What Organizations are Mistaken about Cybersecurity?
By Osman Faiz, CIO, Standard Chartered Bank (Singapore)
On Friday, 12 May 2017, the world witnessed one of the most severe cyberattacks in recent years, WannaCry which paralyzed almost 230,000 computers in 150 countries and threw the world into chaos. Before everyone could fully realize the impact of this attack, Petya struck Ukraine, again on a massive scale, before rapidly spreading across Europe. If there is anything we have learned from these painful events, it is that many organizations— big and small, government and non-government, private and public— are poorly prepared, if not utterly unprepared for cyberattacks. A recent Cybersecurity Trends report by Crowd Research Partners confirms that 62 percent of companies aren’t confident with their security measures against cyberattacks. Here are the five things that many organizations have mistaken about cybersecurity, which may land them on the wrong end when the next cyberattack happens:
1. Hackers only target big organizations: Cyberattacks on big organizations such as banks are often well covered with the biggest headlines. This has led to a dangerous falsehood that only big organizations are the target. While it might be true in the past when hackers often targeted the ones with the most money, it is no longer the case today as hackers often target the ones with the weakest defense. Symantec reported that 65 percent of cyberattacks targeted small and medium-sized enterprises in 2015 compared to just 50 percent in 2011. With small and medium-sized enterprises lagging far behind the established multi-national corporations in cybersecurity, this percentage will continue to grow further in the next three years. Therefore, all organizations, regardless of size, need to build adequate cybersecurity defenses.
2. Cybersecurity is an IT issue: In many organizations, senior leaders have alarmingly little understanding of cybersecurity and still treat it as an IT problem.
It is important to realize that cyber security is not an IT issue but a strategic issue
Cybersecurity then becomes an afterthought of the business strategy being formulated or business decisions being taken. The danger of this is that their chief information officers (CIOs) or chief information security officers (CISOs) are always in the catch-up mode trying to identify and patch cybersecurity holes, which leaves their organizations constantly vulnerable to cyberattacks. This must be changed if organizations want to stay ahead on cybersecurity. It is important to realize that cyber security is not an IT issue but a strategic issue. It is an integral part of the business. CEOs need to push cybersecurity higher on their agenda and directly consult their CIOs or CISOs in making key business decisions. Forward-looking CEOs are already making cybersecurity as part of their customer value proposition.
3. Hackers only go after core systems: Strong defenses for core systems are essential but not sufficient to protect organizations from cyberattacks. The recent 2016 DDoS attack on Dyn exposed a serious problem of cybersecurity for internet-of-things (IoT) devices. Attacks on Target and Wendy’s earlier, which involved third-party vendors, was also a stark reminder for organizations to look at cybersecurity from a complete ecosystem point-of-view. It is critical for organizations to ensure that the vendors they engage with have robust security controls to minimize their vulnerability to cyberattacks. A single lax security control of a single vendor can be detrimental to their entire organization.
4. Cybersecurity threats are mainly external: It is not uncommon to see that many organizations put enormous effort into dealing with external cybersecurity threats and little into internal ones. However, IBM found in the 2016 Cybersecurity Intelligence Index that the biggest threat may reside right inside their organizations. A whopping 60 percent of cyberattacks were in fact carried out by insiders with 75 percent of them involving malicious intent and the remaining inadvertent actors. These numbers should be a wake-up call for organizations which have not paid enough attention to internal cybersecurity threats. More dangerously, insiders, unlike outsiders, have extensive knowledge and direct access to the systems, making it difficult to detect. In addition to that, they can also erase evidence to impede any possible investigations.
5. It is too costly to invest in cybersecurity: Cost is one of the reasons why some organizations are reluctant to invest in cybersecurity. Advisory firm Gartner reported that worldwide spending on cybersecurity is estimated at $90 billion in 2017 and would reach $130 billion by 2020. However, not investing in cybersecurity can be even more costly. Cybersecurity is a $440 billion problem, and it is expected that cyberattacks would cost the world up to $6 trillion by 2021. This does not take into account damages which can’t be measured by dollars and cents, such as loss of corporate reputation and customer confidence. Besides, organizations should also realize that digitization comes with greater productivity and efficiency. Part of these gains should be invested in cybersecurity. In other words, cybersecurity is an inseparable part of digitization investment, and no organization can use cost as an excuse to compromise on cybersecurity.