There’s no doubt that living in an age of digitization and rapid digital transformation – where factory floors can run autonomously and buildings within a city are able to interact with one another – is filled with the promise of opportunities and possibilities.
However, with an estimated 2 million cyberattacks in 2018, resulting in over $45 billion worth of losses, we know, perhaps all too well, that there is a dark side to our hyper-connected world. Indeed, coupled with reputational damage and the risk of falling foul of an increasingly strict regulatory landscape, that dark side can easily result in the crippling loss of a business and livelihood.
With this in mind, it’s no wonder that there has been a rise in the demand for cybersecurity frameworks as businesses, more so now than ever before, take precautions against cyber and data security risks, as well as to ensure compliance.
Organizations are learning that security needs to be preemptive – not reactive – and that recovery plans and relevant insurances need to be put in place before a breach, if the worst-case scenarios are to be mitigated.
That said, according to Ecosystm’s ongoing cybersecurity study, less than 30% of enterprises in Asia consider themselves to have mature security systems in place. The rest believe their measures are immature at best, and non-existent at worst. In fact, even those deemed mature admit to lacking in several areas.
It’s clear that there remain some significant, if not dangerous, gaps in businesses’ cyber defenses. So, where are we falling down?
Dedicated resourcing
It’s understandable that the size of an organization’s cybersecurity team will be dependent on the size of the organization itself. However, while larger firms with deeper pockets are able to fund, staff and equip fully-fledged security teams, smaller businesses often turn to employees (or even directors) with no IT experience to handle cybersecurity as a secondary portfolio, treating it as an administrative task. This immediately opens them up to increased risk.
Whether cybersecurity is introduced as a core responsibility for an existing employee, or better yet, businesses create a new cybersecurity role, we must not underestimate the importance of dedicated resources to ensure checks are being conducted frequently and rigorously.
Data classification
Next is understanding the value of the data in a business’ possession and its relative importance in and outside the network – what may first appear valuable to the business may not be the case to others (i.e. hackers). The reverse, notably, is also true.
Consider, for example, statistical data on home locations and when energy is being consumed. For a power company, this may be nothing more than a tool to determine billing for the month. But to a hacker, this information can be compiled and sold on to criminal groups, enabling would-be burglars to predict when homes are most likely to be unoccupied.
This valuation of data is further reflected in the way organizations grant access to their data repositories. According to the same Ecosystm study, three quarters of businesses still use ‘complex passwords’ as their primary means of data access control. Only half had implemented any form of Multi-Factor Authentication (MFA).
Cloud risk
The ownership of data is also a factor to be taken into consideration. Businesses should remember that even if data is outsourced to a cloud partner, the responsibility for its safety and security remains with the business as well as the vendor. The responsibility and inherent risk have not been passed on – you own the data no matter where it resides.
This means that if the cloud provider were to get hacked and the business’ data was leaked for whatever reason, it is the business that will be held accountable. It’s also worth checking the SLAs with your providers to determine the limits to what kind of legal action can be taken against them.
As such, businesses should carefully consider and analyze the risk in their data supply chain – if you’re on your own when a breach happens, you want to ensure your partners have done everything within their power to mitigate the situation.
Breach management
Sadly, the reality is that data breaches are an all too common occurrence. In fact, Ecosystm’s study suggests almost 75% of all respondents who were yet to experience a breach believe it’s an inevitability. This is no surprise when we consider the spate of recent victims across the region, including the likes of the Ministry of Health in Singapore, Sephora across Asia Pacific, and Toyota in Vietnam and Thailand, to name but a few.
It’s therefore vital that organizations have a plan of action in place when crisis looms to minimize remediation costs, as well as impacts on share price and long-term reputational damage. This includes having clear, designated roles for efficient and effective escalation, a thorough understanding of which authorities need to be notified of the breach, and a crisis communications plan which ensures the business is able to control its own narrative (instead of falling victim to the rumor mill and allowing misinformation to spread).
Insurance
Finally, if a breach is inevitable, then it only makes sense for businesses to have insurance in place. However, Ecosystm found that only 70% of mature companies, and only a third (33%) of evolving businesses, have taken out a policy – the rest don’t have any insurance in place at all.
What’s more, in many cases, the insurances purchased are not fit for purpose, limiting their effectiveness. Businesses should ensure they fully understand what coverage they require and work with brokers to have their specific needs addressed.
With the above in mind, let us consider where organizations should be spending in order to best bridge these gaps and make their budgets stretch.
Currently, most of the budget is spent on application security and network & infrastructure security – this is essentially the equivalent of putting up a fence around your data. In principle, not a bad idea – but it completely neglects what’s happening outside, as well as what happens when someone manages to scale the wall.
Moving forward, the prudent option would be to divert spending into more holistic security operations, which include the live monitoring of threats and identity management. Constant vigilance and oversight of what’s happening within the network, and an understanding of who has gained access to data and by what means, are necessary, as the advanced threats of today might have the ability to slip through the primary defenses.
Meanwhile, just as organizations are investing in their defenses, cybercriminals too are evolving. Generic attacks will slowly be phased out as attacks become more sophisticated and targeted towards individuals. Consider, for example, a scenario where an employee is asked to release funds based on an email from the “CEO” – how do employees identify the fake from the real?
With this in mind, it’s important that employees throughout an organization are trained in breach protocol, looking at possible breach attempts and their associated risks. It’s also a good idea to implement secondary approval processes for the release of funds.
Cybersecurity has transcended the realm of IT to weigh heavily on businesses as a whole – it therefore deserves adequate time, attention and resources to ensure that the fortress remains secure. There are many weaknesses in the security programs of today, but even a simple assessment and analysis of current gaps could go a long way towards businesses taking their measures from basic to mature. The time for action is now – because waiting for lightning to strike will only make the impact more devastating.