Spiraling costs and a lack of skilled cybersecurity professionals are putting pressure on IT teams—and it shows
When I think of IT departments and cybersecurity, I’m reminded of the fable of the little Dutch boy who put his finger in a leaking dike to save Holland from a North Sea flood.
Trying to secure the enterprise is a lot like trying to hold back the ocean with your hands while also being tasked with continually streamlining and supporting the function of the business, its stakeholders and its technology. As digitalization rapidly progresses through every business in every sector, spiraling costs and a lack of skilled cybersecurity professionals are putting pressure on IT teams … and it shows.
Startling Cybersecurity Statistics
According to a recent survey of 300 small and midsized businesses, 80% ranked IT security as a top business priority, with 56% claiming that recent security breaches will affect their security roadmap moving forward. But 52% said they do not have dedicated in-house IT security professionals on staff and 48% list budget constraints as the main barrier faced when it comes to IT security.
And it’s not only small businesses. When a coordinated ransomware attack was launched in August against the computer systems of 22 Texas municipalities, one mayor said the hackers infiltrated his external systems integrator, as “a lot of folks in Texas … don’t have a staff big enough to have IT in-house.”
Cost is both a huge barrier and a pressing danger. British technology researchers released a report in August presenting 3,700 data points from eight key global regions forecasting that “the annual cost of worldwide data breaches will surpass $5 trillion by 2024, with North American businesses absorbing the highest share.” Furthermore, “most breaches through 2024 will target small and medium-sized enterprises with budgets that are insufficient to adequately defend against cyberthreats.”
Even great size is not a guarantee of reduced threat. Large, well-staffed and technologically well-resourced organizations such as Dun and Bradstreet, Facebook, Equifax and Chegg have all been subject to damaging cyberattacks in recent years, impacting millions of customers and averaging $347 million in costs to affected companies.
Meanwhile, Kaspersky’s Cyberthreat Real-Time Map shows hundreds of thousands of active network attacks, trojans and other assorted cyberthreats flowing freely across the globe every second of every day. It’s an ocean of digital danger, and no IT department can shore up all potential vulnerabilities or prevent every potential breach.
Untenable Menace at Global Scale
The World Economic Forum (WEF) Global Risks Report 2019 presents the mounting magnitude of cybersecurity threats as an untenable menace, largely fed by rising “cyber dependency”—the increasing digital interconnection of people, things and organizations. Thus, cyberattacks rank solidly in the middle of the WEF’s top 10 global risks in terms of both likelihood and impact.
This year’s report highlights the destructive potential of large-scale cyberattacks or malware causing enormous economic damage, geopolitical tension and widespread loss of trust in the internet—all compounded by massive incidence of sensitive data fraud, theft and exploitation on an unprecedented scale.
The WEF conducted a Global Risks Perception Survey (GRPS) in late 2018 among its multi-stakeholder communities, extensive professional and civic networks, advisory associations and members of the Institute of Risk Management. Three in five GRPS respondents expect the risks associated with loss of privacy to companies and governments to increase this year; 82% rate increases in cyberattacks leading to theft of money and data as likely, and 80% anticipate cybersecurity-related disruption of operations. Insights were drawn from massive data breaches in 2018, revelations of new hardware weaknesses, and research indicating “the potential uses of artificial intelligence to engineer more potent cyberattacks.”
According to the WEF, “Technology continues to play a profound role in shaping the global risks landscape for individuals, governments, and businesses … The survey reflects how new instabilities are being caused by the deepening integration of digital technologies into every aspect of life.”
Feasible Protection and Cyber Resilience
Given the scope and scale of cybersecurity threats, what can IT departments and the businesses they serve reasonably do to defend themselves? Under this onslaught, the most practical position for an enterprise is to establish and maintain feasible protection by aiming for cyber resilience. But how?
Multinational professional services firm KPMG defines cyber resilience as “being able to prepare for, withstand, rapidly recover, and learn from” cyberattacks. For an organization, this condition can be achieved by building on expert guidance: the National Institute of Standards and Technology (NIST) has established the Cybersecurity Framework, detailing five functions for achieving cyber resilience:
- Identify: Organizational understanding of systems, people, assets, data, capabilities and business context.
- Protect: Safeguards on critical infrastructure, containment capability for potential attacks or intrusions, and protections for identity management and access controls.
- Detect: Identification and timely discovery of attack/breach incidence, with continuous monitoring capability.
- Respond: Establishing and enabling appropriate activities to take action on a detected cybersecurity event.
- Recover: Maintaining plans for resilience and restoration of any capabilities/services impaired by a cybersecurity incident, with a mechanism for learning from cyberthreats and implementing improvements.
Authors Chris Clearfield, a former derivatives trader, and András Tilcsik, a professor at the University of Toronto’s Rotman School of Management, suggest that adjusting our attitudes about risk prevention can also help. Their book “Meltdown” discusses how the increasing complexity of our systems creates ever greater opportunity for failure, outlining why neither organizations nor individuals can possibly keep up on their own. Though their work addresses issues beyond IT and cybersecurity resilience, their advice is particularly fitting in this context:
“We need to face reality with a blameless process that not only identifies specific issues but also looks at broader organizational and systemic causes … recognizing early warning signs, building skepticism into organizations, using structured decision tools, and managing our crises better.”
None of those are really IT’s responsibility; they all belong to everyone.