Phishing and social engineering, both of which are commonly used to infect critical systems with malware or ransomware, have reached epidemic proportions, and there are no signs of the trend slowing down. Statista estimates that cybercrime costs will increase by nearly 70% over the next five years, reaching $13.82 trillion by 2028.
Cyber incidents can adversely impact a company’s operations, brand reputation, trust, and finances. In addition to crippling revenue-generating and service-delivery processes, they can lead to legal and regulatory fines, negatively affecting a company’s financial performance and valuation. When critical infrastructure is involved, those risks can also harm the environment and even put human lives at risk. For this reason, the World Economic Forum’s latest report on global risks cites cyber as one of the most significant sustainability risks for businesses, alongside climate change, which explains why regulatory authorities and corporate boards are focusing on cyberthreats and cybersecurity governance.
Oversight has increased due to growing cyber risk
As cyber risks and cybersecurity become increasingly prevalent, regulators are paying greater attention to the issue. A data privacy law and breach notification laws were enacted in the United States in 2002. Other regions have enacted even stricter privacy laws, such as California’s Consumer Privacy Act (CCPA) of 2018 and the General Data Protection Regulation (GDPR) adopted by the European Union in 2016. Additionally, the Federal Trade Commission (FTC) has recently imposed disclosure standards for cybersecurity, making it clear that the issue is broader than IT alone: cybersecurity risk management is an integral part of an organization’s overall enterprise-wide risk management program. In addition to reporting material cybersecurity incidents, these rules require public companies to disclose their cybersecurity risk management strategies and governance processes, effectively shifting cybersecurity governance responsibilities from CIOs and CISOs to their boards.
Regulators are tightening compliance requirements, which obliges the board and executives, including the CEO, CFO, CSO, and CISO, to engage actively in cyber-risk and cybersecurity governance programs. It is their responsibility to ensure that appropriate leadership and strategies are in place for addressing cyber risks within the organization. Senior management must be involved in cyber-risk governance to ensure that it aligns with the company’s overall goals.
Managing cyber risks begins at the top
Organizations, irrespective of their structure, have a duty to understand and monitor critical cyberthreats that can adversely affect their operations. They must ensure that an appropriate response plan is in place to limit the impact of a compromise by overseeing strategies, policies, and procedures. Moreover, they must have systems in place that enable them to detect, investigate, and eradicate intrusions, and to comply with legal, regulatory, and contractual requirements. Once a cyber-risk governance plan has been endorsed by senior management, it requires continuous assessment of the company’s business operations. Assessing cyber risks and identifying cybersecurity gaps and vulnerabilities can prevent cybersecurity crises from occurring.
Information security programs should be based on well-known security standards, such as ISO and NIST. As well as aligning with the organization’s security and privacy regulatory requirements, such as PCI-DSS, HIPAA, NERC, CJIS, NIS2, GDPR, and PIPEDA, the security policy must be consistent with its external stakeholders’ expectations. Achieving information security certifications is essential for protecting data and for assuring customers and investors that the organization is prepared to defend itself against evolving cyberthreats.
Management’s endorsement of policies and procedures, and setting the tone from the top, are essential to fostering the adoption of new tools and behaviors critical for protecting the organization’s most valuable assets. When cybersecurity policies and objectives are defined and explained, the entire organization understands the purpose of the security controls and how they are correctly implemented. The cyberthreat landscape is ever-changing, so such policies need to be updated regularly to reflect the organization’s evolving security posture.
Building a Cybersecurity Culture at All Levels
Cybersecurity is a team sport. Anyone in the organization can become a target or fall victim to a compromise through phishing or social engineering campaigns, by accidentally misconfiguring or not patching a vulnerable system, or by inadvertently writing code that a threat actor could exploit. Last year, 81% of organizations experienced malware, phishing, and password attacks that targeted individual users, according to eScan’s 2023 Security Awareness and Training Global Research Brief. The same brief found that over 90% of leaders believe increased employee awareness of cybersecurity will reduce the incidence of cyberattacks. To prevent an initial breach, regular training and continuous awareness are essential to building a “human firewall.”
Leading organizations implement cybersecurity awareness training, require software developers to be proficient in secure code development practices, and periodically test staff readiness to detect cyberthreats through simulated phishing campaigns, table-top exercises for incident response, and robust threat-hunting practices.
An organization’s cybersecurity culture takes time to build, but regular participation at every level ensures that all employees understand their role in protecting the organization from cyberthreats. Effective training enables a proactive approach to risk mitigation and remediation. When your cybersecurity culture is mature, your organization becomes more cyber-resilient and stays out of the headlines.
eScan offers a range of services to help organizations build comprehensive security awareness programs, including:
1. eScan’s Phishing Simulation Service: Real-life simulations prepare employees to identify phishing threats and train and reinforce proper practices for when they encounter targeted attacks.
2. eScan Security Awareness and Training service: Delivers timely and relevant awareness training about the most pressing security threats through its SaaS platform. Cyber-awareness training helps IT, security, and compliance leaders build a culture in which employees recognize and avoid cyberattacks.
3. eScan’s Network Security Expert (NSE) training modules: Free, online, self-paced modules that teach users how to identify and protect themselves from various types of threats, including phishing attacks.
Cybersecurity Strengthens Business Resiliency
For too long, cybersecurity has been viewed as a technology issue. It is not. Managing cyber risk must be treated as an enterprise risk management imperative. Because cyberthreats can undermine business resilience and are driving increased regulatory requirements for both the public and private sectors, organizations need to demonstrate clear oversight, processes, and procedures for preventing, detecting, and responding to cyberthreats.