CEOWORLD magazine

Tuesday, January 20th, 2026 9:18 AM


50% of large organisations have reported a cybersecurity breach in the last six months – are we doing enough to protect ourselves?

Mehdi Paryavi

Global 2000 enterprises suffer an average loss of around $20 million from cyberattacks, according to research from the International Data Center Authority (IDCA), with 50 percent of them reporting a breach within the last six months. Recent research from IBM has estimated that the average cost of data breaches now reaches almost $5 million, and that 70 percent of organizations experiencing one reported “significant or very significant disruption.”

Drastic as those numbers may seem, an average doesn’t paint the entire picture. Damages from a few infamous cybercrime attacks have run into the billions of dollars. Beyond that, cyberwarfare has become a weapon that represents an existential threat to companies, service grids, and entire nations.

So, when asking whether we are doing enough in the area of cybersecurity to protect ourselves, the short answer will simply be “no.” Cyber-intrusion is a ubiquitous, global phenomenon. It is conducted around the clock by national governments and other maleficent state actors, criminal gangs, and individuals with a range of skills and wrong intentions. In the cyber world, the offense will always try to stay a step ahead of the defense.

Digitization Breeds Cyber Vulnerabilities

The most fundamental concept to understand here is that the journey to digitization is not risk-free. With the onboarding of new automated tools, apps, and services, we are also potentially opening attack vectors that did not exist before. The core of this problem resides in our not becoming holistically digital. We just deploy more apps, tools, and automation without really thinking about the key KPIs and critical components of any system, beyond the business functions that those tools are delivering to us. Many of the cybersecurity issues are at the application layer, which is typically neglected. We should have cybersecurity policies at the top level of any organization, followed by explicit cybersecurity requirements and specifications that we demand from every single application or service provider. Simply signing up for any 3rd party service provider that hasn’t been duly vetted is not going to make life any safer in the cyber world. Ultimately, of course, understanding the specifics of the actual infrastructure that each service provider is using to deliver these tools is a key question that needs to be addressed before onboarding any new contract.

What To Do – NIST and Beyond

An organization with significant IT – in other words, any organization – must contend with a panoply of threats today that includes trojans and ransomware, botnets, backdoor attacks, security camera attacks, sophisticated advanced persistent threats (APTs), and plain old information-stealing probes. Worldwide, these threats total tens of millions of separate attacks each month.

But there are specific policies and actions an organization can take to protect itself as much as possible, whether in business, government, or the NGO sector.

The growth of more rigorous demands for cybersecurity as data grows and attack surfaces widen has given birth to ways to defend against them. Cybersecurity regulations and frameworks are an increasingly dense, global patchwork of mandatory rules, voluntary guidelines, and sector-specific standards. Some are government-mandated (like FISMA in the U.S.), others are industry-driven (like PCI DSS for payment systems).

At the IDCA standards framework level, we guide stakeholders to the NIST 800-53 standards that have long been followed as the normative cybersecurity standards in the United States. These standards provide a comprehensive catalog of security and privacy controls for federal information systems and organizations, and entail a smart approach that all organizations can use.

Cybersecurity standards specs are organized into categories such as access control, risk assessment, and incident response. They are continually updated and focus on protecting organizational operations and assets (and people) from hostile attacks, human errors, natural disasters, structural failures, hostile state actors, and general privacy risks. The NIST standards specifically are “derived from mission and business needs, laws, executive orders, directives, regulations, policies, standards, and guidelines,” according to the agency.

Other NIST standards include NIST SP 800-171, which specifies the security controls for protecting Controlled Unclassified Information (CUI) in non-federal systems, and the NIST Cybersecurity Framework (CSF), which is voluntary and widely used within the private sector.

A sibling to these standards is FISMA (the Federal Information Security Management Act), which is required of federal agencies and enforces adherence to NIST 800-53 as well as NIST 800-37 risk-management practices.

