Why risk-based security is the key to driving business value in 2019

Cyber security can be a difficult investment to quantify. In a world where breaches have become near ubiquitous, how much security is enough? Unfortunately, for many mid-sized firms, the default setting is to do just enough to get by, investing ad hoc to tackle new threats as they appear. One in three business decision makers across Europe and APAC told NTT Security last year that they would rather pay a hacker's ransom than invest in better cyber security, despite the scale of the ransomware threat.

Organisations must ditch this reactive, short-term approach to cyber security in favour of a more considered, proactive, risk-based strategy. That is the way to drive long-term growth as we head through 2019.

Mid-sized firms are often targeted in their own right, but also because attackers see them as a potentially weak link that can be exploited to reach larger partners.


A digital revolution

Everywhere you look today, digital transformation is redefining the rules of business. Cloud and mobile platforms; rapid, DevOps-based application development; IT and OT convergence under the banner of the Internet of Things (IoT); and many other emerging technologies are helping to fuel a new era of agility and innovation. Yet as more data goes online, and organisations increasingly rely on these systems to drive business growth, they also become more exposed to the risk of IT disruption and data theft.

These threats have never been greater. According to NTT Security's Global Threat Intelligence Report (GTIR) for 2018, ransomware was the leading malware type in EMEA, accounting for 29% of malware and up 350% on the previous year. It is not alone: spyware and keyloggers comprised 26% of global malware volumes, followed by trojans/droppers (25%) and viruses/worms (23%). Crypto-mining malware has since risen significantly, to become the number one threat by the end of 2018, according to one vendor. Meanwhile, Business Email Compromise (BEC) attacks netted criminals over $12.5 billion globally between October 2013 and May 2018.

It is perhaps no surprise that an estimated 43% of UK businesses reported last year that they had suffered a security breach or online attack over the previous 12 months.

Under pressure

At the same time, mid-sized firms are under immense pressure to grow amidst challenging macroeconomic conditions. The IT security skills shortage, now estimated at a shortfall of nearly three million professionals globally and 142,000 in EMEA, continues to bite, alongside limited budgets. The threat from the digital supply chain is so great that last year the National Cyber Security Centre (NCSC) was moved to issue guidance for companies.

The cumulative impact of increased threats, a larger digital attack surface, reactive investments in security and other challenges could be severe. Major regulatory fines are on the cards thanks to the GDPR and NIS Directive, the latter applying to many critical infrastructure sectors. The financial and reputational impact of remediation and clean-up, forensic investigations, legal bills, customer churn, and falling share prices following a serious incident should not be underestimated.

Most business leaders responding to NTT Security’s Risk:Value 2018 report said they were concerned about the negative impact of a breach on customer confidence (56%), and brand reputation (52%), with economic impact cited by 40%. In reality, all three are very much interlinked. Perhaps even more importantly, without a proactive, strategic approach to cyber security, organisations can’t provide the secure foundations on which to build effective digital transformation initiatives.

Changing the culture

We should be seriously concerned that only half of global business leaders would rather invest in information security than reactively pay off a ransomware author. Cyber security is still clearly not being thought of in strategic enough terms. Why? Partly because of a lack of leadership. We found confusion over who is responsible for security: 22% of business leader respondents said it was the CIO, versus 20% for the CEO and 19% for the CISO. This is matched by a lack of visibility and awareness. Nearly half (47%) said that they had not been affected by data breaches, a worryingly high figure given how hard it is to prove the absence of a breach with any certainty.

Perhaps as a result of this over-confidence, there has been little change in preparedness levels. The proportion of firms with an information security policy in place rose by just one percentage point, from 56% in 2017 to 57% in 2018.

We need to change this mindset from the top down. Reactive security can lead to serious gaps in protection, and fails to support the long-term strategic growth vision of a company. According to KPMG: “The question shouldn’t be ‘how much of my IT budget are we spending on cyber?’. The question should be ‘how much of my business change or innovation budget are we spending on cyber security?’.”

No silver bullet

There is no silver bullet for security. It requires a long-term, risk-centric approach based on best practices, including multi-layered protection at the endpoint, the network, cloud and on-premises servers, and email and web gateways. Security awareness programmes are key to turning employees into a strong first line of defence, as are regular vulnerability assessments and penetration tests to find and close security gaps.

Incident detection and response is another crucial component, enabling IT to get on the front foot: to spot and block attacks before they can impact the organisation, and to use the intelligence gathered to proactively improve cyber defences for the future. It is concerning that the proportion of firms with an incident response programme in place rose by just one point, from 48% in 2017 to 49% last year.

Many will find all of this difficult with limited in-house resources, which is when outsourcing to a third-party expert becomes an attractive option. As we head through 2019, organisations keen to drive value through proactive cyber security may find they need to enlist the help of a managed service provider.

Azeem Aleem, VP Consulting at NTT Security 


Azeem Aleem is the Vice President Cyber Security Consulting at NTT Security. He is an experienced information security executive with over 15 years of practitioner experience in cyber defence technologies, security operations, counter threat intelligence, data analytics and the behavioural classification of cyber criminals.