Cyber Risk Management Has More Work to Do


Posted on by Robert Ackerman

No question about it. The management of cybersecurity risk among enterprises and small businesses has never been more difficult. The physical world is broadly connected to and controlled by the digital world, which is awash with cybercriminals. Moreover, the adoption of cloud services, inundated with errors and glitches, has been exploding for years.

Reliance on third-party vendors has never been more widespread. A recent study by Ponemon Institute estimates that the average company shares confidential information with 583 third parties. And if a third party processes data on behalf of an enterprise, it is the enterprise—not the third party—that is held accountable.

What can be done about all this?

Other than continuing to fight the war against cybercrime, it’s unclear. Cyber analytics and artificial intelligence have been evolving and improving cybersecurity for years, but not to the extent that they are diminishing the growing tide of attacks and breaches. The hope is that cybersecurity risk management will eventually mitigate the ever-changing attack landscape, powered by the mantra that continuous cyber improvement is essential among as many companies and organizations as possible.

Also vital down the road is cybersecurity governance, the system by which an organization works to control cyberattacks and provides oversight to ensure that risks are adequately mitigated. Traditionally, this was viewed through a limited lens and addressed mostly by cyber pros. Fortunately, this has been broadening, with seats at the table going to CIOs, CFOs, CEOs and, in some cases, even CISOs, the most advanced cyber technologists.

This is a promising development. As is the case with cyber risk management, however, more needs to be done. As just one example, only 12% of CISOs today sit on corporate boards, according to executive search firm Heidrick & Struggles.

Among all the entities plagued by cybercriminals, two, in particular, stand out. One is the remote workforce, which now accounts for more than a quarter of all American workers. The other is small businesses, which, like big companies, rely heavily on cloud computing and other technologies; however, unlike big companies, they don’t have the resources to properly protect themselves from cyberattacks.

Remote workers are at a disadvantage in terms of cyber protection because they work outside of better-protected offices. Making matters worse, too many of them fail to take cybersecurity seriously. According to recent research by Malwarebytes, nearly 20% of them didn’t think cybersecurity was a priority, and nearly 30% said they used less-secure personal devices for work-related activities more than their work-issued devices.

At the same time, ironically, a majority of managers interviewed scored their organizations relatively high in evaluating the readiness of employees to transition to work-from-home (WFH). Nearly 75% of managers said WFH employees were ready to make the at-home transition, and more than 60% said they didn’t urge employees to use antivirus software on their personal devices. Too many also failed to provide cybersecurity training focused on potential threats of working from home.

Small businesses fare even worse on the cybersecurity front. A recent study by Corvus, a cybersecurity insurance company, found that only 18% of companies with more than 250 employees have a dedicated cybersecurity budget. Separate studies have found that a whopping 60% of small companies close within six months of being hacked.

It’s widely believed that small businesses are too small to be a cyber target, but they have weaker cyber defenses, which hackers know all too well. Attackers have recently begun automating their attacks, hitting hundreds of small businesses at once. Moreover, many small businesses are third-party vendors to big companies, and attacks on them sometimes also wind up impacting their big customers.

Brand-new types of attacks may be coming down the pike in five or 10 years or so when quantum computing hits the market. This is viewed as the next logical step in the production of faster and more efficient computers. Classic computers manipulate ones and zeros to crunch through operations, but quantum computers use quantum bits—or so-called qubits. They use ones and zeros, just like classic computers, but also have a third state—a “superposition”—allowing them to simultaneously represent a one and a zero and enabling them to make several calculations at once. This substantially enhances computer speed.

Unfortunately, there is a downside to this technology. Quantum computing experts say it can shorten the time it would take to break into encrypted systems, possibly with severe consequences. Cybercriminals are said to already be collecting encrypted data today so that they can attempt to decrypt it in the future.

For now, prior to the advent of commercialized quantum computing, enterprises, small and large, still must deal with a slew of cybersecurity issues. If they haven’t already, they should start by assessing their cyber risks; doing so also gives their cyber teams practice in the communication and cooperation that future risk management will depend on. They should also rank their assets by importance and catalogue all the threats and vulnerabilities that apply to them. This may not ultimately stop a breach. But it might, and it’s a big step in the right direction.
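The assessment the post recommends (rank assets by importance, then weigh the threats and vulnerabilities against each) is usually kept in a risk register. The following is an added example, not code from the post or its author, of a minimal register that scores each asset/threat pair on a qualitative likelihood-times-impact basis and ranks the results. The 1-to-5 scales, the band thresholds and every entry in the sample register are constructed assumptions chosen to mirror the post's own themes (third-party vendors, remote workers on personal devices, data harvested now for later decryption); a real register would use the organization's own scales and inventory.

```python
"""Added example: a small risk register with likelihood x impact scoring.
Scales, thresholds and sample entries are assumptions, not data from the post."""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class RiskItem:
    asset: str
    threat: str
    vulnerability: str
    asset_criticality: int  # assumed scale: 1 (low) .. 5 (business-critical)
    likelihood: int         # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int             # assumed scale: 1 (negligible) .. 5 (severe)

    def score(self) -> int:
        # Asset importance weights the classic likelihood x impact product,
        # so that equal threats rank higher on more important assets.
        return self.asset_criticality * self.likelihood * self.impact


def validate(item: RiskItem) -> None:
    """Reject entries outside the assumed 1..5 scales so a typo cannot silently
    push an item to the top or bottom of the ranking."""
    for field in ("asset_criticality", "likelihood", "impact"):
        value = getattr(item, field)
        if not 1 <= value <= 5:
            raise ValueError(f"{field}={value} for {item.asset!r} is outside 1..5")


def risk_band(score: int) -> str:
    """Map a numeric score to a treatment band (thresholds are assumptions)."""
    if score >= 60:
        return "critical"
    if score >= 30:
        return "high"
    if score >= 12:
        return "medium"
    return "low"


def rank_risks(items: Iterable[RiskItem]) -> List[RiskItem]:
    """Return the register ordered highest risk first; ties break alphabetically
    so the order is stable across runs."""
    items = list(items)
    for item in items:
        validate(item)
    return sorted(items, key=lambda i: (-i.score(), i.asset, i.threat))


# Constructed sample register (not real data).
SAMPLE_REGISTER = [
    RiskItem("customer database", "ransomware", "unpatched VPN appliance", 5, 4, 5),
    RiskItem("payroll SaaS (third-party vendor)", "vendor breach",
             "no review of vendor security posture", 4, 3, 4),
    RiskItem("remote worker laptop", "phishing",
             "work done on personal device without antivirus", 3, 4, 3),
    RiskItem("archived encrypted backups", "harvest now, decrypt later",
             "long-lived data under non-quantum-safe keys", 4, 2, 3),
    RiskItem("marketing website", "defacement", "outdated CMS plugin", 2, 3, 2),
]


def report(items: Iterable[RiskItem]) -> List[str]:
    """Render one line per item, highest risk first."""
    return [f"{i.score():>3} {risk_band(i.score()):<8} {i.asset} / {i.threat}"
            for i in rank_risks(items)]


if __name__ == "__main__":
    for line in report(SAMPLE_REGISTER):
        print(line)
```

Running the block prints the ranked register; the "critical" and "high" bands are where budget and board attention should go first, and the validation step is deliberately strict because an unbounded score is the easiest way for a register to mislead the people governing it.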


Contributors
Robert Ackerman

Founder/Managing Director, AllegisCyber, AllegisCyber Capital
