Another day, another cyber attack. Or at least, that’s what it feels like these days.
It’s estimated 64% of companies worldwide have experienced at least one form of cyber attack in the last year. Attacks and breaches have become so commonplace, organizations are at the point of cyber fatigue – they’re increasingly expected and accepted as ‘part of doing business’.
Unfortunately, growing awareness of attacks isn’t equaling better preparedness. In a survey of board directors, 65% felt that despite time and money investments, their organizations are still at risk of a material attack in the next 12 months, and almost half think they couldn’t cope with a targeted attack.
There’s a clear vacuum of responsibility and engagement at the very top that is preventing meaningful change and true cyber resilience. Bold claims that cyber is a priority isn’t enough, and few are yet to really ‘walk the walk’ of cyber best practices.
Attacks are rising, but accountability is not
The past year has seen a slew of high-profile attacks targeting big brands and cloud service providers – from Uber and LastPass, to Twilio and Reddit. What’s interesting is that these attacks are using a combination of social engineering and other hacking techniques to bypass multi-factor authentication (MFA) systems.
To be clear, attacks bypassing company MFA are not new, and MFA systems are still considerably more attack-resistant than single-factor authentication, but what is new is that these attacks are growing in both volume and sophistication. For businesses, the financial and reputational risks have never been higher.
Andrew Shikiar is Executive Director and CMO at FIDO Alliance.
Avoiding the ‘inevitable’ is possible
There are solutions out there that can prevent credential phishing and MFA bypass attacks – namely FIDO security keys. Several companies that have fallen victim to such attacks have implemented FIDO authentication *after* they have been victimized (Twitter, Twillio, for example), while Cloudflare sharing its experience of last year’s 0ktapus attack has proven how effective they are in preventing major damage.
These intense numbers of attacks can be prevented, so why aren’t they being?
Two scenarios are playing out generally:
A CISO or CSO is highly aware of the challenges, but is overworked and low on resources, funding and/or the business support to properly implement change. Or, and this is especially true in smaller organizations, IT teams are operating in silos, without any C-suite support, meaning strategies fall flat.
A recent survey of serving board members found less than half regularly interact with CISOs, and almost a third only see their CISOs at board presentations. Directors and security leaders are spending nowhere near enough time together to have a meaningful conversation about strategy - and it shows in perception of the topic.
What is consistent is that accountability and responsibility are notably lacking at the highest level, which is preventing real change despite the high risk of repercussions across the whole business and every department. But it can’t be an afterthought for much longer.
How do we move forward?
1. Don’t purpose wash cyber
Cybersecurity today feels reminiscent of ESG around a decade ago. Much like ESG, it needs to be taken seriously as a measurable, reportable business initiative. Purpose washing was a term coined around ESG, referring to organizations that made verbal commitments and promoted themselves as ‘ESG-friendly’ without much material action to back it up. Acting – or purporting to act - out of fear of reputational damage or to build credibility is counterintuitive: a security attack will do far more damage financially and reputationally, and be much trickier to rectify.
Boards need to take accountability to heart and implement stronger solutions that can mitigate MFA bypass and phishing attacks proactively not reactively. In time, we might also expect this to not become optional anymore – just as standards for sustainability and workplace equity reporting have been introduced in recent years, we’d expect and welcome similar mandates in cyber.
2. Become a C-Suite champion
Clearly, this can no longer be seen as just the remit of ‘IT’ – nor can it wait until problems arise to be considered again. Currently, boards are viewing cybersecurity as a technical topic, rather than an organizational and strategic imperative - half of surveyed board members valued CISO cybersecurity expertise the most, followed by technical expertise (44%) and risk management (38%). This means it becomes a topic too operational for attention in board meetings.
Businesses of all sizes should make cybersecurity part of company culture and should not shy away from cyber discussions in non-technical meetings. Taking an active role in talking about cyber at meetings, asking questions about what is being presented and sharing personal stories or even actively praising those who are making those changes within the business are all practical things directors can do to make a difference. At a Board/Business lead level, cybersecurity should be considered as vital a function as sales, HR, marketing…
And this is especially true for Cloud Service Providers (CSPs). Now trusted with other organizations' vital digital data, there’s an even higher imperative for them to prove their systems are as robust as possible internally – especially as attacks against cloud systems doubled in 2022. For customers selecting CSP providers, contractually mandating cybersecurity best practices like phishing-resistant MFA of employees internally may soon become more commonplace.
In time, we hope the culture of fear around cybersecurity will abate in the boardroom – it shouldn’t be seen as something big and scary in the corner to avoid, and we need to work closely with business leaders to ensure it is discussed and prioritized appropriately.
