The World Economic Forum is today releasing its first Global Cybersecurity Outlook report. Raghu summarises the specifics of the report and highlights its disappointing presentation of cyber risks as technology risks rather than enterprise risks that directly impact the business.
<p>Even though ransomware is on the rise and is hyped in the media, we should not forget about the 95% of other threats, which are just as dangerous as ransomware threats. These may be less visible but can lead to data breaches or zombie systems, waiting for an outbreak to compromise IT systems.</p>
<p>According to <a href="https://www.ibm.com/uk-en/security/data-breach">IBM</a>, data breach costs rose from $3.86 million to $4.24 million. This increased during times of WFH and bring-your-own-device (BYOD) and has meant that the danger of an incident has become more likely.</p>
<p>In our internal studies, we have seen that educating users has not been very effective. Attacks are too sophisticated to be detected by someone outside of the security team(s) – meaning it falls to the SecOps Team to prevent threats reaching the system of the end-user.</p>
<p>Often, cybersecurity is an afterthought that is neglected. This must change. IT Security should be a conversation across all business units: the survival of your company could depend on it.</p>
<p>Firstly, I welcome this report from the World Economic Forum; it’s good to see this level of detail. While the findings are generally expected, it’s good that the WEF are highlighting these areas and setting a global benchmark that can be used by cyber leaders to help with strategy and their own digital transformation programs with a heavy security focus. The takeaway that interested me the most was the acknowledgement around digital transformation being the main driver for improving cyber resilience; all too often we see a rush around digital transformation with security being an afterthought. The discussion around ransomware and its significance in the current climate is clearly a hot-button topic and one that is front of mind for cyber leaders.</p>
<p>If I were to criticize the report, I would have liked to see more detail around security fundamentals and appropriate mitigations; while patching is acknowledged as an issue, greater focus on its importance would be useful. Similarly with passwords and MFA; all key components of a robust security program were found to be missing. Broad-level mitigations will help mitigate a large number of attacks / ransomware.</p>
<p>The WEF Global Cybersecurity Outlook reinforces 2 very specific items – both of which are essential to the continued improvement in risk posture overall. The first of these is that cyber resilience, despite being a relatively new concept, has seen focused investment and is seen as essential to reducing the amount of residual cyber risk. Furthermore, the importance of cyber resilience has grown as security executives identify their biggest fear to be the collapse of their infrastructure due to a cyber attack. This is a shift we have been encouraging for a while since security capabilities truly deliver value when they are harnessed together to not only provide protection but also ensure that the environment can react and recover from an incident – as it’s this benefit that truly reduces risk and makes possible the change from risk acceptance to risk mitigation. The second key takeaway, and this is more disappointing, is that cyber risks are still treated as technology risks by most business leaders as opposed to enterprise risks that directly impact the business. This is a significant awareness hurdle we need to overcome if cybersecurity is to get the appropriate amount of C-level attention. Importantly, the attention should not come on the back of an incident – i.e., after the bottom line has been affected – but rather business leaders should understand the correlation between cyber risk and enterprise risk and invest in reducing the former as a way of improving the latter. From this perspective, security should always be framed in the context of the business it is supporting – and being able to understand and articulate this context is the responsibility of both security and business leaders.</p>