The COVID-19 pandemic has in many ways unleashed a new set of complexities and accelerated existing challenges for organisations globally. In this blog, I explore four cyber security trends leaders should bear in mind when managing cyber risk.
Expanding cyber attack surfaces and the new security perimeter
As we have all witnessed, the pandemic has forced organisations to react quickly and accelerate adoption of new technologies and ways of working, implementing digital projects at record speed. It has been estimated that digital transformation has advanced by up to seven years.
As a result, corporate IT systems have grown in complexity and data has become richer, offering an expanded and more enticing “attack surface” for cyber criminals.
With the rapid shift to multi-cloud environments, the rise in adoption of the internet of everything, in addition to the shift to remote and hybrid work models, organisations have had to quickly adapt their security programs to ensure they secure new forms of emerging technology.
The security perimeter is no longer confined to a company’s network. In a cloud native world, identity is the new perimeter, which brings about new ways of thinking and measures to manage risk.
Exponential growth in cyber adversary capability
This new landscape has generated a surge of sophisticated cyber attacks which is backed by increased adversary motivation and capability. As organisations have adopted digitisation at breakneck speed, cyber criminals have seized the global crisis to ramp up their attacks at a pace and complexity faster than ever seen before with a rise in attacks across all sectors.
From ransomware attacks through to third-party supply chain breaches such as the well documented SolarWinds incident, cyber attacks have reached a new level of sophistication, ranging from international espionage to mega breaches of personal information to large-scale internet disruption.
These large-scale mega attacks have sparked a need for integrated and unified security controls, such as ITC’s integrated delivery model, that take into account the exposure of an organisations networks, virtualised data centres, cloud environments, endpoint devices and identity.
Investment in contemporary security controls can reduce the cost of a data breach
The average cost of a data breach hit a record high during the pandemic. According to a recent study, the average cost of a data breach has now reached $4.24 million in comparison to $3.86 million in the previous year. In addition to financial loss, reputational damage includes the loss of customer and employee trust, these are only two of the many non-financial factors companies have to consider when suffering a data breach.
Furthermore, the study showed that by implementing contemporary security controls such as zero trust and security orchestration and response (SOAR), the likelihood of a breach or time to detection is reduced, which ultimately modifies risk and associated impacts.
Whilst just 35% of organisations had implemented a zero-trust security approach to address the new security perimeter, those in the mature stage of their zero-trust deployment had an average breach cost that was $1.76 million less than organisations without this contemporary control.
The rising need to shift from prevention to detection and response
It is estimated that in 2021, it took an average of 212 days for businesses to identify a breach and an average of 75 days to contain it, with a total lifecycle of 287 days – an entire week longer in comparison to the previous year.
This extended dwell time plays right into the hands of adversaries who have gained a foothold within an organisation’s IT infrastructure and allows them to watch and wait before exfiltrating data or executing ransomware etc.
Security never sleeps and nor do adversaries, it calls for always-on 24x7x365 protection, coupled with the right blend of people, technology, governance and culture which can be a challenge for many organisations from both a resourcing and expertise point of view.
Additionally, prevention – a long favoured method to stopping cyber criminals – is no longer enough. Cyber security strategies needs to be formulated with the idea that a breach is inevitable and preventative controls must be developed in combination with detection and response controls.
This is also something that needs to be addressed at a board level by setting the expectation that investments spent wisely can modify risk to within stakeholder appetite levels but not completely eliminate it.
A risk-based approach to managing the perfect storm in cyber space
What is clear from these trends is the importance for leaders to take a proactive approach to their cyber security strategy. As cyber threats rapidly proliferate and continue to increase in complexity, legacy approaches to cyber security will no longer suffice.
At ITC, we believe that by taking an advisory-led, risk-based approach to cyber security, businesses will be able to take the maturity of their cyber security practices from a state of reactive, to proactive … and to even predictive.
As the saying goes, “Security is always excessive, until it is not enough”. With a well balanced approach that considers business risk, asset value and even security fatigue, security programs and controls can be designed to not just manage risk, but also unleash new opportunities that were otherwise inaccessible.