While companies around the world are experiencing numerous benefits from online transactions and interactions, the accompanying cyber risks remain less visible. Cyber threats continue to evolve and rapidly expand, in terms of sophistication, complexity and the scale of their consequences. Lone hackers have been replaced by well-funded and organized cyber-crime networks, state-backed groups, terrorist organizations, and even competitors seeking commercially valuable intelligence and intellectual property. As a result, companies must take new approaches to protection.
Verizon 2014 Data Breach Investigations Report
Traditional approaches to cyber security that focus on compliance and technology are not providing companies with the resilience that is required to seize new opportunities in the digital and hyper-connected world. Having originally developed as an offshoot of information technology security, cyber security is struggling to escape its origins and reshape itself in an effective form — in a world where company perimeters have become fluid, porous, and insecure.
Emerging Trends and Associated Risks
- Expansion of the corporate perimeter – As available bandwidth and connectivity continue to increase, we are seeing an explosion in the volume of interconnected devices and advanced applications that employees, suppliers and customers are using to stay connected. The expansion of the traditional secure perimeter is bringing new challenges to protecting company data that resides on users’ personal mobile devices, laptops, tablets, and even smart watches. New legal hurdles are emerging as to what a corporation can or cannot do to secure its fluid perimeters and corporate data.
- Sweeping industrial espionage – 3D printing technology is becoming economical and more accessible to large numbers of users, creating the possibility for thieves to readily recreate complex objects based on stolen industrial designs. These technologies will likely trigger a significant increase in the theft of intellectual property, which in turn will drive a new black market for counterfeit products.
- Massive data aggregation – Companies will continue to migrate to cloud-based applications and vendors for managing employee and customer information. The aggregation of this data in “the Cloud” will provide criminals with tempting targets for theft of aggregated information and will trigger massive jumps in financial and reputational liabilities. Traditional defenses will be rendered inadequate.
- Cyber terrorism and death – Our lives will become more dependent on complex technologies such as driverless vehicles, personalized genetic-level medical treatment, and advanced communication technologies. There will be unimaginable benefits with these advances, and governments will need to rethink how to license and regulate them. Sadly, many of the new technologies will also attract the attention of cyber criminals or terrorists, which could result in widespread havoc.
- Increased regulation and legislation – The combination of increased attacks and breaches will drive stricter regulation in cyber security, with privacy a key focus. However, in many countries regulation will be a knee-jerk reaction to attacks, which will result in poorly designed directives that make it extremely difficult for multinational companies to comply with the standards and regulations across all jurisdictions.
- Digital forensics and law enforcement – New, powerful technologies that will be adopted by consumers and businesses will offer the same advantages to criminals, potentially hampering investigations and rendering many traditional law enforcement techniques obsolete. Already, encryption — a powerful tool that is necessary to protect company data — has become an essential part of the modern criminal’s toolbox.
Balancing Cyber Risks with Business Opportunities
There are important implications for all businesses:
- Every organization will encounter a crisis and needs to be prepared.
- Attacks will cause massive leaps in financial and reputational liabilities, and render traditional defenses mostly inadequate.
- All corporate leaders must own the company’s cyber risks and need to be cyber savvy.
Cyber security is an enterprise risk. But risk isn’t bad — it is part of seizing opportunity. Cyber security is a strategic issue that has to be understood and led by boards and executive management. To manage and pilot the organization effectively, tomorrow’s leaders must be equipped to own technology risks and business risks — rather than handing off the cyber security “problem” to the chief information officer. Boards will need to be actively engaged and need to recognize how strategic plans may be exposing the business to new cyber threats.
The Chief Information Security Officers of this new age will be digital natives, born and raised in a hyper-connected world and comfortable with the rapid pace of change. These qualities will be essential in dealing with cyber security challenges that will only have grown in the years between now and then.
At the root, the thinking and approach around cyber security needs to shift from the traditional, narrow question of “Are we protected?” to the broader set of questions “Have we detected the threats we face, do we understand them, and have we planned for them?” Only once a company has a sound understanding of all of the cyber risks it faces can it develop the right cyber strategy, one that generates demonstrable and measurable business benefits.
How Can Companies Prepare Today for the Uncertainties of the Future?
Four key questions:
- How will your company’s business model evolve in the future, and what cyber security opportunities / risks will it present?
- How will you identify and measure cyber security-related risks and evaluate them together with other business risks?
- What is your level of preparation with regard to resilience, and what needs to happen when incidents occur?
- How will you ensure compliance with cyber security regulations and standards, while not losing sight of other important cyber security issues?
A core principle of a modern and effective cyber strategy — and one that many organizations will struggle to accept — is the inevitability that attackers will get through company defenses and that breaches will occur, in ways that may elude existing indicators and warning bells.
Thus, defending against future cyber risks demands a focus on much more than technology. Truly protecting organizations against cyber threats requires deep business and operational understanding, and a pervasive risk-aware culture across and between organizations.
So why does cyber security need to be transformed? Put simply, as businesses have evolved, the threats to businesses have also evolved. However, cyber security has not kept pace with the risks, and the gap is widening.