With security breaches on the rise, cybersecurity has become a serious enterprise-wide risk management issue that needs to be strategically and operationally addressed. In the past, cybersecurity was largely viewed as a technical issue that was the preserve of the IT department but in today’s post-pandemic world the cyber risk frontiers have multiplied exponentially.
According to a recent study by the Cyentia Institute, the average number of publicly reported cyber events has jumped 44% over the last decade, with healthcare and finance among the most heavily targeted sectors. Combined, these incidents resulted in 72 billion compromised records and an estimated $57 billion of financial loss.
With regulators and insurance firms insisting organisations elevate their cyber and operational resilience or face the consequences, getting to grips with the day-to-day management of cyber and information security risks should be viewed as a mission critical priority.
Understanding the evolving cyber risk threat landscape
A number of factors are driving the exponential growth of cyberattacks that can lead to reputational losses as well as punitive fines and penalties for organisations. In addition to these damaging costs, IBM also highlights the disruptive consequences of cyberattacks for productivity and workflows; IBM’s research reveals it typically takes organisations an average of 280 days to recover from a cyber event.
Encompassing a wide range of threats that include data breaches, identity theft, financial fraud and disruptive cyber-attacks designed to cripple critical infrastructure, cybercrime has become an increasingly commoditised industry that is proving highly lucrative for today’s threat actors.
Working alone, in collaboration with other attackers or as part of an organised criminal group, they are taking advantage of the rapid evolution of technology and the increased convergence and interconnectivity of today’s digitalised environments to perpetrate attacks anywhere in the world.
The professional and personal risks for cyber attackers are low. Because they are adept at using software and proxy servers to hide their identity and evade detection or prosecution, the financial rewards on offer are proving a significant inducement to engage in these types of activities.
How much riskier can it get?
The proliferation of connected devices, the growth of remote working, and the shift to online service delivery have created a perfect storm for organisations looking to keep their systems, their people and their data secure. This is especially true now that crime facilitators provide a variety of ‘cybercrime-as-a-service’ offerings that make it easy to rent malware, launch DoS attacks or conduct phishing campaigns.
In addition to hardening system protections against an ever-changing threat landscape, organisations also need to ensure that users and customers are familiar with what constitutes safe online behaviours. No easy task when the emergence of generative AI tools has lowered the barrier to entry for those with malicious intent who may previously have lacked the skills to act.
The emergence of openly available AI tools like ChatGPT has raised significant concerns that hackers with limited technical skills are now able to write malicious code with ease, make phishing emails appear legitimate, and even clone people’s voices or images to take social engineering attacks to a new level. Today it takes as few as three seconds of audio to clone a voice that can be used to authenticate identity or conduct a scam.
Who’s knocking at the door?
Different types of threat actors use different techniques to achieve their goals, so an organisation’s cyber risk assessments will need to determine which groups are most likely to target its systems and data. That includes evaluating risk by association, as threat actors may target one organisation’s information systems in order to gain access to another’s environment.
Let’s take a look at the top types of threat actor and their approach techniques.
- Organised crime – these financially motivated syndicates typically come knocking after a successful ransomware attack to request a ransom payment or look to sell the data they’ve captured. Others may covertly hijack an organisation’s systems to mine for cryptocurrency.
- Nation state – government sponsored groups that are looking to capture government data, private sector IP or monitor financial markets by stealth. In times of geopolitical tension, they may attempt to overtly disrupt infrastructure and services.
- Ideologues – motivated by social or political causes, these so-called ‘hacktivists’ like to use techniques that will get their message heard. This may take the form of denying access to services or defacing websites.
- Thrill seekers – intent on overcoming cyber defences just to see if ‘they can’, thrill seekers usually knock something over for fun, recognition or bragging rights but still represent a serious threat.
- Insiders – this group includes malicious insiders or disgruntled employees who have a specific intent. A particular threat for certain sectors such as government, defence or critical infrastructure providers.
Putting the focus on operational resilience
Today’s leadership teams need to be able to map and understand their organisation’s cyber risk profile and compliance responsibilities in relation to specific regulations. Next, it’s important to initiate organisation-wide control and reporting mechanisms that make it possible to monitor operational resilience, elevate incident response, and map and understand the resources needed to prevent, withstand and recover from an attack. That includes evaluating supply chains and any third party services on which the organisation depends.
In the UK and the EU, regulatory changes for the financial sector place a strong emphasis on third-party risk management that cannot be ignored. The Bank of England, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) have set out potential measures to ensure that financial services firms are accountable for the resilience of services provided by critical third parties (CTPs). Similarly, the EU’s Digital Operational Resilience Act (DORA) is enforcing obligatory rules for third-party risk management, with accountability at a senior management level.
The stark reality is that cyber risk management is becoming increasingly interconnected with a broader risk and resilience strategy, and organisations will need to be confident they can demonstrate to regulators their operational resilience and business continuity capabilities.