More complex and challenging

November 2019 Cyber Security

The rate at which digital technology is evolving and disrupting traditional business models is frightening, yet cyber risks seem to evolve even faster. Despite declining business confidence in the ability to manage cyber risk, business leaders are now clearly recognising the critical nature of cyber threats and are starting to identify and embrace best practices to mitigate risks.


John Mc Loughlin.

Cyber risk has moved beyond data breaches and privacy. There are now sophisticated attacks that are disrupting entire countries, industries, businesses and supply chains. This is costing the economy billions and affecting businesses in every sector. Unfortunately cyber risk cannot be eliminated, but it can be mitigated and managed.

The most savvy businesses are building cyber resilience through comprehensive, balanced cyber risk management strategies, rather than concentrating solely on prevention. These more complex approaches account for the need to build capabilities in understanding, assessing and quantifying cyber risks in the first place, as well as adding the tools and the resources to respond to and recover from cyber incidents when they inevitably occur.

As cyber risks become increasingly complex and challenging, there are encouraging signs in the ‘2019 Global Cyber Risk Perception Survey’ (www.securitysa.com/*j2)1 that businesses globally are starting to implement best practices in cyber risk management. Most businesses recognise the magnitude of cyber risk and many are shifting aspects of their approach to match the threat, and most are doing a good job in traditional cybersecurity, protecting the perimeter.

Effective cyber risk management requires a comprehensive approach employing risk assessment, measurement, mitigation, transfer, and planning, and the optimal programme will depend on each company’s unique risk profile and tolerance.

This addresses many of the common and most urgent aspects of cyber risk that businesses today are challenged with, and should be viewed as signposts along the path to building true cyber resilience. Nonetheless, the survey shows that there remains a considerable gap between where cyber sits on the corporate risk agenda and the overall level of rigour and maturity of cyber risk management.

Strategic risk management principles

Many enterprises globally could benefit by applying strategic risk management principles to their cyber risk approach, supported by more expertise, resources, and management attention as they build cyber resilience.

Technology is dramatically transforming the global business environment, with continual advances in areas ranging from artificial intelligence and the Internet of Things (IoT) to data availability and blockchain. Especially in an ‘Internet of Everything’ era with digitally dependent supply chains and innovative technology, yesterday’s practices and mindsets are not enough, and may actually inhibit innovation.

Optimising security from the castle to the wider community is harder, but inevitable. It requires a shift from solely focusing on enterprise security to embracing responsibility for network security across the entire supply chain.

The survey points to a number of best practices that the most cyber resilient firms employ and which all firms should consider adopting:

• Create a strong cybersecurity culture with clear, shared standards for governance, accountability, resources and actions.

• Quantify cyber risk to drive better informed capital allocation decisions, enable performance measurement, and frame cyber risk in the same economic terms as other enterprise risks.

• Evaluate the cyber risk implications of new technology as a continual and forward-looking process throughout the lifecycle of the technology.

• Manage supply chain risk as a collective issue, recognising the need for trust and shared security standards across the entire network, including the company’s cyber impact on its partners.

• Pursue and support public-private partnerships around critical cyber risk issues that can deliver stronger protections and baseline best practice standards for all.

New tech increases exposure

Security challenges can manifest whenever new technology is integrated into business infrastructure, bringing new and additional complexity to the company’s technology footprint. The risks and exposures presented by new technologies must be weighed against the potential transformative business effects, and risk tolerance varies both by industry and by individual company.

Businesses are embracing technological innovation, and most don’t see cyber risk as a barrier. But assessment of new technology cyber risk is not as rigorous and continual as it should be. The number of Internet-connected devices is estimated to be 75 billion by 2025. As the world moves closer to an Internet of Everything, the amount and variety of digital assets that are stored, processed and shared by enterprises rises.

Even traditional sectors such as manufacturing expect almost 50% of the products they develop to be ‘smart’ or ‘connected’ in some way by 2020, opening up new revenue streams in data-driven services.

Supply chain risk

In increasingly interdependent digital supply chains, cyber risk needs to be a collective responsibility. In a world of hyper-connected supply chains, there is a critical need for trust among partners; a lack of trust risks impeding business performance and innovation.

Every business needs to understand, have confidence in, and play a role in the integrity and security of the components and software of its digital supply chains. The concept of ‘technological social responsibility’ – the recognition and acknowledgement by each company of its role and cybersecurity obligations within the supply chain – is on the agenda for many industry leaders.

But while many companies recognise the potential risks their supply chain partners may pose to their own cyber posture, most don’t fully appreciate the risk in reverse.

