By Elmar Geese, COO at Greenbone Networks
The coronavirus pandemic has seen a sharp increase in the number of cyberattacks, as cybercriminals take advantage of the current situation. Hackers are exploiting the increased number of vulnerabilities that widespread home working has introduced and are playing on people’s concerns over the pandemic.
Indeed, for the first time ever, cyber incidents are now the most important business risk worldwide, according to the 2020 Allianz Risk Barometer, pushing long-time frontrunner, business interruption, from first place. Companies are facing increasingly sophisticated attacks and expensive data scandals, and according to the Ponemon Institute, a serious data theft now costs an average of $42 million, eight percent more than last year.
Many companies are therefore looking for new, adaptable and sustainable ways to counter the growing number of threats. Cyber resilience is one of these solutions: an approach that protects organizations against cyber incidents now and in the future. However, according to a recent study by Frost & Sullivan and Greenbone Networks, only 36% of organizations in six key industries across Germany, France, the UK, the US and Japan have reached a high level of cyber resilience. The problem is that it is still often unclear what actually lies behind the concept of cyber resilience and which factors and capabilities are decisive. Below we bust the three most common myths about becoming cyber resilient:
Myth #1: Cyber resilience is a purely technological issue
Cyber resilience describes the ability of a company to remain business-capable despite an adverse cyber incident and goes beyond the mere protection of IT networks and systems. The approach is to create security from within the business processes rather than building a protective wall around them. Technology is therefore only one aspect.
People, company culture, processes and organization are just as important, as the way in which a company designs processes and involves employees plays a decisive role. One key strategy is that responsibilities must be clearly defined – the Frost & Sullivan report shows that almost all highly resilient companies (95%) follow the best practice of placing the responsibility for a digital asset with its owner, such as an individual or a department.
The study also identified the following core competencies: the ability to identify critical assets of any critical business process that could potentially be compromised by a cyberattack (97% of highly resilient companies), and the ability to mitigate and remediate identified vulnerabilities (94% of highly resilient organizations), including both technical and organizational vulnerabilities.
Myth #2: Resistance to cyberattacks is a question of budget
The study shows that highly resilient companies have on average a higher turnover and IT budget than less resilient ones. However, a closer look reveals that there is no correlation between the level of IT expenditure and the level of cyber resilience. What is more important is a fundamental understanding of business processes and an awareness of what the business-critical digital resources in the company are.
Especially when IT budgets are tight, it is important to focus the available resources on the most important assets. This often involves decisions that only managers can make, because they have to weigh up risks against costs. The report found that in 97% of highly resilient companies, cybersecurity is regularly discussed in senior management meetings – cyber resilience must therefore be located at the management level, and not just with IT.
Myth #3: Cyber-resilience concepts are only for large organizations
Large organizations aren’t the only ones that are affected by cyberattacks. Hackers long ago identified small and medium-sized enterprises (SMEs) as an attractive target. Data theft and industrial espionage aren’t limited to global organizations after all, and the fact that SMEs are often less well protected than large companies makes them an easier target. Per Verizon’s research, 28% of breaches in 2019 involved small business victims, and the Ponemon Institute found that 63% of SMEs reported a data breach in the past 12 months. The ability to adapt to such incidents, to act quickly, and to remain operational is therefore becoming a decisive competitive factor for companies of all sizes.
The road is long, but feasible!
Most companies in the world’s five largest economies are still in the early stages of their journey towards high cyber resilience, and there is still much work to be done. Companies can only achieve their goal by taking all three dimensions – “technology and infrastructure”, “people and culture” and “organization and processes” – into account in a comprehensive concept. Cyber resilience is not simply a question of technology, IT budget, or company size. Those who focus on their business-critical processes and assets, acquire key capabilities, and orient themselves to best practices are taking a big step forward.
Elmar Geese, COO, Greenbone Networks, is a noted entrepreneur, leader, advisor, business developer and community member with over three decades of experience in the IT sector, working as founder, manager and consultant. Most recently, he was CIO at the Berlin health start-up machtfit, where he was responsible for the company’s SaaS platform for occupational health management. As head of product development and operations, he also contributed to the long-term acquisition of customers such as Bayer AG, Deutsche Bahn, Lufthansa, Edeka and Lanxess.