By Jo Stewart-Rattray
In my discussions with colleagues and peers, it is pleasing to see the importance of cybersecurity awareness is growing among business leaders and board directors. Unfortunately, this awareness and understanding of cyber threats has come at a price, as the recent WannaCry and Petya ransomware attacks demonstrate how vulnerable and unprepared many organisations remain.
According to ISACA’s State of Cyber Security 2017 research, 65 percent of organisations now have a dedicated chief information security officer (CISO) on staff. This is a 15 percent increase compared to last year. Additionally, a recent study by The Australian Computer Society and Deloitte Access Economics predicts information and communications technologies (ICT) management and operations roles will grow in Australia by 2.4 percent per annum, with ICT technical and professional workers growing at 1.9 percent per annum.
However, the ISACA research also showed that, while cybersecurity budgets have expanded, the rate of growth is slowing. Only half of the survey respondents anticipated growth in their budget – down 11 percent compared to the previous year. This decreased growth comes at a time when cyber threats are increasing and becoming more sophisticated. As the research highlights:
- 80 percent of security leaders believe their enterprise will experience a cyberattack this year
- 50 percent of enterprises executed their incident response plan
- 53 percent report an increase in the year-over-year number of attacks.
Stagnant or reduced budgets could lead to an inability to keep up with the growing threat landscape, especially considering many enterprises are still experiencing a shortage of skilled cybersecurity professionals. This may result in CISOs having less budget available to prevent and respond to attacks.
Data is the New Black
At the turn of the century, the mantra for businesses was ‘knowledge is power’. As the knowledge economy continues to evolve, data is now a currency being traded on the darknet like commodities on the stock market.
To take another example, consumers used to worry about having their wallets stolen, resulting in the loss of money and credit cards. Today, credit card companies have systems in place to deal with theft immediately, and although the process is still annoying and time-consuming, consumers are more concerned about the theft of a mobile. This results in a higher-value loss – the loss of personal information, such as contacts and photos, and sensitive financial and business-related data.
Thankfully, with businesses addressing mobile security and encryption, this threat is decreasing rapidly. Now, hackers see a viable opportunity in the emergence of the Internet of Things (IoT). IoT has overtaken mobile as a primary focus for cyber defences, as 97 percent of organisations see a rise in its usage.
The rise of sophisticated ransomware further illustrates that data is now a currency. Half of respondents indicated that the motivation of attackers is most likely to be financial gain, and recent research from IBM showed most organisations pay the ransom. Financial motivations by hackers are likely to spur the development of increasingly sophisticated ransomware in the future. This may mean an uptick in the amount of malware and its complexity. Just as credit card companies have systems and processes in place to deal with theft, enterprises need to treat data like money and protect it vigorously.
What can Businesses do to Protect Data?
1. Information sharing is paramount. Enterprises must consider expanding participation in information sharing and collaborative-analysis venues. Better dissemination of what is known and better intelligence gathering, so that more is known, are both needed to ensure that organisations are as well connected to information on the latest threats as their adversaries are.
2. Build and maintain a strong cybersecurity workforce. Security professionals must not only be trained, but have their skills maintained using hands-on technical training and performance-based assessment, which is why this year ISACA developed the Cybersecurity Nexus (CSX)™ Training Platform. And this must be done while also assuring that these professionals understand the nature of the businesses for which they work.
3. Provide cybersecurity the resources required. Sixteen percent of survey respondents stated they do not have an incident response plan, and one in four organisations have training budgets of less than US$1,000 (A$1330) per cybersecurity team member. Companies still do not have the skills they need or the plans in place to prepare for advanced cyber threats. These things take resources.
My colleague, Christos Dimitriadis, Ph.D., CISA, CISM, past ISACA board chair and group head of information security at INTRALOT, commented recently, “There is a significant and concerning gap between the threats an organisation faces and its readiness to address those threats in a timely or effective manner. Cybersecurity professionals face huge demands to secure organisational infrastructure, and teams need to be properly trained, resourced and prepared.”
Enterprises should begin planning strategies now to ensure that they are prepared by investing in talent retention, professional growth opportunities, cross-training and other activities that maximise current staff and minimise the impact of attrition. The future viability of their organisations could well depend on it.
Jo Stewart-Rattray has over 25 years’ experience in the IT industry. She specialises in consulting in information security issues, with a particular emphasis on governance in both the commercial and operational areas of businesses. Jo provides strategic advice to organisations across a number of industry sectors, including banking and finance, utilities, automotive manufacturing, tertiary education, retail and government. Jo heads ISACA’s Connecting Women Leaders in Technology and chairs the Branch Executive Committee of the Australian Computer Society. She is also past chair of ISACA’s Audit Committee, Leadership Development Committee and Security Management Committee.
This article is an extract of the ISACA State of Cyber Security 2017, Part 2: Current Trends in the Threat Landscape. The full report can be read at: https://cybersecurity.isaca.org/state-of-cybersecurity