Even before considering the use of cyber weapons in war, the frequency and severity of cyber attacks are clearly on the rise. We should expect this from continued digitisation and the increased adoption of remote working and increasing mobility (through the growing uptake of mobile devices), all adding to the inherent risks of a cyber attack. The heightened threat of ransomware, driven by organisations shifting workloads and data to the public cloud, plus the rise of social engineering as a means to obtain sensitive information from individuals are just two examples of how the cyber security landscape is changing in line with our evolving working practices.
It is estimated that a ransomware attack occurred every 11 seconds in 2021. There’s little argument that the pandemic has dramatically escalated the threat level, with criminals seizing upon vulnerabilities created by the sudden shift to remote working. The Russian invasion of Ukraine has also further heightened the potential for state-sponsored malicious attacks and thereby increased disruption to global organisations in both the public and private sectors.
Disruption from cyber events is therefore increasingly inevitable, and when poorly mitigated or managed can lead to material detriment to shareholders, staff, and consumers. In this light, the UK Government has just launched its first Cyber Security Strategy. Although aimed at the public sector, it makes clear that even with effective risk management and protective measures, organisations will be significantly impacted by cyber incidents.
The ransomware ecosystem has evolved over the last few years. On one level, there are sophisticated teams of attackers operating as a well-funded criminal enterprise; on another, there are opportunists who have bought ransomware-as-a-service on the dark web. The fact that even an opportunist hacker can now access weapons-grade malware means the adversary ecosystem has suddenly become much more complex.
Given this rising storm, the goal of cyber risk management isn’t to reduce risk to zero – it is to help businesses identify and mitigate those risks that threaten the organisation’s critical assets. It is about understanding the realistic risk appetite for the business. A business that is not taking any risks is almost certainly not moving fast enough, and a strategy aimed at complete risk avoidance would paralyse even the most agile digital strategy.
As we are learning to live with COVID-19, so too, perhaps, will we have to learn to live with ransomware. But that doesn’t mean surrendering to it. Here are our pragmatic suggestions about where to focus in this storm:
- Cybersecurity is an enterprise-wide responsibility. Across an organisation, employees constantly make decisions with risk implications. It cannot be siloed to the technology department or delegated to a new cyber team. You can't rely on your IT service desk to protect you from ransomware. Everybody has a part to play. In practice, this starts with mapping all roles in an organisation to the operational components of safeguarding the business, and thereafter incorporating these into formally defined roles and responsibilities (e.g., job descriptions) and measuring against these. Do not reinvent the wheel: there will, of course, be existing defined roles and responsibilities that indirectly or directly influence the vulnerability of an organisation – these need to be understood and well-defined.
- Successful management of cyber risk begins in the boardroom. The CEO, the CFO and the COO all play important roles, firstly in ensuring that cyber risk is a board-level priority, but also in communicating the need for personal responsibility throughout the organisation. In our experience, communicating the relevance of cyber risks and the roles that these individuals can play must be carefully framed in a way that speaks to their immediate objectives. For example: the financial impacts of cyber threats to the CFO, the customer detriment resulting from a cyber-attack to the COO, the regulatory impacts to the CRO. This, in turn, drives the mobilisation of cross-functional teams to identify and manage cyber risks.
- Hold your third parties to account. You can outsource cyber security tasks, but you can’t outsource the risk. It is critical to hold third parties to the highest standards. Do you have the right supply chain controls in place? Are you holding suppliers to account through your contracts, your audit function and your verification processes? In the financial services sector, this ties directly to establishing which suppliers’ services, if down, will adversely affect the firm’s impact tolerances. The guiding principle for all sectors is to apply sufficient upfront due diligence and then undertake routine, risk-based and proportionate assessments.
- It is a marathon, not a sprint. It is not enough to have a full-court press on cybersecurity and then move on to the next hot topic, or to put controls in place without ensuring they will continue to be monitored. It is critical to embed good practices into the fabric of your company, to protect yourself against ransomware, malware, and other threats. The threat landscape is continually adapting and evolving – and businesses must follow suit.
- It is essential to maintain visibility of your cyber risk profile – to allow nimble allocation of resources, to manage reporting to regulators and other external stakeholders, and to generate as much early warning as possible of escalating risks.