More complex and challenging

1 November 2019 Information Security

The rate at which digital technology is evolving and disrupting traditional business models is frightening, yet cyber risks seem to evolve even faster. Despite declining business confidence in the ability to manage cyber risk, business leaders are now clearly recognising the critical nature of cyber threats and are starting to identify and embrace best practices to mitigate risks.


John Mc Loughlin.

Cyber risk has moved beyond data breaches and privacy. There are now sophisticated attacks that are disrupting entire countries, industries, businesses and supply chains. This is costing the economy billions and affecting businesses in every sector. Unfortunately cyber risk cannot be eliminated, but it can be mitigated and managed.

The most savvy businesses are building cyber resilience through comprehensive, balanced cyber risk management strategies, rather than concentrating solely on prevention. These more complex approaches account for the need to build capabilities in understanding, assessing and quantifying cyber risks in the first place, as well as adding the tools and the resources to respond to and recover from cyber incidents when they inevitably occur.

As cyber risks become increasingly complex and challenging, there are encouraging signs in the ‘2019 Global Cyber Risk Perception Survey’ (www.securitysa.com/*j2)1 that businesses globally are starting to implement best practices in cyber risk management. Most businesses recognise the magnitude of cyber risk and many are shifting aspects of their approach to match the threat, and most are doing a good job in traditional cybersecurity, protecting the perimeter.

Effective cyber risk management requires a comprehensive approach employing risk assessment, measurement, mitigation, transfer, and planning, and the optimal programme will depend on each company’s unique risk profile and tolerance.

This addresses many of the common and most urgent aspects of cyber risk that businesses today are challenged with, and should be viewed as signposts along the path to building true cyber resilience. Nonetheless, the survey shows that there remains a considerable gap between where cyber sits on the corporate risk agenda and the overall level of rigour and maturity of cyber risk management.

Strategic risk management principles

Many enterprises globally could benefit by applying strategic risk management principles to their cyber risk approach, supported by more expertise, resources, and management attention as they build cyber resilience.

Technology is dramatically transforming the global business environment, with continual advances in areas ranging from artificial intelligence and the Internet of Things (IoT) to data availability and blockchain. Especially in an ‘Internet of Everything’ era with digitally dependent supply chains and innovative technology, yesterday’s practices and mindsets are not enough, and may actually inhibit innovation.

Optimising security from the castle to the wider community is harder, but inevitable. It requires a shift from solely focusing on enterprise security to embracing responsibility for network security across the entire supply chain.

The survey points to a number of best practices that the most cyber resilient firms employ and which all firms should consider adopting:

• Create a strong cybersecurity culture with clear, shared standards for governance, accountability, resources and actions.

• Quantify cyber risk to drive better informed capital allocation decisions, enable performance measurement, and frame cyber risk in the same economic terms as other enterprise risks.

• Evaluate the cyber risk implications of new technology as a continual and forward-looking process throughout the lifecycle of the technology.

• Manage supply chain risk as a collective issue, recognising the need for trust and shared security standards across the entire network, including the company’s cyber impact on its partners.

• Pursue and support public-private partnerships around critical cyber risk issues that can deliver stronger protections and baseline best practice standards for all.

New tech increases exposure

Security challenges can manifest whenever new technology is integrated into business infrastructure, bringing new and additional complexity to the company’s technology footprint. The risks and exposures presented by new technologies must be weighed against the potential transformative business effects, and risk tolerance varies both by industry and by individual company.

Businesses are embracing technological innovation, and most don’t see cyber risk as a barrier. But assessment of new technology cyber risk is not as rigorous and continual as it should be. The number of Internet-connected devices is estimated to be 75 billion by 2025. As the world moves closer to an Internet of Everything, the amount and variety of digital assets that are stored, processed and shared by enterprises rises.

Even traditional sectors such as manufacturing expect almost 50% of the products they develop to be ‘smart’ or ‘connected’ in some way by 2020, opening up new revenue streams in data-driven services.

Supply chain risk

In increasingly interdependent digital supply chains, cyber risk needs to be a collective responsibility. In a world of hyper-connected supply chains, there is a critical need for trust among partners; a lack of trust risks impeding business performance and innovation.

Every business needs to understand, have confidence in, and play a role in the integrity and security of the components and software of its digital supply chains. The concept of ‘technological social responsibility’ – the recognition and acknowledgement by each company of its role and cybersecurity obligations within the supply chain – is on the agenda for many industry leaders.

But while many companies recognise the potential risks their supply chain partners may pose to their own cyber posture, most don’t fully appreciate the risk in reverse.

Regulations and legislation

In recent years, regulators globally have enacted numerous measures to hold corporations and executives more directly accountable for ensuring effective cybersecurity and for keeping customers’ data safe. Many of these regulations and legal frameworks require a greater degree of transparency from companies at all levels of their data handling activities, and in their cyber risk management readiness.

