SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Why cyber risk management should be top priority in 2022
Thu, 10th Mar 2022

Has your leadership team spent much of the past two years in firefighting mode, responding to the issues that COVID-19 has created? Join the club. Around the region, organisations of all industries and sizes have gone through similar experiences: pivoting to remote work, shoring up supply chains, managing cash flow, and combatting the staff shortages that two years of closed borders have created.

In many instances, identifying and mitigating risk in a rigorous, systematic way has taken a backseat. This is hardly a surprise when teams are fully engaged in grappling with the everyday challenges of trekking through COVID-19.

But with the economy and society continuing to open up, that's likely to change. Finding smarter and better ways to deal with governance issues and manage cyber risk and compliance will be a popular boardroom agenda item, as decision-makers look to reduce the risk of being blindsided by adverse events.

The cyber-crime onslaught

One of the most dangerous events your organisation may have to grapple with in 2022 is also one of the most likely: cyber-crime.

Over the past two years, COVID-19 hasn't been the only thing that's spread like wildfire. The already thriving cyber-crime “industry” has seen significant growth lately, as hackers and cyber-criminals have sought to cash in on the fear, anxiety, and confusion the virus has caused.

Shortly after the pandemic was officially declared, we saw individuals bombarded with opportunistic, COVID-19-themed phishing campaigns and scams. Businesses, meanwhile, have been subjected to a barrage of ransomware attacks: by the Australian Cyber Security Centre's reckoning, their incidence increased by 60 per cent between 2020 and 2021. Scores of entities have fallen victim.

Moreover, the remote and hybrid working arrangements many organisations adopted on the fly (and continue to persist with, two years on) opened up an extraordinary new attack surface, made up of distributed mobile devices and connections that were not always adequately secured.

Tallying the damage

Despite the cyber-crime pandemic the country is experiencing, many organisations have continued to assess the risks it poses – to revenue, reputation, and business continuity – using legacy tools and technologies.

While quantifying risk is not an exact science, manual or antiquated processes make it desperately inexact.

In today's digital business landscape, heatmaps and systems that score cyber risk as ‘high', ‘medium' or ‘low' do not reflect the extraordinary, enterprise-wide effect a major attack can have. An ordinal label cannot be added to another, compared with the cost of a control, or aggregated across business units, so it says little about just how much is at stake if organisations fail to adopt a robust cyber-security posture.

Indeed, organisations need to ask themselves how much risk they are prepared to stomach. For example, as organisations become increasingly reliant on digital technologies, is the risk they face increasing or simply changing in nature? Just how aware are businesses of the risk landscape that exists? Should a greater proportion of IT budgets be allocated to security? How much? What implications does the growing use of cloud platforms have for an organisation's risk profile?

This is all the more critical given legislation such as Australia's Critical Infrastructure Bill, a major piece of legislation that sets out new rules for how organisations deemed ‘critical' to Australia's national interests must prepare for cyber attacks. The legislation is a major consideration for Australian business and security leaders, as it sets new cyber standards and compliance requirements.

Tools to make the task easy

What's needed is detailed reporting that analyses the impact of cyber incidents in numerical terms and assesses the damage in dollars and cents.

An advanced cyber-risk quantification platform can provide this analysis, replacing guesswork with explicit, documented assumptions that can be challenged and refined as better data arrives. Modelling tools can be used to simulate a range of scenarios and produce insights that can be used to inform cyber-spending priorities and projects.

Being equipped with this quantified view of cyber-risk allows senior leaders and the C-suite to appreciate and act on cyber-risk, and to understand the risks they run if they fail to do so. In addition, by quantifying risks, CISOs can rank which risks matter most and then direct a greater share of the risk budget toward those higher-priority risks.
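To make the scenario modelling described above concrete, here is an added example of the kind of calculation such a platform performs; it is not MetricStream's code or the article's, and it follows the frequency-times-magnitude structure of FAIR (Factor Analysis of Information Risk). Each scenario is given an expected number of loss events per year and a 90% confidence interval for the loss per event, a Monte Carlo loop simulates many years, and the output is the expected annual loss in dollars, a 95th-percentile "bad year", the probability of exceeding a stated loss tolerance, and the net value of a candidate control. The scenario figures, the $500,000 risk appetite and the control cost are constructed illustrations, not data from the article.

```python
# Added example (not MetricStream's or the article's code): a FAIR-style
# Monte Carlo that turns a cyber-risk scenario into annualised dollar figures.
# All scenario numbers below are constructed for illustration.
import math
import random
from dataclasses import dataclass, replace

Z90 = 1.6449  # z-score bounding the central 90% of a normal distribution


@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: float  # expected loss-event frequency (Poisson mean)
    loss_low: float         # 5th percentile of the per-event loss, in dollars
    loss_high: float        # 95th percentile of the per-event loss, in dollars


def lognormal_params(low: float, high: float) -> tuple[float, float]:
    """Map a 90% confidence interval (low, high) for a positive quantity to the
    mu/sigma of a lognormal whose 5th/95th percentiles match that interval."""
    if not 0 < low < high:
        raise ValueError("need 0 < low < high")
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z90)
    return mu, sigma


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small event rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(s: Scenario, trials: int = 20_000, seed: int = 1) -> list[float]:
    """One trial = one simulated year: draw how many loss events occur, then a
    loss magnitude for each event, and sum them."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(s.loss_low, s.loss_high)
    annual = []
    for _ in range(trials):
        n = poisson(rng, s.events_per_year)
        annual.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    return annual


def percentile(values: list[float], q: float) -> float:
    """Nearest-rank percentile (q in [0, 1]) of an unsorted list of values."""
    ordered = sorted(values)
    k = max(0, math.ceil(q * len(ordered)) - 1)
    return ordered[k]


def summarise(annual: list[float], tolerance: float) -> dict[str, float]:
    """Board-level figures: expected annual loss (ALE), the 95th-percentile
    'bad year', and the probability that a year exceeds the loss tolerance."""
    return {
        "ale": sum(annual) / len(annual),
        "p95": percentile(annual, 0.95),
        "p_exceed": sum(1 for x in annual if x > tolerance) / len(annual),
    }


def control_net_benefit(s: Scenario, annual_control_cost: float,
                        frequency_reduction: float, trials: int = 20_000) -> float:
    """Dollar value of a control that cuts event frequency by the given fraction:
    ALE avoided minus the control's annual cost. Positive means it pays for itself."""
    before = summarise(simulate_annual_losses(s, trials), tolerance=0)["ale"]
    residual = replace(s, events_per_year=s.events_per_year * (1 - frequency_reduction))
    after = summarise(simulate_annual_losses(residual, trials), tolerance=0)["ale"]
    return (before - after) - annual_control_cost


# Constructed scenarios: a ransomware outbreak and phishing-led account takeover.
RANSOMWARE = Scenario("ransomware", events_per_year=0.6,
                      loss_low=50_000, loss_high=2_000_000)
PHISHING_ATO = Scenario("phishing account takeover", events_per_year=4.0,
                        loss_low=2_000, loss_high=60_000)

if __name__ == "__main__":
    tolerance = 500_000  # hypothetical board risk appetite: max tolerable loss in a year
    for s in (RANSOMWARE, PHISHING_ATO):
        r = summarise(simulate_annual_losses(s), tolerance)
        print(f"{s.name:28s} ALE ${r['ale']:>12,.0f}  p95 ${r['p95']:>12,.0f}  "
              f"P(loss > ${tolerance:,}) = {r['p_exceed']:.1%}")
    # Does a $150k/yr control that halves ransomware frequency pay for itself?
    print(f"net benefit of halving ransomware frequency: "
          f"${control_net_benefit(RANSOMWARE, 150_000, 0.5):,.0f}")
```

The design point is that every input is an explicit, reviewable assumption (an event rate and a calibrated loss range) rather than a colour on a heatmap, so two scenarios can be compared in the same units, a control's cost can be set against the loss it avoids, and the board's risk appetite becomes a testable threshold (the probability of exceeding it) rather than a slogan. The lognormal loss distribution is a common but not mandatory choice; heavier-tailed distributions or empirical claims data can be substituted without changing the structure.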

Investing in a more secure future for your enterprise

Such platforms are not yet ubiquitous in Australia and New Zealand, but it's likely they very soon will be. Forward-looking chief risk officers and chief information security officers are already cognizant of their value as a strategic decision-making aid, one which can help them measure, manage, and understand cyber-risk holistically.

The insights they produce can make a material difference to the size and allocation of cyber-security budgets and result in more robust protection across the enterprise for systems, data, customers, and employees.

Article by MetricStream APAC managing director, Michel Feijen.