As we delve deeper into 2021, firms need to consider cybersecurity processes more than ever before.
The coronavirus pandemic has sped up tech adoption at an unprecedented rate, and the pace at which cyber-criminals are exploiting these changes means it is vital that business leaders keep up.
But building and maintaining effective cybersecurity measures is no easy task. Cybercriminals are becoming increasingly sophisticated in the ways that they carry out their attacks, and businesses will constantly have to adapt their tactics.
Another stumbling block is an aversion to taking up the challenge of building cybersecurity measures into a company. Cost, complexity, and confusing language are legitimate reasons why some firms are still falling behind.
However, as UKCSA CEO Lisa Ventura explains, there is no time to dawdle when it comes to protecting yourself from cybersecurity threats. Start acting now, or a cyberattack could be just around the corner.
The importance of cybersecurity to a leadership team
To begin the process of building strong cybersecurity measures into your business, you must build it into the very fabric of the company itself, says Ventura.
“Good security only works when it is well embedded as a culture within an organisation, and that starts from the top,” she says.
This is security buy-in; to ‘buy-in’ to the idea that cybersecurity is a vital part of your business culture. Unfortunately, leadership often gets stuck behind the stumbling blocks, the main one being cost.
“Even with the average cost of a breach reaching an eye-watering £3 million, many organisations still struggle with getting cybersecurity on the boardroom agenda,” Ventura says.
“This in turn leads to critical levels of under-investment in cybersecurity, which leaves organisations wide open to a cyberattack.”
But why are business leaders so averse to cybersecurity investment when it is so obviously a threat? Cyberattacks have clearly been an ever-increasing issue worldwide for many years.
- Tech industry the least secure against cyber attacks, say hackers
- Nearly half of UK businesses vulnerable to IoT cyber attacks
- Report reveals UK organisations need more consistent cyber resilience
In particular, the coronavirus pandemic has boosted cybersecurity incidents. According to the data analysed by Atlas VPN, 16.4 million Covid-19 related cyber threats were detected online in 2020.
As well as this, in May last year average of 192,000 coronavirus-related cyberattacks were occurring every week, including phishing attacks impersonating the WHO, United Nations, Zoom, Microsoft and Google.
However, communicating the importance of combating these cyber threats to a company’s leadership team is not easy. Cybersecurity metrics are often communicated in complex and technical language that is full of jargon and acronyms and lacking in human elements.
Ventura believes this means firms still, despite the obvious reasons for concern, have an inability to prioritise the cybersecurity risk.
“Given the volume of software vulnerabilities that are discovered daily, this is relatively unsurprising as an increase in officially designated vulnerabilities is coinciding with a decreased understanding of them and of the security landscape in general,” she says.
“In addition, a lack of management alignment on priorities is another way that firms are failing to prioritise cybersecurity, along with a lack of adequate funding.”
Building cybersecurity protection
Ventura says that, to begin the process of protecting yourself, you need to find the right tools for the job. New platforms are being developed that can help secure against new threats and threat actors, and these suit businesses of all shapes and sizes.
“Organisations should look at investing in security solutions that scale appropriately, but ever-fluctuating business cycles can make it difficult to sign on with platforms that are too rigid,” Ventura says.
“Looking into different solutions is necessary to keep your data secure, and while it is crucial to have your business operations fully locked down, there is a need to have digital periphery secured as well.”
Ventura comments on the importance of ‘locking down’ systems within your business that deal with data. Things like Wi-Fi, emails, messages, or data transfer must be kept safe and secure.
She continues: “It is essential for organisations to invest in cybersecurity as soon as possible – the shift to digital since the pandemic hit is happening far too quickly to ignore. Find solutions that secure every aspect of your organisation’s operations.”
As far back as 2019, research by Forescout revealed that around half of businesses in the UK were at risk of cyberattacks for something as simple as having an unknown device on their network.
