It is a worrying fact that, while digital technology is transforming both our personal lives and our interactions with companies and government, it is also making us increasingly susceptible to fraud and other crimes. According to the US Cybersecurity and Infrastructure Security Defense Agency, 47% of American adults have had their information exposed online from cyber criminals. There is no reason to suspect that the picture is much different elsewhere. Even those organizations that might be expected to be alive to the threats are not immune. Earlier this month, Capita, an outsourcing company with UK government contracts worth more than $8 billion, admitted it had been infiltrated by what are thought to be Russian cyber criminals.[1]
The figures from the US Cybersecurity and Infrastructure Security Defense Agency are quoted in a report out today from RiskOptics, a US company formerly known as Reciprocity that helps businesses manage information and cyber risk. As the report points out, the increasing number of attacks is leading organizations to spend ever more on trying to prevent them and dealing with the aftermath. The topic has become a critical issue for boardrooms around the world. Yet, despite this renewed focus, “business leaders still don’t have a firm grasp on how cyber risk can impact different business initiatives — or that it could be used as a strategic asset and core business differentiator,” it adds.
This latter point was explained by the CEO and chief product officer at RiskOptics, in an interview shortly before this report. Hitherto, he said, dealing with risk had been seen largely as a matter of compliance. Indeed, Reciprocity made its name with a product, ZenGRC, that helped internal audit, compliance and information security teams manage and implement appropriate processes. But the company had latterly taken the decision to focus on developing a different view of risk and therefore on understanding it better. Hence the name change to RiskOptics. “It stops security people just saying ‘No’ to everything,” he said. Stressing that an organization could never be 100% secure, he added that it was better to do a quantitative analysis of risks and benefits. The advantage of this was that, instead of just throwing ever more resources at the problem — and the report shows that IT teams are already overstretched to the point that there are serious shortages of personnel — senior executives could focus on the threats and vulnerabilities of particular parts of the business and perhaps see opportunities.
The need for all executives to accept the importance of cybersecurity and not leave it to the IT specialists is also stressed by Rapid7, a leader in detecting cyber risks and threats. In an interview earlier this month, he echoed other experts’ view of the futility of increasing budgets to meet the escalating incidence of security breaches. He said there were two underlying issues: the effectiveness of cybersecurity measures and the ability of organizations to operationalize such measures. He said the issue had three elements: technology, people and processes. The last was “the glue” that made the system work. If this aspect was tracked and maintained properly, it would be easier to identify the technology and people risks.
He made two key recommendations. The first was that board members had to be more prepared to ask questions about cybersecurity so that they understood not just how much was being spent but also how effective the systems in place were. The second was to re-examine the role of the chief information security officer. The post was increasingly common but was often taken up by people from technological backgrounds. An understanding of the technology was clearly crucial, but to be effective the CISO needed “a multitude of qualities,” analysts added. Pointing out that they should share some of the attributes of an effective chief operating officer, he said they needed to be able to lead transformational change and, in the event of a breach, to be able to identify which parts of the business would be worst affected.
Given the devastating effects that cyber-attacks can have on organizations and their reputations, it is inevitable that there is an increasingly crowded and confusing field of companies offering security solutions. One approach being pioneered by Illumio, a 10-year-old US company based in California, is “zero trust segmentation.” Running slightly counter to the vogue for flat hierarchies with free-flowing information, the idea is that when breaches occur, they are contained and so do not become serious threats to the whole organization. Unsurprisingly, many of the company’s early adopters were banks. But, as businesses and governments recognized that cyber risks were “existential” and as serious as financial risks, all sorts of other organizations became interested, said CEO Andrew Rubin in a recent interview.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
• Reporting: https://www.redskyalliance.org/
• Website: https://www.wapacklabs.com/
• LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
[1] https://www.forbes.com/sites/rogertrapp/2023/04/18/combatting-cyber-attacks-requires-more-than-just-money/