Cybersecurity is no longer an issue only for the IT department. Today, I believe this must be top-of-mind for the entire enterprise.
Risks are no longer limited to hackers seeking confidential data from large financial institutions or retailers. Politically motivated attacks have been aimed at disrupting economies or destabilizing markets. And with the increasing use of ransomware, governments and organizations of any size can be targeted from anywhere. These global risks have placed the importance of cybersecurity at a whole new level.
It’s estimated that there was a ransomware attack on businesses worldwide every 14 seconds by the end of last year, according to Cybersecurity Ventures. By far, the single greatest vulnerability that companies continue to face is the infiltration of malware from phishing campaigns. Other vulnerabilities stem from the proliferation of IoT components, cloud storage and computing, and new data and financial apps that external vendors provide and install on the organization’s system.
To battle the threat, I believe a dedicated effort must go all the way up to the C-level to ensure that everyone is put to the task, because when an intrusion attempt succeeds, it’s already too late. It can take hackers as little as 19 minutes to get into a system and up to eight hours for many companies to respond due to their obligation to internal processes.
Many larger companies install a variety of specialized solutions to protect themselves in different areas, and it seems that endless products answer very specific threats. Too often, though, that buildup of solutions from a multitude of vendors exacerbates the risk that each patch is intended to guard against.
While each technological advance can help mitigate current risk, it can also provide hackers with new sophisticated tools. Only by constantly assessing future threats can companies and industries hope to anticipate what protective steps they will need to take.
At our company, for example, we confer with numerous academic researchers and startups in the cybersecurity field, and meet frequently with other financial-services colleagues to discuss current and future risks and potential vulnerabilities.
This combination of current risks, future threats, growing awareness, and technological advances has resulted in a rapidly changing landscape. As a result, several trends are currently taking shape, and I believe all of the trends—whether in the category of risk awareness or risk mitigation—are critical elements as businesses prepare for the future.
- Cyber-as-a-Service: As targeted cybersecurity solutions proliferate, the patchwork of fixes can actually increase risk. In response, we are seeing more inclusive cyber protection services being offered with the rise of Cyber-as-a-Service (CaaS). These CaaS providers oversee the management of vendors, the operations of tools, and the overall assessment of security coverage.
- Security in the Cloud: Migration to the cloud is becoming impossible to avoid. As such, securing multiple cloud applications with container computing is vital, even as they move through third parties. To further lock down these hosted applications, identity management systems that we use are incorporating homomorphic encryption technology.
- Blockchain and AI Security: Only in the past few years have blockchain and AI security features been developed to empower cyber and risk identifiers. While still in their early stages, they are showing great promise. And with the addition of machine learning and deep learning, this larger cyber ecosystem is expected to increasingly empower robust security controls.
- Working Together: Financial institutions and other industries are increasingly banding together in joint projects and working groups to unite against cyberthreats. Although bringing together competitors to work cooperatively is challenging, each risk is shared by all.
- Behavioral Analytics: Matching activity with customer profiles has become increasingly prominent in securing information, especially in areas such as financial transactions. While the added layer of protection (matching a user’s pattern against attempts to access information) has been valuable, it also adds a dimension of risk. If the profile database is breached, the exposed information is as sensitive as that in a hacked biometric database.
- Educating R&D: While cybersecurity awareness is growing, developers of new programs or products still too often fail to sufficiently consider cyber risks when they build something new. They address the needs, or perhaps use open-source code, without assessing the risks that might be present. But recognition of this risk is increasing, and I expect more attention to be paid to this segment.
Reason for Optimism
No amount of preparation can guarantee that hackers will fail in their attack on any organization. But with the more aggressive and cooperative approach we are witnessing industrywide, there is good reason to be optimistic.
Four Tips to Remember
1. Employee Education: It takes only one employee to fall for a phishing campaign and to hurt the organization’s cyber posture.
2. Effective Crisis Response Process: There are always bureaucracy and processes you have to go through. But if you have it all automated, you’ll have a much stronger and faster defense.
3. Know Your Enemy: Each large enterprise has threat intelligence technologies, but not all are using them efficiently to analyze who is targeting them and how.
4. Know Your New Tech: Many new technologies are implemented to offer customers a modern experience. But even AI, machine learning, FinTech, and cryptography have weak points.
This article first appeared in Forbes.