Protect and survive: Act now on cybersecurity

Published 22 September 2022 in Magazine • 5 min read

Experts from the public and private sector – including CEOs, board members and government officials – are gathered in Lausanne for the Financial Times’ Cyber Resilience Summit, where strategies for overcoming new threats will be in focus. With the volume and sophistication of cyberattacks growing enormously, Öykü Işik, head of IMD’s Cybersecurity Risk and Strategy program, shares tips on how organizations can proactively get ahead to turn the tide.

For busy chief executives and board members, the lexicon of cybersecurity has in the past two years become increasingly littered with catchy names and a rich acronym soup that together describe the latest attacks by criminal hackers, and their tactics. In 2020, we had Sunburst, describing the massive breach of US company SolarWinds’ software, allegedly by nation-state actors, to steal US government data. Then, in 2021, we read about DarkSide, the suspected Russia-based perpetrator of a huge hack that knocked the US Colonial Pipeline offline for three days. And we increasingly hear about tactics such as RaaS (Ransomware-as-a-Service) and BGH (big game hunting).

All of this can seem somewhat impenetrable, not to mention darkly mysterious, to those outside specialist circles. Yet behind the language lies a very clear reality: as the scale of cyber-risks in 2022 has unfolded, the volume and ambition of attacks show no sign of abating. This is a symptom of an evolving perfect storm that leaders need to understand and deal with urgently. The real-life experience of some chief executives speaks volumes. Nicolai Tangen, CEO of Norway’s sovereign wealth fund, Norges Bank Investment Management, revealed in August that the fund was experiencing an average of three “serious” cyberattacks daily. “We’re seeing many more attempts, more attacks [that are] increasingly sophisticated,” he told the Financial Times.


As organizations try to ramp up their protective layers, cybercriminals are adapting to some of the defensive tactics that are being deployed. CrowdStrike, a US-based cybersecurity company, said in its 2022 Threat Report that, despite new approaches taken by law enforcement, it observed an 82% increase in ransomware-related data leaks in 2021 compared with the previous year.

The context for these developments is clear: the drive to digitally transform. In addition, there’s the increasing technical complexity of systems we depend on, combined with a jumble of legacy systems that present their own risks and vulnerabilities.

Crucially, as organizations leverage new technologies for their transformation – such as artificial intelligence, blockchain, and cloud computing – so do the cybercriminals. And cybercrime is big business. A data breach is a business transaction, so it should not surprise us that criminal gangs are not only better organized, but deploy business plans too.

So, what does this all mean? First of all, we need to recognize that we are swimming against the tide and so must get determinedly creative. Doing so will involve realizing that it’s not enough simply to protect your own perimeter if your partners or stakeholders are vulnerable.

But I believe it is also time to go further, and work together to ensure that a minimum level of cyber hygiene is achieved globally. We need to start collaborating, stop sweeping breaches under the carpet, and remove the stigma associated with discussing them.

Many organizations still do not map the value enabled by their cybersecurity initiatives, viewing cyber as a cost center instead of business enabler. We also need to enable open discussions, learn from our mistakes, and learn from the mistakes of others. Only that way can we start to push back against the tide.


For organizations looking to get ahead and build cyber resilience into their workforce and operations, here are three tips to help fortify your cyber defenses:

1. Hire ethical hackers

Some of the most proactive organizations are hiring ‘ethical hackers’ who use the latest hacking techniques of malicious actors to try to identify potential security weak spots that cybercriminals could exploit. They typically take a more holistic approach than your organization’s own penetration testers, testing not only your firm’s technical systems but also seeking to uncover all security vulnerabilities before the hackers do – from your company’s receptionist to outdated legacy IT infrastructure.

2. Measure the effectiveness of your cybersecurity training

There is widespread awareness that an organization’s employees can be both its weakest link and its strongest line of defense. Almost every company has implemented cybersecurity training for staff, but the effectiveness of some of these programs remains questionable. Recently, Uber announced it was investigating a cybersecurity incident following reports that a hacker allegedly gained control of its internal systems after compromising the Slack account of an employee. Companies should view cybersecurity training as more than just a box-ticking exercise, and instead take a critical look at whether these programs are changing employee behavior. One way to do this is to carry out staged phishing tests that gauge the alertness of employees to cyberattacks during a typical working day. Companies should also define key performance indicators (KPIs) that can be tracked over time as signs of progress towards a pro-security culture. These could include levels of unauthorized access, sharing information with external actors, and requests for password help, among others.
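The following Python script is an added example, not code from the article or from IMD, showing what tracking these KPIs over time can look like in practice. It assumes a simple record layout (campaign name, employee id, whether the simulated phishing link was clicked, whether the email was reported to security) and a per-quarter count of password-help tickets; all field names and sample values are constructed for illustration. Beyond the per-campaign click rate, it also surfaces repeat clickers, a group that a falling average can hide, and combines three indicators before concluding that behavior is actually changing.

```python
"""KPI computation over constructed phishing-simulation and help-desk records.

Added example, not from the article or IMD: the record layout, field names and
sample values below are assumptions constructed for illustration.
"""
from collections import defaultdict

# Constructed sample data: one row per simulated phishing email sent.
# (campaign, employee_id, clicked_link, reported_to_security)
PHISHING_RESULTS = [
    ("2022-Q1", "e001", True, False),
    ("2022-Q1", "e002", True, False),
    ("2022-Q1", "e003", False, False),
    ("2022-Q1", "e004", False, True),
    ("2022-Q1", "e005", True, False),
    ("2022-Q2", "e001", True, False),
    ("2022-Q2", "e002", False, True),
    ("2022-Q2", "e003", False, True),
    ("2022-Q2", "e004", False, True),
    ("2022-Q2", "e005", False, False),
    ("2022-Q3", "e001", True, False),
    ("2022-Q3", "e002", False, True),
    ("2022-Q3", "e003", False, True),
    ("2022-Q3", "e004", False, True),
    ("2022-Q3", "e005", False, True),
]

# Constructed sample data: password-help tickets raised with the help desk per quarter.
PASSWORD_HELP_TICKETS = {"2022-Q1": 40, "2022-Q2": 31, "2022-Q3": 22}


def campaign_kpis(results):
    """Per-campaign click rate and report rate, as fractions of emails sent."""
    sent = defaultdict(int)
    clicked = defaultdict(int)
    reported = defaultdict(int)
    for campaign, _emp, did_click, did_report in results:
        sent[campaign] += 1
        clicked[campaign] += int(did_click)
        reported[campaign] += int(did_report)
    return {
        c: {"sent": sent[c],
            "click_rate": clicked[c] / sent[c],
            "report_rate": reported[c] / sent[c]}
        for c in sorted(sent)
    }


def repeat_clickers(results, min_campaigns=2):
    """Employees who clicked in at least `min_campaigns` distinct campaigns.

    A shrinking overall click rate can hide a small group that keeps clicking;
    that group is where targeted coaching, rather than another generic module,
    pays off.
    """
    campaigns_clicked = defaultdict(set)
    for campaign, emp, did_click, _ in results:
        if did_click:
            campaigns_clicked[emp].add(campaign)
    return sorted(e for e, cs in campaigns_clicked.items() if len(cs) >= min_campaigns)


def behaviour_is_improving(results, tickets):
    """True only when, between the first and last campaign, the click rate
    falls, the report rate rises AND password-help tickets fall.

    Any one metric alone is a weak signal; requiring all three is the
    'critical look' at whether training changes behavior.
    """
    kpis = campaign_kpis(results)
    first, last = min(kpis), max(kpis)  # campaign names sort chronologically
    return (kpis[last]["click_rate"] < kpis[first]["click_rate"]
            and kpis[last]["report_rate"] > kpis[first]["report_rate"]
            and tickets[last] < tickets[first])


if __name__ == "__main__":
    for campaign, k in campaign_kpis(PHISHING_RESULTS).items():
        print(f"{campaign}: sent={k['sent']} "
              f"click={k['click_rate']:.0%} report={k['report_rate']:.0%}")
    print("repeat clickers:", repeat_clickers(PHISHING_RESULTS))
    print("improving:", behaviour_is_improving(PHISHING_RESULTS, PASSWORD_HELP_TICKETS))
```

The other KPIs the text names (unauthorized-access events, information shared with external parties) can be fed in the same way as the ticket counts; the point of the combined check is that a single improving number, such as a lower click rate, is not by itself evidence that the training is working.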

3. Be proactive in communicating what you learned from your cyber breach

Earlier this year, US President Joe Biden signed the Cyber Incident Reporting for Critical Infrastructure Act into law, which requires prompt, consistent, and mandatory reporting of cyber breaches. Even if there is no pressure from your own government to report a hack, it is important to be the leader in your industry and choose transparency if you are breached. If you share what you experienced, why you were vulnerable, and what you learned from the incident, we are collectively more likely to strengthen our defenses. After all, the response to a data breach can make or break a company’s reputation, and those who respond transparently are more likely to be treated kindly by regulators and consumers.

Öykü Işık

Professor of Digital Strategy and Cybersecurity at IMD

Öykü Işık is Professor of Digital Strategy and Cybersecurity at IMD, where she leads the Cybersecurity Risk and Strategy program. She is an expert on digital resilience and the ways in which disruptive technologies challenge our society and organizations. Named on the Thinkers50 Radar 2022 list of up-and-coming global thought leaders, she helps businesses to tackle cybersecurity, data privacy, and digital ethics challenges, and enables CEOs and other executives to understand these issues.
