Operational complexity and risk are increasing. As the pandemic and the war unfolding in Ukraine have laid bare, risk can manifest unexpectedly. On the cybersecurity front, the risk faced by organizations is increasing steadily year-over-year, with threat actors continuously refining attack methodologies. This in part explains why the cost and impact of cybercrime damages is expected to reach $10.5 trillion by 2025 – a 350%+ increase from 2015.
Cyber threats are increasing
In response to this shifting cyber threatscape, the US government issued an Executive Order on the 12th of May 2021, recognizing the need to strengthen the nation’s cybersecurity posture for public and private sectors alike. The war against Ukraine has increased the threat of nation-state cyber attacks and has underscored the need to improve cyber resiliency for both the public and private sectors. This has prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to issue a Shields Up notice calling for heightened awareness and increased protection of critical assets.
The Shields Up guidance includes the following recommendations:
Reduce the likelihood of a damaging cyber intrusion
- Validate remote access
- Ensure software is up to date
- Disable all non-essential ports and protocols
Take steps to quickly detect a potential intrusion
- Identify and quickly assess unusual network activity
- Ensure the organization’s network is protected by antivirus/anti-malware software
Ensure that the organization is prepared to respond if an intrusion occurs
- Designate a crisis-response team
- Assure availability of key personnel
- Conduct a table-top exercise so that all participants understand their roles during an incident
Maximize the organization’s resilience to a destructive cyber incident
- Test backup procedures to ensure that critical data can be rapidly restored, i.e. a Recovery Time Objective (RTO) measured in hours rather than days
The Shields Up guidance also calls for empowering CISOs, lowering the barriers to reporting threats, and focusing investment and resilience efforts on the critical business functions they support. It also recommends planning for the worst-case scenario, such as disconnecting high-impact parts of the network in the event of an intrusion.
As CISA rightly pointed out, basic cybersecurity best practice is important, too. This includes:
- Multi-factor authentication
- Updating and patching software
- Improving email security defenses to prevent phishing attacks
- Having an effective password policy in place and using strong passwords
The importance of a risk-aware culture
Moving beyond the Shields Up guidance, improving cybersecurity for critical and non-critical industries alike starts with ensuring that organizations have adopted a risk-aware mindset and culture. Evidence of this includes having well-developed and routinely exercised business continuity and disaster risk reduction plans, and ensuring that these are regularly updated in line with the business strategy and objectives.
Routinely reviewing the risk and threat landscape is important, too. In addition to cyber risk, other key risks to consider in risk mitigation planning include environmental disaster risk, biological risk and man-made risks, such as insider threats, accidents and geopolitical risk.
But the reality for most organizations is that it’s difficult to balance risk mitigation with a slew of other competing priorities.
Part of the challenge facing risk managers and risk mitigation efforts is inadequate resourcing (financial and non-financial). But the greatest impediment is the C-Suite’s failure to prioritize risk mitigation as a business-critical function.
Although the importance of prioritizing cybersecurity is starting to get due attention, the roots of the problem stem from the early days of viewing cybersecurity as a strictly IT function. As businesses digitally transform, data and information systems are now seen as the lifeblood of business.
Successful businesses are increasingly fostering a risk-aware culture that prioritizes the importance of cybersecurity along with key business objectives. These leaders understand that the robustness of the risk and the cybersecurity posture can determine whether a business survives a cyber disaster event.
Viewed this way, the cybersecurity resiliency of a business is integral to a business achieving its desired objectives.
Getting C-Suite buy-in
Getting C-Suite buy-in for cybersecurity initiatives can often be challenging. We have detailed a number of ways to get the necessary buy-in. At a high level, the three steps are:
Firstly, it’s about getting the C-suite to understand the risk and whether the current cybersecurity posture is commensurate with the threatscape.
The second step entails quantification of that risk. It’s important to quantify what the financial fall-out would be from a successful cyber attack. There are also important non-financial aspects that need to be considered, such as reputational damage and a loss of customer trust.
Finally, it’s about understanding the business criticality of being able to successfully recover your data and information systems in the event of an attack, in the shortest possible time frame. The longer that a business does not have access to its data and information systems, the greater the risk of catastrophic business failure.
Taking a business critical approach to risk and cybersecurity planning
Given the importance of fostering a risk-aware culture and prioritizing cybersecurity as a business critical function, it is imperative that businesses routinely review the current and emerging threatscape – and take appropriate action.
As the past 24 months have borne out, risks that had not been on the radar for decades can manifest within a short time frame.
A key part of taking a business critical approach to risk and cybersecurity entails regularly testing cyber defenses and ensuring that emerging threats are addressed as they arise, and with the urgency that they deserve.
To help ensure you’re prepared for today’s threats, we’ve included some resources from CISA and the UK’s National Cyber Security Centre (NCSC):
- CISA: Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure
- CISA: Shields Up guidance
- CISA: Known Exploited Vulnerabilities (KEV) Catalog
- CISA: Insights on Preparing for and Mitigating Foreign Influence Operations Targeting Critical Infrastructure
- CISA: Free Public and Private Sector Cybersecurity Tools and Services
- NCSC: Guidance on what actions to take when the cyber threat is heightened