
Cybersecurity Priorities For The Board's Agenda

Forbes Technology Council

John Maynard, chief executive officer at Adarma.

For years now, organizations have faced a critical decision: embrace digital transformation or watch business growth stagnate, if not wither away. Today's competitive market leaves little room for those who don't. The result has been a mass migration to cloud-based technologies and, at the same time, an increasingly intricate and inescapable threat environment. This brings businesses to a second crossroads: treat cybersecurity as a business problem rather than an IT issue, or be left exposed when cyber threats arrive.

Any modern business that is not already aware of the importance of cybersecurity is poised for failure and has certainly not been paying attention to the news. The last couple of years in particular have brought a procession of ransomware attacks, phishing campaigns and exploited software vulnerabilities. Some of these breaches will no doubt go down in the history books.

We talk at length about security, and about the CISO having a seat at the boardroom table, and this matters now more than ever. Threat intelligence and IT teams must work closely with the board, making members aware of the risks and threats to the organization's digital platforms in a timely, relevant and coherent manner. With that picture in hand, the business can make informed decisions on investment and implement the changes needed to bolster its defenses. The U.K.'s National Cyber Security Centre (NCSC) has gone so far as to publish a "Cyber Security Toolkit for Boards" that makes exactly this point and sets out the steps board members should be taking.

Yet with the attack surface growing at record speed and attackers ramping up their efforts, the task can feel overwhelming. Where should the board put its focus?

There are three notable areas: ransomware, insider threats and supply chain risk.

Extortionate Demands

Perhaps unsurprisingly, the concern that should be top of mind (if it isn't already) is ransomware. Our own research found that almost 60% of U.K. businesses with over 2,000 employees have fallen victim to ransomware. According to Verizon's 2021 Data Breach Investigations Report, ransomware was involved in 10% of breaches, double the previous year's share. Just recently, Costa Rica's president declared the country "at war" with the ransomware group Conti.

This shows the power such groups are accumulating. Add ransomware as a service and we have the perfect storm: anyone in the criminal underworld can now rent the tooling they need to run a successful attack, with no need to build it themselves.

The Imposter Among Us

The next threat comes from within the organization. When employees are onboarded, they are often handed the keys to the kingdom: access to confidential data and logins to privileged systems. Without due attention, some employees end up with far more access than their jobs require, and every unnecessary entitlement is one more thing an attacker, or the employee themselves, can misuse. Access should be granted on a least-privilege basis and reviewed regularly, not only at onboarding.
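As an added illustration (not from the article or from Adarma), here is how a periodic entitlement review that catches this kind of over-provisioning can be expressed in code: each account's grants are compared against a baseline of what its role needs, and anything beyond that baseline, especially privileged access, is flagged. The role baseline, the list of privileged permissions and the accounts are constructed sample data, and the permission names are hypothetical.

```python
"""Entitlement review: flag access beyond what an account's role requires.

Added example; role baselines, privileged permissions and accounts below are
constructed sample data with hypothetical permission names.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Constructed role-to-permission baseline: the minimum each role needs.
ROLE_BASELINE: Dict[str, FrozenSet[str]] = {
    "finance_analyst": frozenset({"erp:read", "reports:read"}),
    "hr_generalist": frozenset({"hris:read", "hris:write"}),
    "sre": frozenset({"prod:ssh", "prod:deploy", "monitoring:read"}),
}

# Constructed list of permissions that warrant extra scrutiny when found
# outside their intended role.
PRIVILEGED: FrozenSet[str] = frozenset(
    {"prod:ssh", "prod:deploy", "hris:write", "iam:admin"}
)


@dataclass(frozen=True)
class Account:
    user: str
    role: str
    grants: FrozenSet[str]


@dataclass(frozen=True)
class Finding:
    user: str
    excess: FrozenSet[str]             # grants beyond the role baseline
    privileged_excess: FrozenSet[str]  # the subset of excess that is privileged
    unknown_role: bool                 # role has no baseline at all


def review_entitlements(
    accounts: List[Account],
    baseline: Optional[Dict[str, FrozenSet[str]]] = None,
    privileged: FrozenSet[str] = PRIVILEGED,
) -> List[Finding]:
    """Return one Finding per account whose grants exceed its role baseline.

    An account whose role has no baseline is reported with every grant as
    excess: nobody has stated what that role needs, so nothing is justified.
    Accounts that hold a subset of their baseline produce no finding.
    """
    if baseline is None:
        baseline = ROLE_BASELINE
    findings: List[Finding] = []
    for acct in accounts:
        allowed = baseline.get(acct.role)
        if allowed is None:
            excess = frozenset(acct.grants)
            unknown = True
        else:
            excess = frozenset(acct.grants - allowed)
            unknown = False
        if excess or unknown:
            findings.append(
                Finding(acct.user, excess, frozenset(excess & privileged), unknown)
            )
    return findings


# Constructed sample accounts: one clean, one over-provisioned with a
# production login it should not have, one with an unrecognised role.
SAMPLE_ACCOUNTS: List[Account] = [
    Account("alice", "finance_analyst", frozenset({"erp:read", "reports:read"})),
    Account("bob", "finance_analyst",
            frozenset({"erp:read", "reports:read", "prod:ssh"})),
    Account("carol", "contractor", frozenset({"hris:read"})),
    Account("dave", "sre", frozenset({"monitoring:read"})),
]

if __name__ == "__main__":
    for f in review_entitlements(SAMPLE_ACCOUNTS):
        tag = "UNKNOWN ROLE" if f.unknown_role else "EXCESS"
        print(f"{tag:12} {f.user}: {sorted(f.excess)}"
              f" privileged={sorted(f.privileged_excess)}")
```

Run as a script, the review reports bob's stray production login and carol's unmodelled role while saying nothing about alice or dave. In practice the baseline comes from the HR or IAM system of record and the grants from each platform's API; the comparison itself does not change, and the privileged subset is what goes to the top of the review queue.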

In a minority of cases, cyber incidents arise from malicious intent: an employee might see an opportunity to gain financially by selling confidential information to a competitor, or may harbor resentment toward an employer. According to a recent Ponemon Institute report, malicious insiders caused 26% of insider incidents over a 12-month period, at an average cost of $648,062 per incident.

Nevertheless, it is the negligent employee that organizations should be most wary of, because the leading cause of an incident usually comes down to human error. The same Ponemon report found that 56% of insider incidents were due to employee or contractor negligence.

Partners In Crime

Last but not least is supply chain risk. Businesses are increasingly reliant on third-party partners to operate and thrive, and for those partnerships to work, information must be shared. As sensitive data frequently changes hands along the supply chain, each party must take the necessary steps to guard it against prying eyes. Otherwise, an organization may quickly find itself in hot water over a breach that occurred outside its control and is much harder to contain. Wherever the incident originates, the reputations of everyone involved take the hit, which makes cybersecurity a mutually beneficial endeavor.

In all three cases, the best protection is preparation. The biggest step is being aware of the threats and receptive to the advice your security team offers. Next, invest in technologies and services that monitor your IT estate for vulnerabilities, high-risk threat vectors, unauthorized devices, security misconfigurations and the like; better still, choose solutions that also help you remediate what they find efficiently. Finally, prepare for the worst-case scenario by building, and rehearsing, a comprehensive incident response plan. In return, your CISO and security team should embrace digital transformation as a business imperative and drive it with the same passion and rigor as the rest of the board. That means moving to an enablement mindset.

The CISO as the "office of no" is badly out of date.