Regulations and legislation

In recent years, regulators globally have enacted numerous measures to hold corporations and executives more directly accountable for ensuring effective cybersecurity and for keeping customers’ data safe. Many of these regulations and legal frameworks require a greater degree of transparency from companies at all levels of their data handling activities, and in their cyber risk management readiness.

According to the survey, government laws and regulations are less effective in helping businesses improve their cybersecurity posture compared to ‘soft’ voluntary industry standards and guidance.

Cyber investments

Effective cyber risk management requires quantitative risk expression. Although more businesses measure their cyber risks economically, there’s a long way to go for all businesses to embrace this best practice, and then to apply that quantified measurement to drive sound cyber risk investment decisions.

Investments in cybersecurity technology are rising quickly and far outpacing spending on cyber insurance. The global cyber insurance market as measured by gross written premiums is forecast to be just under $8 billion by 2020, compared to a $124 billion global cybersecurity market.

Many companies focus their cyber risk management strategy on prevention by investing in technological frontline cyber defences. Meanwhile, spending on other tools and resources for cyber risk management, such as cyber insurance or event response training, remains a fraction of the technology budget.

This suggests that many businesses continue to believe they can eliminate or manage their cyber risk primarily through technology, rather than through a comprehensive range of planning, transfer, and response measures.

Best practices

Best practice calls not for parity of spending, but an investment strategy that, reflecting a company’s unique risk profile and appetite, leverages the complementary roles of technology and insurance to deter cyberattacks where possible and transfer the risk of those that cannot be prevented. However, the emphasis on cybersecurity spending and technology over other measures reveals that many businesses have not yet embraced this truth.

Despite cyber risk being ranked as a high priority, governance and ownership of it generally does not align with that ranking. Those who should be focused on cybersecurity are not, IT and information security roles continue to be seen as the primary owners of cyber risk management.

Businesses must build cyber resilience, approaching cyber risk as a critical threat that, with vigilance and application of best practices, can be managed confidently.

For more information contact J2 Software, +27 87 238 1870, john@j2.co.za,, www.j2.co.za

1. www.securitysa.com/*j2 redirects to https://www.microsoft.com/security/blog/wp-content/uploads/2019/09/Marsh-Microsoft-2019-Global-Cyber-Risk-Perception-Survey.pdf


Credit(s)




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Cyber futures in 2020
Issue 1 2020 , Cyber Security
MJ Strydom, managing director of cybersecurity specialist company, DRS, discusses what can be expected in 2020.

Read more...
Seven security trends for 2020
Issue 1 2020 , Cyber Security
What challenges await the security professional in 2020? Lukas van der Merwe looks at the trends for the year ahead.

Read more...
Security is not a single product solution
Issue 1 2020 , Cyber Security
Adopting a phased approach to security allows companies to develop a layered security posture to help control costs as well as the complexity.

Read more...
From physical security to cybersecurity
Access & Identity Management Handbook 2020, Genetec , Cyber Security, Security Services & Risk Management
Genetec discusses the security-of-security concept as a means to protect cameras, door controllers and other physical security devices and systems against cybercriminal activity.

Read more...
Minding the gaps to protect industrial PLCs from cyber threats
November 2019, AVeS Cyber Security , Cyber Security
PLCs, designed to control machinery and specific processes, were never built with cybersecurity threats in mind and protecting PLCs against these threats requires healthy isolation from the Internet.

Read more...
African trust centre launches cyber division
November 2019 , Cyber Security
Advancing cybersecurity to more stringent heights, LAWtrust has launched a new division focusing on cybersecurity services to complement its identity, encryption and digital signature offerings.

Read more...
What are the cybersecurity issues in video surveillance?
November 2019, Axis Communications SA , Editor's Choice, CCTV, Surveillance & Remote Monitoring, Cyber Security
he importance of the data captured by surveillance cameras – and what can be done with it – has led to a new breed of cybercriminals, looking for insights to steal and sell.

Read more...
Protecting the outer perimeter with cloud services
November 2019 , Cyber Security
Business leaders now have a choice whether they want to continue using their trusted firewall or move to a next-generation firewall delivered by appliances or as cloud services.

Read more...
Information security outsourcing service
November 2019, Condyn , Cyber Security
SearchInform launches information security outsourcing service for companies that face the problem of corporate fraud and data leakage.

Read more...
Block threats before they target your business
November 2019 , Cyber Security
The antivirus solutions of a decade ago are woefully inadequate weapons in the fight against today’s complex threats.

Read more...