Cybersecurity has fast become a major source of anxiety to businesses worldwide and is now second only to the chaos caused by the pandemic.
That’s according to the most recent PwC Global CEO Survey, in which nearly half of CEOs cited cyber as the biggest anxiety in 2021, up from just 33% last year. And among CEOs in North America and Western Europe, it is the top business threat, and therefore the number-one priority for CEOs in North America (69%), Western Europe (44%), the Middle East (41%) and Asia (40%).
And there’s good reason for such concern, given the increase in high-visibility cyberattacks that have occurred since the onset of the pandemic, including 2020’s most significant – SolarWinds, with hacking of the US IT firm leaving its clients including the US government and Microsoft vulnerable for nine months.
There were many others though in 2020. In March, a major security breach with Marriott International led to the data of more than 5.2 million guests being compromised. In May, healthcare insurance giant Magellan suffered a ransomware attack with up to 365,000 patients impacted. And in July, someone took control of 130 high-profile Twitter accounts (Apple, Elon Musk, Barack Obama) and conned people into sending Bitcoin to an account.
Even as this is being written, “Acer, ironically a tech company, has just been hit by ransomware with the criminals demanding US$50 million”, Ira Winkler, CISO of Skyline Technology Solutions, and one of the world’s most influential security professionals, tells me.
Cyberattacks happen all the time, and more frequently, and they cause tremendous damage, says Winkler, pointing to the Wannacry virus where organisations around the world suffered crippling outages. Many incidents have been serious enough to lead “to the firing of CEOs”, he adds.
And while organisations “which are completely IT-based, like banks, have more dependence on cybersecurity”, all types and sizes of organisations can be at risk. “If you’re a small business and you cannot service your clients without computers, which these days includes everyone from restaurants to retail stores, you need to be concerned,” warns Winkler.
The statistics are scarier still. Since the onset of the pandemic, the FBI has reported that the number of complaints about cyberattacks to its Cyber Division is up as many as 4,000 a day, a 400% increase since the COVID-19 outbreak; Interpol is seeing an “alarming rate of cyberattacks aimed at major corporations, governments, and critical infrastructure”; and according to VMware Carbon Black’s latest Modern Bank Heists report, there has been a 118% surge in cyberattacks against banks since 2020.
It’s the sort of numbers that keep banking CEOs awake at night. Like Uday Kotak, CEO of India-based Kotak Mahindra Bank, who cites cybersecurity as the company’s greatest business threat. Having “witnessed increased fraud in the banking system” during the pandemic, Kotak explains that it is the threat of a cyberattack and “the thought of losing my customers’ money to theft that keeps me up at night”.
Because as Kotak explains, “while COVID has brought about a significant increase in digital adoption and transactions, it has also increased the risk associated with digital”.
And with the shift to remote/hybrid working, the risks have been greater still, with many remote workers using insecure data transmission channels to transmit organisational data and organisations lacking in effective enterprise-grade firewalls, antivirus solutions and network security solutions.
Kralanx Cyber Security CEO, Jean-Michel Azzopardi, explains that “information security has broached the frontline” due to the majority of employees now working remotely and this has therefore heavily increased “an enterprise’s risk and reliability on information security as a whole”.
In her first speech since taking the helm of the UK cybersecurity agency, the National Cyber Security Centre (NCSC) in March 2021, CEO Lindy Cameron warned against company complacency, saying that as “our reliance on technology grows, it sadly also presents opportunities for those who want to do us harm online”.
Businesses not taking cybersecurity seriously
And while our reliance on digital has become much greater, and companies are forging ahead with speedy digital transformations, according to Cameron, cybersecurity is still not taken as seriously as it should be.
And PwC’s research backs this up. While nearly half of CEOs are planning increases of 10% or more in their long-term investment in digital transformation, little is being put into cybersecurity technology. So, despite the level of concerns CEOs registered about cyberattacks, just under half of those planning for heightened digital investment are also planning to boost their spending on cybersecurity and data privacy by 10% or more.
This is not a surprise for Azzopardi, who says that cyber security generally falls quite low on most businesses’ priority list due to the fact that there’s “no quantifiable value generation from direct investment”. And despite the very real urgency, that priority is lower still now due to competing business priorities. “Unfortunately, with many companies cannibalising marketing budgets in order to retain employees, InfoSec has taken a back seat for the most part.”
Winkler says he is currently seeing businesses tactically implement security. “They are doing what is obviously required, such as work from home security, but for many companies, they need a strategic rearchitecting of their security, which just isn’t happening as much.”
Cybersecurity, says Cameron, should be viewed with the same importance to CEOs as finance and legal and “our CEOs should be as close to their CISO as their finance director and general counsel”.
Though the stats suggest this simply isn’t happening. In the financial sector, for example, the majority (75%) of CISOs still report to the CIO rather than the CEO, according to VMWare’s Bank Heist report.
Azzopardi agrees, telling Business Chief that while the CISO has certainly become more important than it was previously, it’s still not as important as it should be. “Most CISOs spend their time touting the importance of what it is they do, and the reality is that most advice offered by CISOs falls on deaf ears until there is actually a breach. They are the most under-appreciated, and probably the most stressed of the C-suite.”
That’s assuming of course an organisation can find a CISO. According to Gartner’s Research VP Peter Firstbrook, “80% of organisations tell us they have a hard time finding and hiring security professionals, and 71% say it’s impacting their ability to deliver security projects within their organisations”.
Most common mistakes businesses make
Not prioritising the CISO role is just one of many mistakes that businesses are making today. According to Winkler, businesses generally don’t focus enough on the basics and often focus too much on the obvious when what is actually needed is for firms “to focus on the underlying architecture”.
He points not to a specific cyberattack, like ransomware or phishing, as major threats to businesses in the security landscape, but “enterprise ignorance”, along with a company’s lack of applying basic security protection. And this, Winkler explains, can lead to big incidents.
“The reality is that the basics matter, we call it cyber hygiene, so while everyone loves to talk about the hype of advanced attacks, it’s the simple things that are usually exploited to create the major incidents. Small businesses are dealing more with end user related issues and have to work on PC security and good passwords, while large companies have to worry about infrastructure concerns.”
According to Azzopardi, one of the key mistakes that businesses make is believing that a hack can be detected instantly. The reality is that most companies take on average of six months to detect a data breach, even a major one, as the SolarWinds incident proved. Information such as passwords, credit card details and social security numbers may already be compromised by the time a company is notified.
Azzopardi also explains how businesses, big and small, simply don’t attribute enough importance to the human element. That’s despite the fact that 95% of cybersecurity breaches are caused by human error.
“The main point of attack is, and will probably always be, the human element. It’s way easier to fool a human than it is to brute force login credentials,” explains Azzopardi. “The main issue with phishing is that it’s almost impossible to use technology in order to prevent it, instead security awareness training is perhaps our best tool and since we rely on humans to execute such a task, we must assume a significant rate of failure. It is our imperfection after all that makes us human.”
So, what should businesses prioritise in 2021 and beyond? Azzopardi points to the basics such as antivirus, antimalware, password managers and revoking of admin rights as organisational musts. “Throw in mandatory VPN access, regular training and exercises such as BCP testing and your organisation would already be much better prepared than most,” he says.
He also says that API security is right up there with companies forced to make certain APIs public. As such, a priority for security teams is to “design a robust and effective API testing strategy that doesn’t impede development too much while balancing security”.
Finally, he predicts that ransomware will continue to rise, and that cryptojacking will explode. “This is basically the process of creating a bot-net which unknowingly mines crypto for a single wallet. This can be delivered via phishing quite effectively and you will never know it’s even there.”