediated.
- Learn about known attacks, how they could compromise these systems, and the potential economic impact.
2. Cyber resilience must be inherent to the business operating model
Business leaders must start treating cyber resilience as a business imperative, and understand which assets and activities are critical and provide competitive advantage to their organization. A balanced approach to cyber resilience will ensure that investments are made not only in defensive and preventive capabilities but also in the capability to respond to and recover from a major cybersecurity breach.
Cyber risk profiles evolve rapidly because of transformational initiatives and changes in operating models.
They also differ between industries and vary widely depending on product and services, geographies and regulatory requirements, and geopolitical context.
By developing the cyber literacy of their workforce and adapting the knowledge required to the role and responsibilities of the employee, businesses will be able to better harness the power of technologies while minimizing the risks associated with the human element.
Moreover, companies need to build internal capabilities to deal with change management processes and to incorporate some form of cyber risk assurance. It doesn’t have to be an onerous activity, but it is important that business leaders pay attention to the risk they are accepting.
3. Cyber resilience is an enabler of business outcomes
There will never be a guarantee that your organization’s cybersecurity practice will be sufficient to fend off the attack you face. However, if business leaders focus on what is important to protect, and understand the kinds of attacks that would compromise important business activities, they will be more likely to anticipate a major attack, be prepared to mitigate its risk, and recover quickly.
Such an exercise is continuous and dynamic, and often links with business changes – new supply chain partners, new operating models, etc.
Moreover, business leaders should be seeking value- and outcome-based measures and metrics for assessing the efficacy of the security controls implemented, the return on investment in the technologies and services acquired, and the impact on strategic business outcomes.
To fully realise the dividends of their digital transformation, businesses must align their visions with their risk tolerance. If the security risks associated with the proliferation of technology-enabled infrastructure and internet applications are not appropriately balanced with comprehensive cybersecurity strategies and resilience plans, businesses will be unable to achieve the economic growth and prosperity they seek.
*Head of Industry Solutions, Centre for Cybersecurity, World Economic Forum
**first published in: www.weforum.org