The number of data breaches reported globally in Q1 2019 has already crossed 1,900, exposing over 1.9 billion records, higher than in any comparable period before.
Systems and applications that were considered “safe” now appear in the top-10 list of vendors with the most disclosed vulnerabilities.
The median time APAC organizations take to detect a breach after the initial intrusion (the “dwell time”) is 498 days. That is roughly five times the global median dwell time of 101 days.
"Cut off one head, two more shall take its place." - Heinz Kruger (HYDRA operative in Captain America – The First Avenger)
This year we are witnessing an unprecedented volume of vulnerability disclosures, affecting the biggest vendors and the most widely used systems and software. Social engineering attacks such as “phishing” and “vishing” scams continue to deceive us. Advanced tools developed by state actors for government surveillance are falling into the hands of criminal hackers, who use them for personal gain.
Your security team, if you have one, or otherwise your IT team, is probably struggling to patch all of these vulnerabilities while keeping the business running safely. Finding the resources to manage this risk effectively is a constant challenge even for large organizations, let alone small and medium ones. Just when all our resources and energy have gone into patching one major vulnerability, another raises its head, just like “HYDRA”. So are we fighting a losing battle here?
"I am inevitable!" - Thanos (Avengers: Endgame)
Business leaders want to focus on business growth, and from that vantage point, spending precious time, energy and resources on cyber and information security looks like an unnecessary distraction. However, new data protection and privacy regulations are springing up across the globe and making life difficult for businesses that neglect security. Some of these regulations impose heavy fines for data breaches, and some have even proposed imprisonment for the responsible officials.
When the “infinity stones”, i.e. your confidential data or customer information, fall into the hands of the “Thanos” hackers, half your world can be wiped out. This is not comic-book material anymore: we have seen multiple companies lose millions of dollars in fines and market capitalization because of data breaches.
"Even if there's a small chance" - Black Widow (Avengers: Endgame)
So what can we do to protect our “infinity stones” from the villains of the cyber world? The biggest issue is that cybersecurity is rarely built in “by design”; it is bolted on as an afterthought. We try to add security tools and patches after the solution is already built and ready for launch. When a security scan or penetration test finally turns up vulnerabilities, the business demand is almost always to go live immediately and either remediate in parallel or fix them in the next release. The trouble is that a known vulnerability shipped to production is exploitable from the day it goes live, not from the day the fix is scheduled.
“How do we know it's going to end any differently than it did before?” - Hulk (Avengers: Endgame)
It's a Business Issue, Not just an IT issue!
Business leaders need to treat cyber security as a business issue, not just an IT issue. Most businesses want to ride the digital wave and are running multiple digital transformation projects. They need to understand that security risks deserve the same attention as the UI and UX, rather than being an afterthought or a checklist item before go-live.
They need to involve security professionals at the design stage and throughout the sprints. In an agile delivery model, a single security scan just before go-live is not enough. Developers need to be trained in secure coding principles and should be checking their own code as part of every build, rather than waiting for a release-time scan to find the problems. The APIs the application exposes need to be secured too.
Businesses are moving towards “mobile first” and “cloud first” strategies. While the cloud offers many benefits, not all cloud vendors offer the same level of security, so it is imperative for businesses to have a secure cloud strategy and to obtain the requisite assurance from their cloud vendors. Similarly, mobile apps need to be secured, because mobile devices are prone to being lost and to being connected to insecure Wi-Fi networks. The apps themselves can be reverse engineered, and fake apps carrying malware can be substituted for the real ones.
Do "Whatever it takes." - (Avengers: Endgame poster)
What can Business Leaders do differently to manage cyber risk?
1. Get a cyber risk assessment done for your business, and take a 360-degree approach: insider threats, external threats, third parties, business partners and customers.
2. Invest time in understanding security: get a briefing from your security team or outside experts on the top cyber risks for your organisation.
3. Cyber security is a building block of your business; if the foundation is not built properly, risk is inevitable. Build and implement a robust security framework.
4. Involve security professionals right from the ideation stage, not just for IT projects but for business projects too, including M&A activity.
5. Provide adequate time, tools and resources for cyber security and risk management, and give it the importance it deserves.
6. Be prepared for breaches: build an incident response playbook, rehearse it, and test your preparedness regularly.