CEO outlines how businesses can reduce risk of cyber attacks
As technology becomes more sophisticated, so does the nature of cyber attacks.
From the recent LockBit attack on Royal Mail to reports of a ransomware attack on a hospital in Barcelona, it is also clear that hackers do not discriminate. The speed and complexity of these attacks have prompted government bodies like the EU to act, introducing the NIS2 Directive in January as a response to growing threats.
But how prepared are businesses for a potential attack? The World Economic Forum’s latest Cybersecurity Outlook Report found that 43% of business leaders expect a cyber attack to impact their organisation within the next two years. Indeed, time and time again, businesses face the same common shortcomings that increase their risk of being attacked, ranging from not outlining who is responsible vs. who is accountable for shoring up security defences, to rushing to digitalise too quickly.
It’s therefore critical to ensure that business and security leaders consider how they can create a stronger first – and second – line of defence against cyber attacks. But what common risky practices are compromising these efforts?
Manage risks during digital transformation
The pandemic acted as a catalyst for digitalisation, fundamentally changing the way that most businesses around the world operate. The rapid roll-out of new technologies has had a huge impact on customer service offerings, supply chain operations, and the day-to-day running of organisations.
However, blending and/or moving from legacy technology to SaaS applications or cloud infrastructure without a robust strategy and timeline in place is incredibly risky. As more devices and access points are added to an organisation’s stack, more potential vulnerabilities open up.
To ensure that they don’t increase their risk of being attacked, digital transformation project leaders must assess and manage the potential risks at every stage of their digital transformation journey: before and during the migration, and continuing to manage them as their digital strategies evolve. Creating this first line of defence is critical to managing the growing risk to operations.
But central to understanding and mitigating the overall cybersecurity risk to a business is also considering the risk posed by its vendors and suppliers. This is where it is critical that organisations consider their second line of defence: the security processes of the third-party organisations they interact with.
Don't cut back on cybersecurity
Consumers and businesses alike have it tough at the moment. Just as we were finally seeing the skies clear from the pandemic, we’re now hit with rising inflation, battling against the increasing cost of living, and all the while heading into what is predicted to be one of the deepest recessions the country has ever seen. It is therefore no surprise that budget holders within organisations are looking at where they can make quick savings. And this includes tech.
When balancing priorities, some IT decision-makers will cut back on defences like endpoint security. I’m increasingly – and worryingly – seeing more businesses viewing it as a ‘nice to have’ rather than recognising the vulnerability introduced by remote/hybrid working and bring-your-own-device (BYOD) policies.
Security is not something to cut from the budget. Putting to one side that organisations are expected to adhere to national and sector-specific security and privacy regulation/legislation, the sheer number of cyber attacks – and the knock-on effect they can have on a business – shows that cybersecurity is something to invest in for the long term.
It is vital for businesses to also look ahead and recognise that prioritising security doesn’t just save organisations money by preventing threats; it also allows them to spot the right opportunities to maximise efficiencies. Today, most businesses work with third parties, and having strong processes in place to view the potential risks posed by these external relationships does more than reduce risk. It also allows them to strengthen their relationships with these third parties and make sound decisions relating to the partnership, which in turn can increase the revenue of a business.
When an organisation is multidisciplinary – for example, one made up of departments focused on manufacturing, customer service, distribution and so on – it’s harder to instil accountability for cybersecurity. It is fair to say that everyone in a business must manage their own cybersecurity and privacy risks. However, the lines of responsibility and accountability aren’t always entirely clear.
In larger corporations, the board should ultimately be accountable for all risk, but that doesn’t necessarily mean it will be doing the actual work to manage this. There should be one person/team responsible, while the board or its equivalent remains accountable. Smaller companies can follow the same principle, but it may fall on the shoulders of the CEO or founder to take on both the accountability and the responsibility (via managing a team or outsourcing to a third party) for their cyber defences.
Make cybersecurity a priority
'People are your first line of defence' is a well-known cybersecurity adage. But while employee education on cyber risks can go some way in curbing the threats of phishing attacks or downloads from untrusted sources, without reinforcement – and indeed, enforcement – there may be clear cracks in company defences.
It was reported very recently by Gartner that 69% of employees bypass their organisation’s cybersecurity measures, with nearly a third of respondents citing ‘speed and convenience’ as reasons for doing so.
To tackle this, business leaders must start developing security policies which acknowledge the fact that many employee-driven breaches stem from an attempt to balance security and productivity, and very rarely from insider/malicious hacking efforts. Leaders must also take steps to involve employees in the process of developing and testing said policies and equip them with the tools they need to follow these as easily as possible.
Build strong lines of defence
Contrary to most people’s perceptions of cyber criminals, they are increasingly planning and running their attacks in an organised fashion – and this is helping them reap greater rewards. Take the notorious LockBit collective as an example. It is estimated that they have generated up to $100 million in ransom payments.
With this in mind, it is crucial that businesses take proactive steps to reduce their risk of falling victim to an attack and ensure prevention. Organisations need to have an individual who is responsible for their cybersecurity strategy, stop cutting corners with security practices internally and in their supply chains, and most importantly, create a workplace culture that encourages safe cybersecurity practices and embeds them into their values.