A new report finds that most organisations lack the right mix of strategy and execution to tackle rising threats to cybersecurity. And the Internet of Things (IoT) is a growing part of the problem. Chris Middleton presents some solutions.
What keeps business people awake at night? The twin risks of cyber attack and fraud, says a new report from insurance giant, Hiscox.
The second Hiscox annual Cyber Readiness Report has just been published, and it presents an exhaustive study of responses to the cybersecurity challenge. To compile it, Forrester Consulting spoke to more than 4,100 senior executives in organisations of every size across the US, UK, Germany, Spain, and the Netherlands, in both the private and public sectors.
The report reveals that just under half of respondents (45 percent) have suffered a cyber breach in the past year – in 42 percent of cases due to an external hack. Of the organisations targeted, more than two-thirds (67 percent) suffered two or more attacks, while 21 percent suffered four or more. A small number were hit more than ten times last year, says Forrester.
Novice or expert?
So how ready were they to fend off the attackers? Forrester measured organisations’ strategies (their oversight and resourcing) against their ability to execute (their processes and technology). From these findings, analysts sorted respondents into three categories: novices, intermediates, and experts.
The bad news is that nearly three-quarters of organisations (73 percent) fall into the novice category, with just 11 percent qualifying as experts, says the report.
This is despite most respondents understanding the scale of the threat, explains Forrester. “While many firms lack adequate defences, most are keenly aware of the potential impact of a cyber attack. Two-thirds of respondents (66 percent) rank the cyber threat alongside fraud as the top risks to their business.”
So what sets an expert apart from a novice? Experts combine awareness of the business threats with strategy, professionalism, and proactive engagement, says the report.
“Cyber experts get support from the top and engage a broader range of stakeholders when setting their organisation’s cybersecurity strategy. Experts are more than twice as likely to agree that ‘there is formal support for cyber security from business leaders and executives on an ongoing basis’ (86 percent, versus 38 percent for cyber novices).
“In addition, more than two-thirds (68 percent) of cyber experts involve the board and executive management in setting strategy.”
The Internet of risks
A key challenge is that the Internet of Things (IoT) is emerging as a new cybersecurity risk, says the report.
Securing the IoT within the organisation was cited by 46 percent of respondents as a goal for 2018 – above investing in malware detection (45 percent), and improving incident response capabilities, ensuring third-party compliance, and reviewing internal security procedures (all on 44 percent).
“2018 promises to be the year when mandatory reporting of cyber breaches raises awareness and risk to reputations further, as the EU General Data Protection Regulation (GDPR) comes into force,” said Hiscox adviser Robert Hannigan, the former GCHQ director who set up the UK’s National Cyber Security Centre.
“The rapid growth of the Internet of Things will amplify insecurities by adding millions of new devices with minimal built-in security. For those trying to protect against attack, the shortage of cyber skills will continue to be chronic.”
The survey highlights a widening gulf between those who ‘get’ cyber security, take it seriously, and spend appropriately, and those who regard it as someone else’s problem, he added.
“Cyber security is not an IT issue, but rather a risk for the whole organisation; tackling it is more about people, behaviour, and culture than clever technology.”
Not good enough, says CEO
At least one person was unimpressed with the report’s findings: Gareth Wharton, cyber CEO at Hiscox. “As an end of term report, it might have the words ‘can do better’ scrawled on it in red ink,” he said. “It highlights the cyber readiness shortcomings of the majority of organisations in our sample, particularly the smaller ones.”
Indeed, size is part of the problem – along with budget, suggests the report. “The larger organisations in the sample are better prepared: more than one in five (21 percent) of those with 250 employees or more rank as experts. A further 17 percent qualify as intermediates. [By contrast] just seven percent of smaller firms rank as experts.
“Cyber experts had markedly bigger IT budgets than the novices ($19.8 million on average, versus $9.9 million) and devoted a higher proportion to cyber security (12.6 percent versus 9.9 percent).”
Nearly three out of five respondents (59 percent) plan to increase their cyber security budgets this year, explains the report. However, it warns: “Spending on technology is often the easy part. To be effective, you have to move on all fronts together. That means people, processes and technology.
“Simply spending on technology is not enough without a fully structured, rigorous set of processes, combined with people who are fully aware of the issues.”
Internet of Business says
Despite advising companies to throw money at the problem, the Hiscox report is a welcome reminder that cybersecurity is primarily a strategic business and people issue.
Security is as much a cultural challenge as it is a technology one, and awareness of organisational policy and good practice needs to reach all the way from the boardroom to the post room, and out into the extended network of partners and suppliers. Common sense is essential, especially when it comes to the IoT.
The only disappointment in the report (apart from the obvious lack of preparedness on the part of most organisations) is that, having called out IoT implementations as a new security risk, it offers little in the way of answers. And this is particularly the case with Hiscox/Forrester’s suggestion that big is better: with the IoT, even small organisations may have large sensor or smart-device estates.
With billions of connected devices coming on stream over the next few years – many produced by companies with no track record in enterprise security – one promising approach is that of companies such as Zingbox, which are deploying AI and machine learning to detect early signs of unorthodox usage patterns.
This, plus core systems that have trust embedded at the hardware/firmware level, would seem to be a better approach than attempting to patch billions of insecure devices after the fact.
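One way to do the kind of behavioural baselining described above, as an added example that is not Zingbox’s or the report’s own code: it learns a per-device profile (destination ports, active hours, outbound volume) from flow records and flags traffic that departs from it. The device names, ports and byte counts are constructed for illustration.

```python
"""Behavioural baselining for IoT devices: learn what each device normally does,
then score new traffic against that profile. Added example; all data constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline flow records: (device, hour_of_day, dst_port, bytes_out)
BASELINE = [
    ("cam-01", 2, 443, 1200), ("cam-01", 3, 443, 1300), ("cam-01", 4, 443, 1250),
    ("cam-01", 5, 443, 1180), ("cam-01", 6, 443, 1320), ("cam-01", 7, 443, 1210),
    ("hvac-07", 9, 8883, 400), ("hvac-07", 10, 8883, 420), ("hvac-07", 11, 8883, 390),
    ("hvac-07", 12, 8883, 410), ("hvac-07", 13, 8883, 405), ("hvac-07", 14, 8883, 415),
]

def build_profiles(flows):
    """Per-device profile: ports seen, hours seen, and bytes_out mean/stdev."""
    by_dev = defaultdict(list)
    for dev, hour, port, nbytes in flows:
        by_dev[dev].append((hour, port, nbytes))
    profiles = {}
    for dev, recs in by_dev.items():
        sizes = [b for _, _, b in recs]
        profiles[dev] = {
            "ports": {p for _, p, _ in recs},
            "hours": {h for h, _, _ in recs},
            "mean": mean(sizes),
            "stdev": pstdev(sizes) or 1.0,  # constant traffic would otherwise divide by zero
        }
    return profiles

def score_flow(profiles, flow, z_limit=3.0):
    """Return the reasons a flow deviates from its device's learned profile ([] = normal)."""
    dev, hour, port, nbytes = flow
    prof = profiles.get(dev)
    if prof is None:
        return ["unknown device"]  # a device with no baseline is itself worth a look
    reasons = []
    if port not in prof["ports"]:
        reasons.append(f"new destination port {port}")
    if hour not in prof["hours"]:
        reasons.append(f"activity at unusual hour {hour:02d}:00")
    z = (nbytes - prof["mean"]) / prof["stdev"]
    if abs(z) > z_limit:
        reasons.append(f"bytes_out z-score {z:.1f}")
    return reasons

if __name__ == "__main__":
    profiles = build_profiles(BASELINE)
    # Constructed new flows: a camera that suddenly talks SMB at night and pushes far more data
    for flow in [("cam-01", 3, 443, 1260), ("cam-01", 23, 445, 98000), ("pump-99", 1, 22, 10)]:
        print(flow, "->", score_flow(profiles, flow) or ["normal"])
```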