According to the survey, government laws and regulations are less effective in helping businesses improve their cybersecurity posture compared to ‘soft’ voluntary industry standards and guidance.

Cyber investments

Effective cyber risk management requires quantitative risk expression. Although more businesses measure their cyber risks economically, there’s a long way to go for all businesses to embrace this best practice, and then to apply that quantified measurement to drive sound cyber risk investment decisions.

Investments in cybersecurity technology are rising quickly and far outpacing spending on cyber insurance. The global cyber insurance market as measured by gross written premiums is forecast to be just under $8 billion by 2020, compared to a $124 billion global cybersecurity market.

Many companies focus their cyber risk management strategy on prevention by investing in technological frontline cyber defences. Meanwhile, spending on other tools and resources for cyber risk management, such as cyber insurance or event response training, remains a fraction of the technology budget.

This suggests that many businesses continue to believe they can eliminate or manage their cyber risk primarily through technology, rather than through a comprehensive range of planning, transfer, and response measures.

Best practices

Best practice calls not for parity of spending, but an investment strategy that, reflecting a company’s unique risk profile and appetite, leverages the complementary roles of technology and insurance to deter cyberattacks where possible and transfer the risk of those that cannot be prevented. However, the emphasis on cybersecurity spending and technology over other measures reveals that many businesses have not yet embraced this truth.

Despite cyber risk being ranked as a high priority, governance and ownership of it generally does not align with that ranking. Those who should be focused on cybersecurity are not, IT and information security roles continue to be seen as the primary owners of cyber risk management.

Businesses must build cyber resilience, approaching cyber risk as a critical threat that, with vigilance and application of best practices, can be managed confidently.

For more information contact J2 Software, +27 87 238 1870, [email protected],, www.j2.co.za

1. www.securitysa.com/*j2 redirects to https://www.microsoft.com/security/blog/wp-content/uploads/2019/09/Marsh-Microsoft-2019-Global-Cyber-Risk-Perception-Survey.pdf




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Highest increase in global cyberattacks in two years
Information Security News & Events
Check Point Global Research released new data on Q2 2024 cyber-attack trends, noting a 30% global increase in Q2 2024, with Africa experiencing the highest average weekly per organisation.

Read more...
Upgrade your PCs to improve security
Information Security Infrastructure
Truly secure technology today must be designed to detect and address unusual activity as it happens, wherever it happens, right down to the BIOS and silicon levels.

Read more...
Open source code can also be open risk
Information Security Infrastructure
Software development has changed significantly over the years, and today, open-source code increasingly forms the foundation of modern applications, with surveys indicating that 60 – 90% of the average application's code base consists of open-source components.

Read more...
DeepSneak deception
Information Security News & Events
Kaspersky Global Research & Analysis researchers have discovered a new malicious campaign which is distributing a Trojan through a fake DeepSeek-R1 Large Language Model (LLM) app for PCs.

Read more...
SA’s strained, loadshedding-prone grid faces cyberthreats
Power Management Information Security
South Africa’s energy sector, already battered by decades of underinvestment and loadshedding, faces another escalating crisis; a wave of cyberthreats that could turn disruptions into catastrophic failures. Attacks are already happening internationally.

Read more...
Almost 50% of companies choose to pay the ransom
News & Events Information Security
This year’s Sophos State of Ransomware 2025 report found that nearly 50% of companies paid the ransom to get their data back, the second-highest rate of ransom payment for ransom demands in six years.

Read more...
Survey highlights cost of cyberdamage to industrial companies
Kaspersky Information Security News & Events
The majority of industrial organisations estimate their financial losses caused by cyberattacks to be over $1 million, while almost one in four report losses exceeding $5 million, and for some, it surpasses $10 million.

Read more...
Digital economy needs an agile approach to cybersecurity
Information Security News & Events
South Africa is the most targeted country in Africa when it comes to infostealer and ransomware attacks. Being at the forefront of the continent’s digital transformation puts South Africa in the crosshairs for sophisticated cyberattacks

Read more...
SIEM rule threat coverage validation
Information Security News & Events
New AI-detection engineering assistant from Cymulate automates SIEM rule validation for SecOps and blue teams by streamlining threat detection engineering with automated testing, control integrations and enhanced detections.

Read more...
Cybersecurity a challenge in digitalising OT
Kaspersky Information Security Industrial (Industry)
According to a study by Kaspersky and VDC Research on securing operational technology environments, the primary risks are inadequate security measures, insufficient resources allocated to OT cybersecurity, challenges surrounding regulatory compliance, and the complexities of IT/OT integration.

Read more...










While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.