Over the past decade, organisations have struggled with an uncomfortable position: In an increasingly complex world, it’s becoming virtually impossible to understand cyber risk and have a measurable response. Cyber-attacks are increasingly pervasive and present a fundamental threat to companies, and CEOs, Boards and leadership teams need ways to evaluate cyber risk, even if they can’t grasp the technical details. This has led to an explosion in the demand for services to assist organisations with understanding their cyber-risk profile, both inside organisations and among external stakeholders.

Organisations have problems, and the way they govern and consume these services is contributing to the issue. It’s partly driven by organisational culture and internal processes such as investment, which have contributed to an overcomplication of the environment and a continued escalation of the problem. That escalation is making the problem appear insurmountable, so organisations struggle for a path forward.

As a consequence, organisations, unable to break the problem down into manageable chunks, have made it so large and complex that they are struggling to make rational choices. Executives are routinely bombarded with statistics like:

  • 6.95 million new phishing and scam pages were created, making it the most common attack in 2020, according to the FBI.
  • Nearly 3 out of 4 companies experienced a phishing attack in 2020.
  • 25.6% of all website traffic was made up of bad bot traffic, according to Imperva.

They then see breach reporting including:

  • Cybersecurity analytics firm, Cognyte, experienced a database breach of 5 billion records in May of 2021.
  • The LinkedIn breach exposed 700 million records in June-August 2021.
  • Social media giant Facebook also experienced a breach of more than 533 million accounts, which was uncovered in March 2021.
  • Bykea, the Pakistani ride-hailing app, experienced a breach of 400 million records in November.
  • Brazilian Ministry of Health faced a loss of 223 million records in January 2021.

Each year at the PwC Annual Global CEO event, they survey attendees on these and other risks. Nearly three-quarters of US CEOs said they are “extremely concerned” about cyber threats. They even put it ahead of the pandemic and other health crises. Add to this that during the response to the COVID-19 pandemic, organisations implemented a rapid transformation towards flexible working, with many employees starting to work remotely, increasing organisations’ digital footprint and their cyber risk profile.

The key to making good decisions is having the right information to support understanding, but the survey also found only 33% of directors say they think their board understands the company’s cybersecurity vulnerabilities very well. That is despite this being a major topic on board agendas for several years.

The regular questions CEOs, Boards and leaders ask are:

  • What is my organisation’s risk profile?
  • What can I do to mitigate cyber risks?
  • If I cannot afford to do everything, what choices can I make?

The challenge of complexity

In my experience, part of the issue at play is how organisations silo activities and the data related to them. IT, CISOs, Finance, Information Management, Privacy and others all create their own view of an organisation to explain the complexity from their perspective.

Coupled with that, the data related to those views can be locked away in proprietary IT Service Management, Financial Management or Records management solutions, unable to be integrated and unleashed to inform organisational decision making.

Organisations need to simplify their organisational data to become data-driven, integrating the different perspectives, to successfully navigate the complexity and reduce risk.

How can you adequately manage the risk around your operations and data, if you do not have any visibility of what it takes to deliver value to your customers? In an overly complex environment, that visibility is significantly compromised.

Organisations lean on specialised experts to try to gain an understanding of their cyber risk, and these activities are successful to some degree. But they rely on organisations having data to start with. And really, can you truly understand that complexity, which was created over numerous years, within a few weeks? Even more, how can your staff, who are responsible for supporting your cyber security posture, understand that complexity if you needed an expert to decipher it?

For years, organisations have accepted this complexity as a natural consequence of doing business and, because of that, they have effectively surrendered to those consequences. Their only response is to build ever bigger walls around their network, which, with the shift to cloud and remote working, have now been compromised.

I say that does not have to be the case.

Understand your environment to understand your risk

In this complex world, there is a tendency to leap to complex solutions. As we all know, however, you can’t build a house on a shaky foundation, so getting the basics right is imperative.

If you have exposed vulnerabilities in your digital systems, then it doesn’t matter who the threat actor is, state-sponsored or kiddy coder, they have an opportunity. Organisations will tend to focus on their high-risk business systems, forgetting the old project time recording system sitting on an old Windows XP computer run by the EPO.

Vulnerabilities can exist anywhere in your environment, providing a gateway to your high-risk systems. Because of this complexity, however, organisations are falling short of the basics. Results from Edgescan, a smart vulnerability management services provider, in their 2022 vulnerability statistics report:

  • 57% of all observed vulnerabilities are more than two years old, with as many as 17% being more than five years old
  • 1.5% of known, unpatched vulnerabilities are over 20 years old, dating back to 1999

Also, according to PurpleSec, 98% of cybercrime relies on social engineering.

Organisations are falling short on the basic vulnerabilities because they are unable to gain clear insights due to complexity. If you do not have good data to drive insights into your systems, you cannot manage your risk.

It starts with data

If you don’t know what systems you have or how many remote access gateways you have open, then how can you understand cyber risk? Any system vulnerability can allow a threat actor to compromise your environment, so concentrating just on the high-risk systems won’t be enough. The primary objective of the approach is to

A few tips:

  • Your data must be enterprise-wide. Break the data silos and bring together that data to provide a holistic view.
  • Cyber risk isn’t just IT’s problem so the whole organisation needs to contribute.
  • Expose your shadow IT! There is a reason it is there; it’s better to know than to hide it.
  • There is probably already a wealth of data in organisations to describe their operating environment, as I previously covered. Don’t start again, reuse and refine these datasets.
  • Make sure there is something in it for those collecting and maintaining the data. It’s not all about the executive dashboard; staff need to see the value of the data and understand why it’s important.
  • Start small and take an agile approach to create your data capability. Progress over perfection at all times. Iterate to improve quality and consistency.
  • Start working with those that need to create and utilise the data for operational purposes; they know what makes sense and where that data can come from.
  • Understanding what systems you have, why you have them (the business value they create) and what data they hold is the starting point for all follow-on actions.

Once you have that data, there are so many processes that can be supported, from cyber risk through to resource management, planning and investment, but that’s for another article.

But there is a catch. The collection and maintenance of this data MUST become part of your DNA. My experience is that when organisations get a BA or consultant to develop this data, it falls into disrepair very quickly. There must be staff understanding and buy-in; after all, they are the ones you need to maintain the data once the BA or consultant is gone.

The maintenance of this data must become a standard part of your team’s work. That effort will be rewarded in time.

“Get the fundamentals down and the level of everything you do will rise” Michael Jordan

Next Steps

If you would like to talk more about the challenges of understanding your cyber risk and how to get started with data-driven decision making, or how I could help with your own initiatives, contact me via the link below.

https://www.hemlockconsulting.nz/contact-me