The Rising Tide of Cyber Risks

Corporate leaders are rethinking business plans in response to information security threats.


Large-scale cyberattacks rank third in likelihood among the global risks identified in the World Economic Forum's Global Risks Report 2018. Released this month ahead of the forum's annual gathering of world and business leaders in Davos, Switzerland, the survey report predicts a heightened global risk environment, with cyber threats feeding into broader business and geopolitical risks. Think cyberwarfare and attacks on major companies, banks, and markets.

"Geopolitical friction is contributing to a surge in the scale and sophistication of cyberattacks," says John Drzik, president of Global Risk and Digital with insurer Marsh, in a press release accompanying the report. That risk continues to grow for businesses, as well, even as they become more aware of cyber threats, Drzik points out. "While cyber risk management is improving, business and government need to invest far more in resilience efforts" to avoid protection gaps.

Dire warnings about cyber threats are pushing boards to reconsider their business plans. In EY's latest Global Information Security Survey, 56 percent of C-suite respondents say the increased impact of cyber threats and vulnerabilities has led their organization to change, or plan to change, its business strategy. Only 4 percent say they have fully considered the security issues arising from their current strategy.

It's not the large-scale attacks envisioned by the World Economic Forum report that worry the nearly 1,200 respondents to the EY survey. It's the less sophisticated attackers that have targeted their organizations. "The most successful recent cyberattacks employed common methods that leveraged known vulnerabilities of organizations," says Paul van Kessel, cybersecurity leader for EY's Global Advisory.

Couple that with new technologies and increased connectivity, and organizations are facing more vulnerabilities than before, he notes. As they look to transform their businesses, organizations need to assess their digital environment "from every angle to protect their businesses today, tomorrow, and far into the future," he says.

A Question of Money

Executives clearly see a need for more resources to face cyber threats. Although 59 percent of respondents say their cybersecurity budgets increased in 2017, 87 percent say they need to allocate as much as 50 percent more. Twelve percent expect more than a 25 percent increase this year.

For many organizations, it might take a major breach for them to make significant cybersecurity investments, respondents report. Three-fourths of respondents say an incident that caused damage would result in a higher cybersecurity outlay. Conversely, nearly two-thirds say a less damaging attack would not lead to an increase.

Three Levels of Attack

Budgets aside, respondents acknowledge the vulnerabilities and threats are rising. Chief among the vulnerabilities are employees who aren't following good cybersecurity practices. Malware and phishing far outpace other threats.

In the face of increased threats, resilience may be the best way for organizations to fight back. "To get there, the organization needs to understand the relationship between cyber resilience and the objectives of the business, as well as the nature of the risks it is facing and the status of the current safeguards," the EY report says. "It must also assess how much risk it is prepared to take and define an acceptable loss."

To become more resilient, organizations need to take steps to address three levels of attack, the EY report notes: common, advanced, and emerging.

Common. Although the vast majority of attacks target known weaknesses, three-fourths of respondents say their organization's ability to identify vulnerabilities is immature or moderately mature. Twelve percent lack a breach detection program, and 35 percent say their data protection policies are ad hoc or don't exist.

To defend against common threats, EY proposes five components:

  • Talent-centric, with everyone in the organization responsible for cybersecurity.
  • Strategic and innovative, with cybersecurity embedded into decision-making.
  • Risk-focused, with "well-governed risk alignment."
  • Intelligent and agile, to detect and respond to threats in a timely manner.
  • Resilient and scalable, to minimize disruptions and grow with the business.

Advanced. These sophisticated attacks target unknown or complex vulnerabilities, and are carried out by organized crime groups, cyber terrorists, and nation states. To respond to such attacks, the EY report recommends organizations centralize cybersecurity activities within a security operations center (SOC). This center should focus on protecting the organization's most valuable assets, defining normal operating conditions as a basis for identifying unusual activity, gathering threat intelligence, and carrying out "active defense" missions to identify hidden intruders.

Emerging. These unanticipated attacks are made possible by advancing technologies. Responding to them requires agility to imagine the attacks that could be possible and act quickly when they happen, the report notes.

In Case of Emergency

Beyond these measures, the EY report says organizations need a cyber breach response plan that automatically springs into action when an incident occurs. The cybersecurity function plays a part, but the plan also involves business continuity planning, compliance, insurance, legal, and public relations. This is an area where many respondents fall short. Nearly 70 percent have a formal incident response capacity, but problems arise when drilling down to specifics.

Communication is a glaring problem, with 43 percent saying their organization doesn't have a communication strategy for responding to attacks. Just 56 percent say they would notify the media within a month of an incident that compromised data. That could prove costly, with the European Union's General Data Protection Regulation (GDPR) set to take effect in May 2018. Organizations that fail to respond to data breaches in a timely manner could face tangible penalties beyond the damage caused by the attacks themselves.

Tim McCollum

About the Author

Tim McCollum is Internal Auditor magazine's associate managing editor. https://iaonline.theiia.org/authors/Pages/Tim-McCollum.aspx

