Are Companies Not Paying Enough Attention to Cybersecurity? - Through the GRC Lens, April 2021
IT Risk & Cyber Risk | 4 Min Read | 11 May 21 | by Shampa Mani
It feels like we have suddenly fallen into a rabbit hole of cyberattacks. From the SolarWinds attack to the resurfacing of Facebook's old leak to the LinkedIn hack, and more, 2021 has so far been immensely challenging for cybersecurity officials, leaving a single item at the top of their priority list: cyber resilience, meaning broader protection, detection, and response measures that future-proof their cyberattack mitigation strategies.
The data breach crisis escalated last year, with more records compromised in just 12 months than in the previous 15 years combined, Canalys reported in a special report, 'Now and Next for the cybersecurity industry'. It added that cybersecurity must be front and center of digital plans; otherwise there will be a mass extinction of organizations, which will threaten the post-COVID-19 economic recovery.
Nor is the bad news confined to last year: 2021 has brought a fresh set of unfortunate figures. Beaming's analysis of commercial internet traffic found that UK businesses each encountered 172,079 cyberattacks on average between January and March 2021, the equivalent of 1,912 per day, reported Information Age.
And although the number of attacks appears to be rising, a new report from Audit Analytics, "Trends in Cybersecurity Breach Disclosures," revealed that cyber breach disclosures fell in 2020 for the first time in five years. "It would not be surprising to learn of additional attacks that occurred throughout 2020 that remain undisclosed," Audit Analytics said.
After that report, Booking.com was fined €475,000 for failing to report a serious data breach that happened in 2018. The Dutch Data Protection Authority imposed the fine after calling the incident a "serious violation" of the EU's data protection regulation. The authority's vice president, Monique Verdier, said in a statement: "This is a serious violation. A data breach can unfortunately happen anywhere, even if you have taken good precautions…But to prevent damage to your customers and the recurrence of such a data breach, you have to report this in time."
According to Compliance Week, "The costliest cyber-security breaches aren't necessarily those that result in the largest loss of records as much as the type of data stolen." But the cost of negligence and non-compliance does seem to keep rising. The world's top brands across sectors could lose between $93 billion and $223 billion because of a data breach, a first-of-its-kind study by Interbrand and Infosys, called 'Invisible Tech, Real Impact', has found. Following that report, the Australian Prudential Regulation Authority imposed a $500m capital buffer on Macquarie after 'multiple breaches'.
More recently, Gartner released its Emerging Risks Monitor Report, which identified cybersecurity control failures as the top emerging risk in 1Q21 in a global poll of 165 senior executives across functions and geographies. Cybersecurity control failures also ranked third overall in "risk velocity," an additional metric that Gartner tracks in the Emerging Risks Monitor Report.
Current research estimates that businesses will spend $106 billion on cybersecurity this year alone, a direct result of a 300% increase in cybercrimes reported to the FBI since COVID-19 started, said Suzy Greenberg, Vice President of Intel Product Assurance and Security at Intel, in conversation with Forbes.
The Need of the Hour
Security and risk management leaders must address eight top trends to enable rapid reinvention in their organizations, said Gartner, Inc.:
- Cybersecurity Mesh
- Identity-First Security
- Security Support for Remote Work
- Cyber-Savvy Board of Directors
- Security Vendor Consolidation
- Privacy-Enhancing Computation
- Breach and Attack Simulation
- Managing Machine Identities
Gartner added that by 2025, 40% of boards of directors will have a dedicated cybersecurity committee overseen by a qualified board member, up from less than 10% today.
While talking to Strategic Risk Europe about the art of the con, cyber security strategist Eddie Doyle said, “Threat actors are always going to be out there, so creating technologies to stop them is necessary…We’re already starting to see the future, which is all about blockchain and artificial intelligence…but today, what we can do is make sure that every employee is identified within our system, and that the remote access control is unique to each and every person. You need massive granularity on a system so you can see where users go, what they’re doing, and what things they’re trying to touch and not trying to touch.”
The World Economic Forum (WEF) recently published a report in collaboration with the National Association of Corporate Directors (NACD), the Internet Security Alliance (ISA), and PwC. The report listed six consensus principles for cybersecurity board governance:
- Cybersecurity is a strategic business enabler
- Understand the economic drivers and impact of cyber risk
- Align cyber risk management with business needs
- Ensure organizational design supports cybersecurity
- Incorporate cybersecurity expertise into board governance
- Encourage systemic resilience and collaboration
Gaurav Kapoor, Co-Founder and Chief Operating Officer at MetricStream, called for a collaborative effort between organizations and regulators to ensure operational resilience in these unprecedented times. "Due to remote working and rapid digitization, the years 2019 and 2020 witnessed the highest number of cybersecurity breaches, financial frauds and third-party risks," Gaurav said. "It is now critical for companies, especially banks and financial services institutions, and regulators to work together to create the conditions where companies take advantage of business growth opportunities and accelerate digital transformation while remaining operationally resilient throughout."