
Writing for Defence Online, Bharat Mistry, Technical Director at Trend Micro, examines how closer cyber-business alignment could help mitigate the cyber threat

The scale and sophistication of escalating cyber-threats took many organisations by surprise over the past year. Even a defence community more cyber-savvy than most was impacted, as threat actors took advantage of under-protected home workers and preoccupied IT teams to do their worst. Yet while technology solutions exist today to mitigate many of these risks, there’s a deeper challenge that must be addressed.

To tackle the systemic problems which undermine cybersecurity efforts in many organisations, closer attention must be paid to the way in which boardrooms and security leaders interact. The challenges highlighted in a new report will require not just extra budget but cultural change driven from the top down.

Breaches on the rise

Cybersecurity breaches continue to make the headlines with an almost monotonous regularity. But that shouldn’t desensitise you to what’s at stake here. Theft of sensitive customer/employee information or IP is a serious matter. When combined with ransomware designed to lock down IT systems, it could have major financial and reputational repercussions ranging from regulatory fines and lost productivity to customer churn and huge IT overtime costs.

As we saw with the now-infamous SolarWinds attacks, companies operating in key supply chains for government and critical infrastructure are very much in the crosshairs today, either as a “stepping stone” to higher-value victims or as a target in their own right. Our 2020 roundup report reveals a 34% year-on-year increase in new ransomware families, with government the most targeted industry and healthcare fourth.

The shift to mass remote working during the pandemic has created some perfect conditions for cyber-threats to flourish. First, there are home workers, who may be more distracted, use less well-secured devices and networks and engage in more risky behaviour than if they were in the office. Phishing is a primary concern here. In fact, 91% of the 62.6 billion cyber-threats we blocked in 2020 were email-borne.

Elsewhere, attackers targeted unpatched systems and accounts protected by weak passwords. VPN vulnerabilities have been particularly scrutinised, as have RDP endpoints used for remote working. In many cases, previously breached credentials for these servers are easy to find online.
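The RDP pattern described above (many failed logons against an exposed endpoint, using weak or previously breached passwords, followed by a success) is one a security operations team can detect from Windows Security event logs. The script below is an added example, not code from the article or from Trend Micro: it groups Event ID 4625 (failed logon) records with logon type 10 (RemoteInteractive, i.e. RDP) by source address, flags sources that exceed a failure threshold inside a sliding window, classifies each as password spraying (many accounts) or brute force (one account), and notes whether a 4624 (successful logon) from the same source followed the failures. The sample log lines, the CSV layout, the thresholds and the window size are all constructed assumptions for the example; real 4625 events would be read from the event log or a SIEM export.

```python
"""Flag RDP brute-force and password-spray activity in Windows Security
event data (Event ID 4625 = failed logon, 4624 = successful logon,
LogonType 10 = RemoteInteractive/RDP).

Added example, not part of the original article or any vendor tool.
The CSV layout, the log lines, the window and the thresholds are
assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, EventID, TargetUserName, LogonType, IpAddress
SAMPLE_LOG = """\
2021-03-01T08:00:01,4625,alice,10,203.0.113.7
2021-03-01T08:00:03,4625,bob,10,203.0.113.7
2021-03-01T08:00:05,4625,carol,10,203.0.113.7
2021-03-01T08:00:07,4625,dave,10,203.0.113.7
2021-03-01T08:00:09,4625,erin,10,203.0.113.7
2021-03-01T08:00:11,4625,frank,10,203.0.113.7
2021-03-01T08:01:00,4625,admin,10,198.51.100.23
2021-03-01T08:01:02,4625,admin,10,198.51.100.23
2021-03-01T08:01:04,4625,admin,10,198.51.100.23
2021-03-01T08:01:06,4625,admin,10,198.51.100.23
2021-03-01T08:01:08,4625,admin,10,198.51.100.23
2021-03-01T08:01:10,4625,admin,10,198.51.100.23
2021-03-01T08:01:12,4624,admin,10,198.51.100.23
2021-03-01T08:05:00,4625,grace,10,192.0.2.44
2021-03-01T08:30:00,4625,grace,2,192.0.2.44
2021-03-01T09:00:00,4624,grace,10,192.0.2.44
"""

RDP_LOGON_TYPE = "10"
WINDOW = timedelta(minutes=5)   # assumption: sliding window for counting failures
FAIL_THRESHOLD = 5              # assumption: failures per source inside the window
SPRAY_MIN_ACCOUNTS = 4          # assumption: this many distinct accounts => spraying


def parse_events(text):
    """Parse the constructed CSV layout into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, logon_type, ip = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": event_id,
            "user": user,
            "logon_type": logon_type,
            "ip": ip,
        })
    return events


def detect_rdp_attacks(events):
    """Return {ip: finding} for sources whose RDP logon failures exceed the
    threshold within WINDOW. A finding records the attack kind, the failure
    count, the accounts targeted and whether a success followed the failures."""
    rdp = [e for e in events if e["logon_type"] == RDP_LOGON_TYPE]
    by_ip = defaultdict(list)
    for e in rdp:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["event_id"] == "4625"]
        # Sliding window over the failures: keep the densest window that
        # reaches FAIL_THRESHOLD, if any.
        best, start = None, 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > WINDOW:
                start += 1
            window = fails[start:end + 1]
            if len(window) >= FAIL_THRESHOLD and (best is None or len(window) > len(best)):
                best = window
        if best is None:
            continue
        accounts = sorted({e["user"] for e in best})
        kind = "password_spray" if len(accounts) >= SPRAY_MIN_ACCOUNTS else "brute_force"
        last_fail = best[-1]["ts"]
        # A 4624 from the same source after the failures means a guessed or
        # breached credential worked and the host needs incident handling.
        success_after = any(e["event_id"] == "4624" and e["ts"] >= last_fail for e in evs)
        findings[ip] = {
            "kind": kind,
            "failures": len(best),
            "accounts": accounts,
            "success_after": success_after,
        }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_rdp_attacks(parse_events(SAMPLE_LOG)).items():
        print(ip, finding)
```

On the sample data the first source trips the spray rule (six accounts in ten seconds, no success), the second trips the brute-force rule against a single account and is followed by a successful RDP logon, and the third source is ignored because only one of its failures is an RDP logon. In production the thresholds need tuning against normal helpdesk and service-account noise, and the "success after failures" case is the one that should page someone.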

A deeper problem

The good news is that there are security tools and best practices to mitigate these risks, including enhanced user education, multi-factor authentication, network segmentation, endpoint protection, and company-wide threat detection and response. Yet to apply these without addressing some of the underlying causes would be like fixing a sticking plaster to an open wound.

According to a recent study from Enterprise Strategy Group (ESG), a key challenge facing most European organisations is that cybersecurity is still seen as mostly (51%) or completely (18%) a technology area, with little direct impact on the business. Over a quarter (27%) of European organisations don’t view it as part of the business mission at all. This is despite the fact that 77% of respondents believe cyber-risk is either “much” or “somewhat” greater than it was two years ago.

Why does this matter? Because business leaders who aren’t engaged with cybersecurity will tend not to ask the right questions, dig into the right issues, or join the dots between cyber and business risk. The result, ESG warns, is that executives are only willing to fund “good enough” security — the bare minimum needed to comply with regulations and deliver basic protection. This can impact key activities such as staff training and awareness-raising programmes, cyber-hygiene like prompt patching of vulnerabilities and the building-in of security into business processes and technology initiatives from the start.

Unfortunately, “good enough” security is increasingly not good enough for modern organisations, especially those in highly targeted sectors like defence and government. We’re facing an adversary backed by an underground economy now worth trillions. Security requires much closer strategic input from business leaders.

Closer alignment starts here

Fortunately, boards are getting more engaged. Two-fifths (40%) of European organisations say their executives are engaged in some type of continuous cybersecurity education, and even more (82%) say their boards are “much” or “somewhat” more engaged with the topic than they were two years previously. However, there’s still a long way to go.

So what can these organisations do to improve cyber-business alignment? ESG makes three key recommendations. First, CISOs should report into their CEOs, which currently only happens in around a quarter of organisations. This would help to provide more security exposure for the CEO and more business input for security teams.

Second, consider a more formalised cybersecurity programme, led from the top down and managed via KPIs and established metrics. These will in turn help CISOs communicate better with their business colleagues in a language both understand.

Finally, organisations should look at creating a new role of Business Information Security Officer (BISO) within specific units. These would be executives with knowledge of both security and business issues that can really drive home the importance of cyber to employee productivity at a granular level.

Cybersecurity must be built deep into the fabric of your organisation if it is to withstand the rising risk and threat levels of a post-pandemic world.


Post written by: Matt Brown