As well as this, in February 2020, weeks before the pandemic came into full force, research showed that 18% of hackers believe the tech sector had the most room for improvement in cybersecurity.
More than a year on, the cybersecurity landscape has become considerably more complicated, and cyber-threat actors more brazen.
“With so many high-profile data breaches taking place, these have taught us that organisations will be breached, and consumer data will be stolen,” Ventura says.
“Despite these high-profile data breaches such as the recent Microsoft data breach that is still ongoing, organisations continue to stumble in the way they respond to a cyberattack, which in turn magnifies and extends the damage both to their reputation and their customers.
“Not being transparent about what happened is one of the biggest mistakes that many organisations make, along with poor customer service and dragging their feet when it comes to dealing with a cyberattack.”
The Covid-19 question
Covid-19 has likely stretched the cybersecurity capabilities of thousands of firms. What should business leaders be looking out for when it comes to Covid-19 related cybersecurity, and as we begin to see the wind-down of Covid-19 in the coming months, why should they continue to take these attacks seriously in the future?
Post-pandemic, organisations should take a guided approach to cybersecurity and shape a responsible course of action that balances short-term goals with medium to long term imperatives, Ventura says.
To do this, organisations should be encouraged to “foster a culture of cyber resilience, focus on protecting their critical assets and services and balance risk-informed decisions during the pandemic and beyond.”
- Poor remote working habits creating cybersecurity risks
- Scotland continues to impress as UK tech attracts record VC investment
- Three Scottish sustainable tech projects take share of £27m funding pot
Firms should also update and practice their organisation’s response and business continuity plans from a cybersecurity perspective as the world transitions to a “new normal” and strengthen their ecosystem-wide collaboration.
“The Covid-19 crisis has generated unprecedented challenges for organisations, forcing everyone to juggle professional responsibilities with important personal ones,” Ventura comments.
“The coming weeks and months are likely to bring more uncertainty as the government slowly eases restrictions and we come out of the third national lockdown.
“By adhering to these cybersecurity principles, organisations can better uphold their cybersecurity and maintain business continuity while also meeting their obligations to their business stakeholders.”
Humanising cybersecurity language
So, what are Ventura’s suggestions for boosting cyber-awareness and the integration of cybersecurity infrastructure into a business? She suggested humanising the language.
“To engage with the board, you need to talk business, not cybersecurity,” she states.
“By focusing on the business and risk of cybersecurity rather than the technical side of it, the board are more likely to pay attention to it. They will be more likely to make the jump from cybersecurity being an IT issue to cybersecurity being a business and risk issue.”
Looking forward to 2021, cyberattacks are only set to become harder to handle. Covid-19 continues to be a useful topic for targeting victims, and many firms are still not taking cybersecurity seriously. Many, Ventura believes, do not realise how valuable their data can be to a hacker.
“To help bolster your cybersecurity, organisations should know what is valuable,” she says. “There is a misconception that smaller businesses would not be a target for hackers because they are too small. But things like ransomware are hitting smaller businesses harder than others.
“All businesses should consider what assets they have that can be monetised by hackers, such as personal information about customers.
“Once you have identified what is valuable, you should look at implementing things such as 2-factor authentication, set appropriate access levels, bring your own device (BYOD) policy, implement device policies, keep your infrastructure and computers up to date, dispose of your old hardware correctly, vet any new employees and provider’s and don’t forget your physical security to help your cyber security.”
However, even these steps, Ventura says, may still not be enough: “The passage of time has proved that no matter what organisations do, hackers will always be in front, and organisations need to ensure they constantly keep on top of the growing cyber threat.”
Join the Debate | Scot-Secure 2021
Cybersecurity language and a changing cyber landscape will be key areas of discussion at the upcoming Scot-Secure Cybersecurity Conference on March 24-25th.
Hear from leading experts from across the cybersecurity sector and explore the crucial issues.
Register your free place now at: https://www.scot-secure.com