The state of cybersecurity is changing dramatically, and organizations are finding it challenging to stay on top of cyber threats. The world has reached a watershed moment due to several factors, including rapid digital transformation, cloud adoption, remote working and interconnected business ecosystems. Additionally, there has been a massive rise in cybercrime and nation-state-sponsored attacks due to the Russia-Ukraine war.
A New Perspective on Risk
Cybersecurity is no longer just an IT issue: IT is now both a strategic necessity for businesses and a significant source of risk. However, many companies are unprepared for this reality. Their cybersecurity budgets are not growing at the same rate as the threats they face, and cybersecurity initiatives are not keeping pace with digital transformation. A global study of 1200 C-level cybersecurity decision-makers across 14 industries and 16 countries found that these executives do not feel adequately prepared for the risks ahead.
From 2021 to 2022, the average number of attacks increased by 15.1%, while material breaches increased by 24.5%. The damage to a company’s reputation caused by those breaches can negatively affect customer trust, market share and capital costs. Unsurprisingly, cybersecurity is now a top management priority across industries given the significant increase in cyber-attacks, breaches and damage to corporate reputations. In 2023, it is widely expected that cyber-insurance coverage requirements will become tougher and require a more risk-based approach.
Organizations are increasingly vulnerable as bad actors step up their game with more power, complexity and a larger playing field, and it’s evident that cybersecurity requires new approaches. Here are five ways organizations can significantly reduce cyber risk in this environment:
- Prioritize Vulnerabilities to Minimize Risk: Prioritizing risk is crucial in minimizing it, especially considering organizational and global resource constraints. Risk can be ranked according to the importance of the systems it depends on or, for example, the types of risks to an organization’s specific sector. Since the number of vulnerabilities that scans reveal can be overwhelming, risk-based prioritization enables teams to focus on and address the exposures that matter, which is particularly impactful for smaller teams that are already overworked.
- Decisions About Cybersecurity Should be Based on Knowledge and Analytics: CISOs have typically balanced the worlds of business and technology, but their skill set has tended to be more technical. As an organization’s cybersecurity evangelist, CISOs must now have a broader business mindset, which requires approaching security risks from a business perspective. To do this, they require high-quality reporting and analytics data to convert doubt into certainty. CISOs can shift their viewpoint from “we think we have this many vulnerabilities so we’re trying to patch them all” to “we know we have this many vulnerabilities on business-critical systems and we have a prioritized plan to mitigate their risk” by using data. Data can show where the business is exposed, help the organization decide on a business strategy based on its potential risk and demonstrate the need for cybersecurity investments.
- To Mitigate Cyber Risk, Go Beyond Regulatory Compliance: Regulations continue to multiply in an attempt to address growing cyber threats. Meeting compliance requirements can help reduce new or industry-specific risks, but it is only part of the overall security picture. Applying the same rigor across non-regulated environments is crucial to properly address overall risk. Treating vulnerability assessment and prioritization as just as essential as security policy and compliance management prevents siloed mitigation. To truly understand the attack surface, security should be extended to field and OT environments so that the entire attack surface, including on-prem, OT, hybrid and multi-cloud networks, can be visualized and analyzed.
- Utilize Technology to Reduce Risk Proactively: Despite the value of people-centric security, there shouldn’t be an overreliance on end users as the first line of defense. Even though many businesses view a 5% ‘click rate’ as an acceptable benchmark for phishing assessments, all it takes is one email to compromise an entire business. Therefore, companies need to leverage technology to stop the delivery of these attacks rather than putting the burden on the end users and the efficacy of security awareness training.
- Calculate Risk Based on Business Impact: A risk-based approach to cybersecurity enhances the organization’s risk management strategy by quantifying the likelihood of an incident and the consequences it will have. This is similar to how an insurance firm would view risk because this information is then utilized to decide whether to reduce, accept or transfer the risk.
Thinking differently about cybersecurity doesn’t require abandoning everything you’ve learned. It entails changing your perspective on how you defend your organization. Thanks to solutions now available to share meaningful data, you can approach this new era of risk in a more informed way.