Europe and much of the rest of the world follow the ISO/IEC 27000 standards. Identity management, access control, and threat identification remain at the heart of this approach. Within this group, ISO/IEC 27001 is the international standard for information security management systems (ISMS). It focuses on risk-based management, continuous improvement, and management oversight. ISO has noted that “most organizations stick to the most basic form of threat intelligence,” and urges them to be more curious about the benefits of incorporating a more rigorous cybersecurity environment.

The EU has incorporated cybersecurity into its well-known GDPR (General Data Protection Regulation), which regulates personal data protection and privacy for EU citizens, and requires rigorous technical and organizational security measures, data breach notification, and risk assessments. Additional rigor comes from the ENISA Cybersecurity Act. (ENISA is the European Agency for Cybersecurity, headquartered in Athens.)

The general frameworks discussed above can complement industry-specific frameworks such as:

  • PCI DSS (Payment Card Industry Data Security Standard), which is required for organizations handling credit card data, covers data encryption, access control, regular testing, and security management.
  • The US’s notorious HIPAA (Health Insurance Portability and Accountability Act) rules, meant to ensure data confidentiality for patients, as well as data integrity and availability.
  • The GLBA (Gramm-Leach-Bliley Act), dating all the way back to 1999, regulates the financial services sector in protecting private data.
  • CIS (Center for Internet Security) controls which deliver action plans that defend against common cyber threats. These plans can be adopted by smaller companies as well as large enterprises.
  • COBIT (Control Objectives for Information and Related Technologies) is from the professional association ISACA. COBIT provides a governance and management framework for enterprise cybersecurity.

The SEC Enters the Picture

The US Securities and Exchange Commission (SEC) has also been active in the cybersecurity space, with new rules in 2023 that cover cybersecurity risk management, strategy, governance, and incident disclosure for public companies.

Within the new frameworks (found in Forms 8-K and 10-K), public companies must promptly disclose cybersecurity incidents they determine to be material, along with a potential impact report. They must also identify their processes for assessing, identifying, and managing cybersecurity risks, and disclose whether cybersecurity risks can materially affect business strategy, operational results, or financial reports.

Keeping in line with much recent SEC activity, the rules also outline the responsibility of management and boards in assessing and managing threats to cybersecurity.

How AI Changes the Landscape

The widespread use of AI has, not surprisingly, wrought changes to the cybersecurity landscape. NIST produced its AI Risk Management Framework in January 2023, which remains voluntary for now and is designed to help organizations manage risks associated with AI systems, including cybersecurity vulnerabilities.

For its part, Geneva-based International Standards Organization/International Electrotechnical Commission (ISO/IEC) produced ISO/IEC 42001, which it touts as the first international management system standard for AI. Cybersecurity is integrated with data confidentiality, integrity, and availability, along with security in model training, deployment, maintenance, and monitoring AI behavior for unusual activity.

The Biden Administration jumped into the fray in October 2023 with an Executive Order on “Safe, Secure, and Trustworthy AI,” which directs NIST, CISA, the Department of Commerce, and other organizations to develop AI guidelines, look at risk management, and focus on the security of AI models. In Europe, ENISA has been active in AI as well, with threat analyses that cover cyberattacks on AI systems from several angles.

The Way Forward

Cybersecurity vendors are projected to grow by at least 12 percent annually for the next several years and reach a collective $400 billion in 2029, according to Boston-based BCC Research. There is also a continuing need for regulatory frameworks, security policies and practices, and general awareness among users to be vigilant, including being distrustful of unusual messages and behavior. The cyber offenders and criminals are not going away, AI is making systems more powerful (and thus more potentially vulnerable), and the need to manage large amounts of data on a global scale will only continue to increase.


Mehdi Paryavi
Mehdi Paryavi is the CEO and founder of the International Data Center Authority (IDCA), the world's leading Digital Economy think tank. Through the IDCA’s practices, he has worked with nations around the globe and unified the world’s leading experts from organizations such as Apple, Google, Microsoft, LinkedIn, AIG, Amazon, Bloomberg and global government departments under one collaborative framework to drive and direct the industry forward.

Mehdi Paryavi is a distinguished member of the CEOWORLD Magazine Executive Council.