Cybersecurity must be seen as an enterprise risk-management imperative and with the impact on business resiliency and increased regulatory requirements for public and private sectors, it is now vital for organisations to demonstrate they have clear oversight says Rafi Brenner at Fortinet.
Cybercrime tactics such as phishing and social engineering, commonly used to infect critical systems with malware or ransomware, have reached epidemic levels. And there are no signs of it slowing down. According to Statista, the global cost of cybercrime is expected to increase by nearly 70% over the next five years, growing to $13.82 trillion by 2028.
Cyber incidents can damage corporate operations, brand reputation, trust, and financial conditions. They can cripple revenue-generating and service-delivery processes and materialise into legal and regulatory fines, adversely impacting a company’s financial performance and valuations. And in cases in which critical infrastructures are involved, those risks can also affect the environment and even put human lives at risk.
As a result, the World Economic Forum’s latest report on global risks ranks cyber as the most significant sustainability risk to businesses, along with climate change, reaffirming why cyberthreats and cybersecurity governance have become top issues for regulators and corporate boards alike.
Increasing oversight
The widespread concerns about cyber risks and cybersecurity have led to heightened attention from regulators. Data privacy and breach notification laws were enacted in the United States in 2002. Even stricter regulations have been implemented in other regions, such as the General Data Protection Regulation, GDPR enacted by the European Union in 2016 and enforced since 2018 and the California Consumer Privacy Act, CCPA of 2018.
In addition, the US Securities and Exchange Commission, SEC recently adopted cybersecurity disclosure requirements, making it clear that cybersecurity is not just an IT issue. Instead, it is an integral component of a company’s broader enterprise wide risk-management structure.
These rules require public companies to report material cybersecurity incidents and disclose their cybersecurity risk management strategy and governance, effectively shifting cybersecurity governance responsibilities from the CIO’s and CISO’s offices to the board of directors.
As regulators tighten compliance requirements, effective cyber-risk and cybersecurity governance programmes must be implemented at the board level and include active engagement from the board and key corporate executives, such as the CIO, CEO, CFO, CSO, and CISO.
To achieve this, boards must show their expertise and oversight in ensuring appropriate leadership and strategies are in place to adequately manage cyber risks inside the organisation. Senior leadership must be involved in cyber-risk governance to ensure that the companywide governance plan aligns with overall corporate objectives.
Start at the top
Regardless of the organisation’s structure, those at the top have a duty to understand and monitor the critical cyberthreats that could impact the organisation. They need to oversee the strategies, policies, and procedures required to adequately mitigate risks and ensure that there is a response plan to contain the impact of a compromise.
They also need to ensure that they have systems to detect, investigate, and eradicate an intrusion and to comply with contractual, legal, and regulatory requirements. Once senior leadership is on board, a cyber-risk governance plan requires continuous assessments of the organisation’s business operations.
These cyber-risk assessments can help identify cybersecurity business risks and the organisation’s cybersecurity gaps and vulnerabilities before they become a crisis.
A robust information security programme should be anchored on a recognised security standard or framework, such as ISO and NIST. It also needs to be aligned with security and privacy regulatory requirements the organisation is subject to and that are recognised by external stakeholders, such as PCI-DSS, HIPAA, NERC, CJIS, NIS2, GDPR, PIPEDA, or CCPA.
Pursuing information security certifications is essential to protecting data and providing assurances to customers and investors about the maturity of the organisation’s readiness to defend itself against evolving cyberthreats.
The endorsement of policies and procedures by management and setting a tone from the top is essential to foster the adoption of new tools and behaviours critical to protecting the organisation’s key assets.
Taking the time to define and educate on cybersecurity policies and objectives helps ensure that the entire organisation understands the purpose of the security controls and that they are used correctly and consistently. Such policies are not static documents but require regular updates to reflect the evolving security posture of the business and the ever-changing cyberthreat landscape.
Cybersecurity culture
Cybersecurity is a team sport. Any person in the organisation can be a target or fall victim to a compromise through a phishing or social engineering campaign, accidentally misconfiguring or not patching a vulnerable system, or inadvertently developing code that a threat actor could exploit.
Research from Fortinet’s 2023 Security Awareness and Training Global Research Brief revealed that 81% of organisations faced malware, phishing, and password attacks last year that were targeted at individual users. It also showed that more than 90% of leaders believe that increased employee cybersecurity awareness would help reduce the occurrence of cyberattacks.
Periodic training and ongoing awareness about the most common cyberthreats and techniques used by adversaries are essential to build a human firewall and prevent an initial breach.
Leading organisations implement robust cybersecurity awareness training, require software developers to be proficient in secure code development practices, and periodically exercise their members’ readiness to detect cyberthreats through simulated phishing campaigns, tabletop exercises to evaluate incident response, and implementing robust threat-hunting practices.
Developing a cybersecurity culture can take time, but active participation at all levels of the organisation helps to ensure that all employees understand their significant role in the organisation’s defence against cyberthreats. Effective training helps users become initiative-taking in risk mitigation and remediation. A mature cybersecurity culture creates a more cyber-resilient organisation and helps keep you out of the headlines.
Business resiliency
For too long, cybersecurity has been treated as a mere technology issue. It is not. Cybersecurity must be seen as an enterprise risk-management imperative. Given the potential impact of cyber risks on business resiliency and increased regulatory requirements on the public and private sectors, it is now vital for organisations to demonstrate they have clear oversight, processes, and procedures to prevent, detect, and respond to cyberthreats.
