Tech Index 2022: Cybersecurity
No respite in struggle to stay cyber secure
Businesses are caught in an uncomfortable pincer movement as they battle to stay cyber secure.
On one side they face ever more sophisticated threats from criminal and state-sponsored hackers using increasingly sophisticated technology to exfiltrate data.
The move to remote working during the pandemic has exposed new vulnerabilities in cyber defences that few organizations anticipated in their pre-COVID-19 incident response planning.
Hackers have been quick to exploit these weaknesses, and we’ve seen a huge spike in ransomware attacks. Once the tactic was to lock up corporate networks to extort a ransom. These days, with the value of data rising rapidly, attackers are more likely to exfiltrate data from corporate networks, threatening to sell it on to third parties or to publish it on the dark web.
For every advance in cybersecurity systems, there is an equally speedy development in attack technology – a vicious arms race that shows no sign of abating.
At the same time, businesses are facing increasingly tough regulatory sanctions if they fall victim to an attack or suffer a breach.
Data protection regulators have found their teeth and are imposing increasingly punishing fines. In addition, they continue to tighten the rules within existing regulatory regimes.
The EU’s General Data Protection Regulation (GDPR) gives businesses a 72-hour window to report breaches. But in a recent decision, Ireland’s Data Protection Commission indicated that the 72-hour notification period should start not from when the breach was discovered, but when it ought to have been discovered.
One of the strictest conditions of GDPR has suddenly got stricter.
The conflict in Ukraine has also raised new regulatory issues. The threat of state-sponsored cyber-attacks has obviously risen, but regulators are also taking a very hard stand if they uncover evidence that ransoms have been paid to sanctioned organizations.
Confidence high, despite threat levels
Given these twin challenges, our survey results are in some ways surprising. Companies express increasing confidence that EU and national regulation are having a positive impact on growth (65% and 71%, respectively).
That is perhaps an indication that companies are getting used to operating in this highly regulated environment.
And we are seeing evidence that some are restructuring their businesses in a positive way to draw benefits from being part of what is a tough but relatively stable regime. For instance, some companies are headquartering in the EU to take advantage of the GDPR one-stop-shop mechanism.
Companies in our survey are also remarkably confident that they are cyber secure. A third say their systems are “extremely” secure, with 64% ranking them as “fairly” secure, roughly on a par with 2020.
Not that fears of being hacked have gone away. The proportion of companies saying they are extremely worried about falling victim to an attack or a breach has risen from 34% in 2020 to 37% in our latest survey, although this is lower than in 2018 (44%).
These findings match what we are seeing in our own practice. For many of our clients, cybersecurity is an ever-present and growing concern.
Guarding against complacency
But the findings are, in other ways, at odds with what we are seeing in the marketplace.
It is perhaps worrying that companies in our survey seem to be relying most heavily on technology to keep them safe. While it is important to keep up with the state of the art in this respect, it’s essential that companies continue to do the hard graft of basic governance as well.
Yet our survey suggests some are taking their foot off the pedal on governance.
For example, the proportion doing regular risk assessments has fallen quite sharply, from 90% in 2020 to 86% in 2022. The proportion regularly updating software has also dropped off, and 23% still say they have no response plan in place.
This could indicate that a degree of complacency is creeping in. Alternatively, it could reflect cost-cutting as tougher economic conditions take hold.
Either way, it’s a very dangerous game, not least because external attacks are just one of the vulnerabilities companies must take into account. A high proportion of data breaches still originate inside the organization, whether as a result of deliberate malpractice or purely by accident.
It’s vital that companies keep getting the simple things right. That includes proper training of staff to recognize suspicious phishing emails, efficient reporting systems to quickly escalate threats, regular risk assessments and proper risk management resourcing.
Defensive technologies, such as algorithms that can red-flag suspicious emails, have a part to play, but they can have unintended consequences.
Many financial services companies, for example, are deploying data loss prevention (DLP) technology and insisting that suppliers incorporate it into their own systems too. But DLP relies on close monitoring of content and of individual emails, and so may solve a cyber problem only to raise separate privacy concerns.
It’s important that businesses seeking to cure one legal headache don’t end up giving themselves an entirely different one.