Since the start of the pandemic, the cyber landscape has continued to evolve at pace.
With more employees required to work remotely and flexibly, business processes—including security controls—were forced to adapt accordingly, which exposed weaknesses and heightened the risk of cyber attacks considerably.
Historically, the focus of organisations when it came to cyber security was on prevention and shoring up defences to ensure the likelihood of cyber incidents occurring was minimised.
However, as the frequency and severity of cyber incidents have continued to grow—with a 13 per cent increase in the number of cybercrimes reported in Australia over the 2020-21 financial year compared to the previous period—businesses are now recognising cyber attacks as an inevitability, rather than a vague possibility.
Adequately preparing for the inevitability of a cyber incident must involve a shift in mindset from prevention to resiliency; transforming your cyber strategy to put the business in the best possible position when it comes to preparing for, responding to and recovering from cyber incidents.
Time is of the essence during a crisis and the speed at which organisations can restore key processes after experiencing a cyber incident goes a long way in minimising both financial and reputational impacts.
Ensuring cyber resilience
In Q4 2021, Kroll observed a 356% increase, compared with Q3 2021, in initial access to networks gained by exploiting common vulnerabilities (publicly known, unpatched security bugs) and zero-day vulnerabilities (recently disclosed flaws for which no patch or mitigation yet exists), alongside malware, phishing and social engineering.
By the end of December 2021, Kroll also saw a spike in new ransomware sites controlled by threat actors (the individuals or groups deploying malware that encrypts data and demands payment for its release) and in new ransomware variants, as cybercriminals adapted and regrouped to exploit weaknesses in companies' defences.
This kind of cyber intelligence corroborates the anecdotal evidence being shared by many cyber practitioners at present. It highlights the speed at which cybercriminals are adapting their tactics and demonstrates why organisations must evolve accordingly to ensure an adequate level of resilience and a security posture commensurate with the sophistication of the attacks they face.
Key to ensuring cyber resilience is a focus on both enterprise risk management and resiliency planning, which consist of a number of mutually reinforcing components, including:
- Risk assessment, the overall process of identifying, analysing and evaluating the threats and vulnerabilities an organisation faces.
- Crisis management, the overall coordination of an organisation's response to a crisis so that it is effective and timely, with the goal of avoiding, containing or minimising damage to the organisation's profitability, reputation and ability to operate.
- Business continuity planning, which identifies the mission-critical business processes that must survive a significant disruption or disaster in order for the company to remain solvent.
- IT disaster recovery, a foundational element of an enterprise business continuity plan that addresses the recovery of technology. This includes the recovery of IT infrastructure, systems, applications, third-party vendor-supplied technologies and telecommunications.
- Emergency preparedness, the capability that enables an organisation to respond to an emergency in a coordinated, timely and effective manner to minimise the severity of its impact.
The gap that exists in many organisations between security leaders and business executives can hamper the identification and remediation of security risks, which businesses cannot tolerate in today’s environment. The old-fashioned mindset that you can relegate cyber security to a subgroup of the IT department is no longer appropriate for organisations facing modern-day cyber threats.
Cyber security and resilience, done correctly, are business enablers. They must be factored into business-wide strategic planning and efforts should be led from the boardroom to ensure they achieve buy-in from management and across the business. There are few cyber controls that wield more influence than an engaged management team.
With virtually every area of businesses today being digitally connected, management must demonstrate a commitment to cyber resilience by prioritising risk mitigation efforts across all levels of their business.
Kroll recommends 10 Essential Cyber Security Controls for Increased Resilience, which are now recognised as industry standard. These mechanisms allow businesses to meet reasonable and appropriate safeguard thresholds while also improving their eligibility for cyber insurance coverage.
Managing supply chain vulnerabilities
The interdependency of modern supply chains further underlines the importance of a resilient cyber security posture. Failing to implement cyber security controls can cause system downtime, monetary loss and reputational damage, all of which disrupt everyday business operations.
Compounding this, the COVID-19 pandemic has disrupted global supply chain networks in unprecedented ways. Labour and resource shortages, for example, have had a significant impact on the economy and have changed market dynamics over the past few years. These jeopardise the strength and security of supply chains and expose vulnerabilities that cybercriminals continue to exploit.
Other major supply chain challenges include geopolitical uncertainty, regulatory changes, supply chain reconfigurations and an increase in the number of natural disasters. Companies need to proactively address these evolving challenges as well as other hidden risks to improve resiliency to avoid costly disruptions to production and service delivery.
The length and complexity of today's supply chains mean that a cyber attack on any one organisation can reverberate through the entire chain. Attackers often shift their approach from targeting an organisation directly to looking for weaknesses in its supply chain.
Small third-party vendors that lack the financial or operational means to invest in cyber security controls may not present much of a prize in isolation, but they can give a threat actor an easy way to bypass the target's security controls, because the attacker enters from a trusted third-party environment.
To build cyber resiliency in this milieu of heightened geopolitical—and therefore cyber—risk, businesses must be proactive in identifying, assessing, mitigating and monitoring their less-visible supply chain risks.
This is a growing area of concern for many organisations and highlights the need for a supply chain cyber security assurance program to identify an organisation’s greatest security risks in the supply chain.
As governments and regulators around the world look to mitigate cyber risk, we see both a global and domestic trend of increasing regulation and corporate obligations for managing cyber risk that will continue to gain momentum.
With stronger enforcement action being deployed by regulators, which can lead to significant reputational damage and financial penalties, businesses cannot ignore their cyber security obligations.
This includes efforts taken not just to prevent or minimise the impact of a cyber attack, but also those taken to ensure the business is adequately prepared and able to detect, manage and recover from incidents in line with what is required from a regulatory perspective.
As the cyber security landscape grows even more complex and multifaceted, a mindset shift when it comes to maintaining cyber resilience and effectively managing cyber risk must become a top priority for today’s businesses.
Risk management and resiliency planning must involve all levels of business—it is most effective when it extends beyond the remit of security executives and is led from the boardroom. More than ever before, cyber security is everyone’s business.
Visit Kroll here: https://www.kroll.com/en/about-us/global-locations/asia-pacific/sydney