Cyberspace has become an increasingly attractive hunting ground for criminals, activists and terrorists. The technical capabilities and influence of cybercriminals are now equal to those of many governments and organizations. In the next few years, these capabilities will extend far beyond those of their victims. As a result, the ability of current control mechanisms to protect organizations is likely to diminish, exposing them to greater impact.
Today, organizations must be prepared for the unpredictable so they have the resilience to withstand unforeseen, high-impact events. In 2014, the global cost of cybercrime was estimated at more than $400 billion, a figure which is approximately the same as that of other, more established criminal activities. This makes cybercrime a profitable business.
Cybercrime, the increase in hacktivism, the rising cost of compliance to deal with the uptick in regulatory requirements, and the relentless advances in technology, all against a backdrop of underinvestment in security departments, can combine to cause the perfect storm. Moving forward, if the C-Suite doesn’t understand cyberspace, they will either take on more risk than they would knowingly accept, or miss opportunities to further their strategic business objectives such as increasing customer engagement or market leadership. These organizations are more likely to suffer embarrassing incidents, and when they do, they will suffer greater and longer-lasting impact.
Cyber Security is No Longer Enough
No business is immune to a cyber-attack. But there are ways to better protect your organization from future incidents.
Today, risk management largely focuses on achieving security through the management and control of known risks. The rapid evolution of opportunities and risks in cyberspace is outpacing this approach, and it no longer provides the required protection. Organizations must extend risk management to include risk resilience, in order to manage, respond to and mitigate any damaging impacts of cyberspace activity.
Cyber resilience anticipates a degree of uncertainty: it’s difficult to undertake completely comprehensive risk assessments about participation in cyberspace. Cyber resilience also recognizes the challenges in keeping pace with, or anticipating, the increasingly sophisticated threats from malspace. It encompasses the need for a prepared and comprehensive rapid-response capability, as organizations will be subject to cyber-attacks regardless of their best efforts to protect themselves.
Above all, cyber resilience is about safeguarding the sustainability and success of an organization, even when it has been subjected to the almost inevitable attack.
Data breaches have become a regular feature of modern life. This will continue as long as efficiency and ease of data access trump security, a state of affairs which makes economic sense for many organizations, that is, until they suffer a breach of their own. Once a breach happens, the value of security as a business enabler becomes clearer. Prevention and detection will evolve, but will continue to rely on technical and intelligence-based solutions. This will involve a discrete number of stakeholders and departments who implement the basics and thereby manage the majority of information risk.
At a time when data breaches are becoming far too common, organizations that produce an imaginative and credible response will have a comparative advantage over those that are slow and confused, and this will translate to tangible business value. By adopting a realistic, broad-based, collaborative approach to cyber security and resilience, government departments, regulators, senior business managers and information security professionals will be better able to understand the true nature of today’s increasing cyber threats and respond appropriately.
About the Author
Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber security, BYOD, the cloud, and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner.