The internet is increasingly ubiquitous with more and more devices from watches to crockpots internet-enabled. In business, it’s even more so with almost everything living on the cloud. With all this connectivity comes increased risk, particularly for companies that have a hybrid or remote-working capability. With this increased connectivity comes the additional opportunity for cybercrime. How can businesses protect themselves?
What is cybersecurity?
Cybersecurity encompasses the processes, technology applications, controls and overall practice of protecting networks, servers, electronic systems and connected devices from online threats and attacks, says Aanand Venkatramanan, head of ETF EMEA at LGIM. “Cybersecurity is essential for numerous industries, as virtually all businesses now use connected tools from work phones and emails to decentralised data storage and online payment platforms.
“With individuals, private companies and public institutions all requiring protection from attacks, the global cybersecurity market reached $140 billion in 2021 and is expected to continue growing at a compound annual growth rate of 13.4 per cent between 2022 and 2029.”
Types of cyberattacks
While ransomware is the biggest cybersecurity concern for companies and public institutions, other types of attacks are also capable of causing widespread disruption, says Venkatramanan.
“In a distributed denial of services attack, cybercriminals flood an organisation’s servers with malicious traffic, effectively taking the server offline.” Phishing attacks, in which attackers attempt to persuade users to hand over valuable information, are also on the rise. The trend of home working potentially leaves employees more vulnerable to phishing attacks, which is one possible explanation for the estimated 29 per cent rise in attacks seen in 2021.
“Today, malicious software is written by humans. But advances in artificial intelligence [AI] could one day make it possible for machines to probe networks for vulnerabilities and create software to exploit any weaknesses.”
How can companies protect themselves?
Colm Murphy, senior cybersecurity adviser, Huawei, says that cybersecurity is a board-level issue. “It is no longer ok to say that it is the sole responsibility of an IT department.
“The same way it is a given to expect board members to be financially literate, in the modern digital world the same standard will soon apply to cyber. It is a key area of risk management for the vast majority of organisations these days, so a degree of cyberliteracy is necessary to be able to understand the risk, allocate appropriate resources, to manage and control it.”
Cybersecurity becomes the responsibility of all, he says, when it becomes embedded into all decisions, everyone is held to account and everyone is working to ensure the highest level of cybersecurity standards.
Outsourcing enables a business to pay for the service and outcome required, without having to worry about keeping pace with technological developments, says Eoghan Daly, director, BDO. “Outsourced providers will be expert at providing cyberdefence solutions, and can maintain focus on keeping pace with the rapid evolution of new cyberthreats.”
It is a reality that all organisations will need access to cybersecurity expertise, whether in-house or via a partner, says Murphy, who flags that there is a skills shortage. “The cybersecurity skills shortage in the workforce will continue to be a concern for many organisations as technology evolves. Governments around the world are focusing on this and promoting Stem subjects at university level to help ensure adequate supply of skilled employees.”
Empowering employees to protect themselves
Many organisations address cybersecurity with their employees only once a year at a company-wide event or training day, says Dani Michaux, EMA cyber leader at KPMG. “While these events are valuable, the message presented often fades quickly and fails to make any meaningful and necessary change in employee behaviour. In the past, the approach to cybersecurity across most organisations was to treat it as a ‘one and done’ issue.
“Such approaches won’t cut it anymore. A modern cybersecurity programme must project a consistent and persistent message that cybersecurity is an essential part of ‘how we do business’. Cybersecurity awareness needs to evolve from an annual event to an integral part of who a company is in order to ensure trust in the marketplace.”
Murphy agrees that employees can be seen as something of a weak link. “An attacker will take the path of least resistance and unfortunately that means that they target regular people, normal employees.
“A huge majority of attacks will only be successful if someone is tricked into clicking a malicious link in an email or providing their username and password via a fake website.”
Owning the output
Venkatramanan says chief information security officers (CISOs) and their teams should adopt a mindset of enablement — cybersecurity is no longer just about prevention. “It’s not a matter of telling colleagues what they can’t do, it’s showing them what they can do — securely. CISOs are moving from enforcers to influencers, showing how staff at all levels of organisations can enable their organisations to work safely, remotely and effectively”.
However, Daly says cybersecurity does not have to be supported at all levels. Cyberdefence can be “owned” by the IT or security team, with ultimate responsibility with the Executive. “As much as possible should be automated and undertaken by technology to reduce the burden on employees.
“For example, instead of asking employees to remember multiple complex passwords, businesses should require two-factor authentication and the use of a password management system. This approach empowers employees to act in a cyber-secure manner.”
Building a defence
The starting point of any cyberdefence strategy is to adopt a risk-based approach. Murphy says this applies across the board, whether you are a large global organisation operating in 170 countries, or a one-person operation. “Given your technological footprint, you need to prioritise the risks and determine what steps you need to take to mitigate and manage those risks.”
Being resilient and prepared for incidents is key, says Michaux. “Review your threat landscape, working with cyberintelligence allies to better understand the business risk and actions to take.
“Review your cybersecurity controls which may help to reduce the likelihood of a successful attack.”