The digital age has transformed virtually all aspects of everyday life. As more data moves online, digital data becomes more pervasive. With the rise of the Internet of Things (IoT), cloud migration and the extensive use of mobile applications, the cost of a data breach will increase.
Businesses are expected to be more 'inter-connected'. Employees and business partners demand access to corporate networks through the same mobile devices they use in their personal lives, and while smartphones and tablets increase connectivity, they also introduce new types of security threats. To reinforce ties to customers and supply chains, businesses are encouraging vendors and customers to join their networks.
Malicious actors are more sophisticated, and with the upsurge in the IoT the rise of more threats is imminent. Political hacktivists, cybercrime organisations and state-sponsored groups have become technologically advanced, in such a way that they are overtaking the skills and resources of corporate security teams. Malware has become more persistent, more difficult to trace and often customised to steal data that can be used for financial gain.
Developing a new business-driven cyber security model
Defending a business's technological assets from malicious damage and inappropriate use requires smart methods for controlling how employees, customers and partners access corporate applications and data. Insufficient precautions will result in the loss of critical data; however, overly rigorous controls can get in the way of business operations or have other adverse effects.
For many businesses, cyber security has been treated primarily as a technology issue, and many senior corporate leaders have too little understanding of the IT security risks and their business implications to discuss the trade-offs between investment, risk and user behaviour.
However, taking a purely technical approach to solving the problem can have a negative effect on businesses by too tightly constraining how partners, suppliers, customers and employees interact with applications, data and physical infrastructure. There are seven steps to move toward a business-driven cyber security model:
- Executive-level involvement – business and technology perspectives
- Classifying data risk across the enterprise and the entire value chain
- Identifying business processes and process participants accessing sensitive data
- Determining which applications have access to what data
- Balancing security effort, expense and impact on the business against the data risk profile
- Developing a comprehensive security model
- Education and awareness
Businesses will have to reverse their thinking to address cyber-risks: protect the most critical business assets or processes first, rather than starting with technological vulnerabilities. Businesses have started to evaluate their cyber-risk profile across the full value chain, clarifying expectations with vendors and enhancing collaboration with key business partners.
Addressing rapidly evolving business needs and threats by invigorating cyber security strategies
It's no longer a matter of if a successful cyber-attack will happen, but when. Having the capability to detect and then outpace the attack itself can level the playing field for organisations experiencing a skills shortage. Currently, there are many flaws in the academic model, and the industry is frankly bad at selling itself and at inspiring the next generation by showing that cyber security can be a stimulating and financially rewarding career.
In addition, training has over the past decade become almost exclusively product-focused, with vendor 'academies' teaching individuals about specific product sets rather than security framework requirements, a move that has further weakened the depth of expertise offered by any one individual. The only way businesses will be able to address the huge demand for cyber security skills is to take control and invest.
Continuous education on awareness is vital, as new digital assets and new mechanisms for accessing them mean new types of attacks. Many businesses are conducting simulated cyber-attacks to identify unexpected vulnerabilities and to develop organisational policies for managing breaches, as well as turning to educational providers for in-demand secure coding and penetration testing training.
However, cybercriminals are getting smarter at creating greater threats which can operate autonomously. It is predicted that malware will be designed with adaptive, success-based learning to ensure the efficacy of attacks, meaning the next generation of malware will use code which is a forerunner to artificial intelligence (AI), including more complex decision-making trees. This new breed of autonomous malware works much in the same way as branch prediction technology.
What should senior executives do to ensure that cyber security is sufficiently addressed?
Many businesses have a misalignment between their risk exposure and their security strategies and investments, leaving them unprepared to stop data breaches because those investments are not aimed at the primary threats they face. A study found that 60% of CEOs expect to invest the most in protecting against malware, rather than in identity security solutions that protect against privileged access abuse and stolen passwords. These misinformed investment decisions pose a significant risk to organisations.
Cyber security should be a constant item on the agenda of senior management. To stay ahead of the threats, executives must engage in an ongoing discussion to ensure their strategy continually evolves and makes the appropriate trade-offs between business opportunity and risk. Communication should start with several critical questions, which include:
- Who is accountable for maintaining a cross-functional approach to cyber security?
- Which assets are most critical, and in the event of a breach what is the value at stake?
- What roles do cyber security and trust play in our customer value proposition?
- How are we using people, technology and processes to protect critical information assets?
- How are we adapting business processes as technology evolves?
- How are we managing vendor and partner relationships to ensure mutual protection?
- How are we working with appropriate government entities to reduce cyber security threats?
The cyber security challenge will only increase as more value migrates online and corporations adopt more innovative ways of interacting with customers and other partners. Companies need to make this a broad management initiative, led by senior leaders, to protect critical information assets without placing constraints on business innovation and growth.
Visit cyber.qa.com for more information on how QA can help solve the cyber security skills gap.
James Aguilan currently works as a Cybersecurity Researcher. He has provided upskilling and development to government agencies, national critical infrastructures and large corporations through simulated cyber-attacks and forensic investigation workshops. In the past, James worked as a Data Consultant, where he advised high-profile clients on how to handle their data in a civil litigation or criminal investigation. Notably, this includes the largest merger between two US powerhouse conglomerates, a deal worth $87 billion. Additionally, he has served as a Cybersecurity Consultant, responding to incidents and performing full forensic investigations. James holds a first-class honours degree in Computer Forensics and is actively working towards a Masters in Network Security and Penetration Testing.