For busy chief executives and board members, the lexicon of cybersecurity has in the past two years become increasingly littered with catchy names and a rich acronym soup that together describe the latest attacks by criminal hackers, and their tactics. In 2020, we had Sunburst, describing the massive breach of US company SolarWinds’ software, allegedly by nation-state actors, to steal US government data. Then, in 2021, we read about DarkSide, the suspected Russia-based perpetrator of a huge hack that knocked the US Colonial Pipeline offline for three days. And we increasingly hear about tactics such as RaaS (Ransomware-as a Service) and BGH (big game hunting).
All of this can seem somewhat impenetrable, not to mention darkly mysterious, to those outside specialist circles. Yet behind the language lies a very clear reality: as the scale of cyber-risks in 2022 has unfolded, the volume and ambition of attacks show no sign of abating. This is a symptom of an evolving perfect storm that leaders need to understand and deal with urgently. The real-life experience of some chief executives speaks volumes. Nicolai Tangen, CEO of Norway’s sovereign wealth fund, Norges Bank Investment Management, revealed in August that the fund was experiencing an average of three “serious” cyberattacks daily. “We’re seeing many more attempts, more attacks [that are] increasingly sophisticated,” he told the Financial Times.
As organizations try to ramp up their protective layers, cybercriminals are adapting to some of the defensive tactics that are being deployed. CrowdStrike, a US-based cybersecurity company, said in its 2022 Threat Report that, despite new approaches taken by law enforcement, it observed an 82% increase in ransomware-related data leaks in 2021 compared with the previous year.
The context for these developments is clear: the drive to digitally transform. In addition, there’s the increasing technical complexity of systems we depend on, combined with a jumble of legacy systems that present their own risks and vulnerabilities.
Crucially, as organizations leverage new technologies for their transformation – such as artificial intelligence, blockchain, and cloud computing – so do the cybercriminals. And cybercrime is big business. A data breach is a business transaction, so it should not surprise us that criminal gangs are not only better organized, but deploy business plans too.
So, what does this all mean? First of all, we need to recognize that we are swimming against the tide and so must get determinedly creative. Doing so will involve realizing that it’s not enough simply to protect your own perimeter if your partners or stakeholders are vulnerable.
But I believe it is also time to go further, and work together to ensure that a minimum level of cyber hygiene is achieved globally. We need to start collaborating and stop sweeping under the carpet the stigma associated with discussing breaches.
Many organizations still do not map the value enabled by their cybersecurity initiatives, viewing cyber as a cost center instead of business enabler. We also need to enable open discussions, learn from our mistakes, and learn from the mistakes of others. Only that way can we start to push back against the tide.
“Many organizations still do not map the value enabled by their cybersecurity initiatives, viewing cyber as a cost center instead of business enabler”
For organizations looking to get ahead and build cyber resilience into their workforce and operations, here are three tips to help fortify your cyber defenses:
Some of the most proactive organizations are hiring ‘ethical hackers’ who use the latest hacking techniques of malicious actors to try to identify potential security weak spots that cybercriminals could exploit. They typically take a more holistic approach than your organization’s own penetration testers, testing not only your firm’s technical systems but also seeking to uncover all security vulnerabilities before the hackers do – from your company’s receptionist to outdated legacy IT infrastructure.
There is widespread awareness that an organization’s employees can be both its weakest link and its strongest line of defense. Almost every company has implemented cybersecurity training for staff, but the effectiveness of some of these programs remains questionable. Recently, Uber announced it was investigating a cybersecurity incident following reports that a hacker allegedly gained control of its internal systems after compromising the Slack account of an employee. Companies should view cybersecurity training as more than just a box-ticking exercise, and instead take a critical look at whether these programs are changing employee behavior. One way to do this is to carry out staged phishing tests that can gauge the alertness of employees to cyberattacks during a typical working day. Companies should also define key performance indicators (KPIs) which they can track over time that may be indicators of progress towards a pro-security culture. These could include levels of unauthorized access, sharing information with external actors, and requests for password help, among others.
Earlier this year, US President Joe Biden signed the Cyber Incident Reporting for Critical Infrastructure Act into law which requires prompt, consistent, and mandatory reporting of cyber breaches. Even if there is no pressure from your own government to report a hack, it is important to be the leader in your industry and choose transparency if you are breached. If you share what you experienced, why you were vulnerable, and what you learned from the incident, we are collectively more likely to strengthen our defenses. After all, the response to a data breach can make or break a company’s reputation, and those who respond transparently are more likely to be treated kindly by regulators and consumers.
Confrontation was always seen as an essential weapon for campaigners, but a new era of cooperation is proving equally effective. With the right approach, everyone can be a winner. ...
Audio available
Scenario planning is more valuable than ever – but what is it and how can executives implement it effectively? Peter Schwartz, author of the highly influential book The Art of the Long...
Søren Toft, CEO of MSC Mediterranean Shipping Company, makes the case for respecting the legacy of a family-owned business when taking the helm....
The diversification of actors and a widening of issues challenges the traditional model of diplomacy. A convergence of skills is needed from the public and private sectors to facilitate engagement between states,...
Audio availableYou have 4 of 5 articles left to read.