Why do many organisations have a hard time keeping up with the evolving threat landscape and effectively managing their cyber-risks?
By Amer Oweida
Financial services companies have been a popular target for cybercriminals for a long time. Not without good reason, since beyond working with money, financial companies handle a slew of sensitive client data that criminals utilize in various fraud schemes or sell off on dark web bazaars. According to Verizon’s 2020 Data Breach Investigations Report, in the past year alone the financial industry has suffered more than 1,500 incidents, with 448 confirmed data disclosures.
In addition to the long-standing threats, most companies have had to contend with the rapid transition to remote work. The shift happened on extremely short notice, leaving companies with little time to deploy adequate cybersecurity measures or to prepare employees for looming cyberthreats. And while the pandemic will eventually subside, remote work is here to stay – adding to the list of challenges that companies need to cope with when they are preparing their cybersecurity plans and policies. This is something they often struggle with already due to various factors – we have rounded up five of them:
Talent gap
While many companies may be on the hunt for either seasoned or up-and-coming cybersecurity professionals to join their ranks and help them establish a defensive perimeter against various threats, there just aren’t enough of them to go around. In fact, although the cybersecurity workforce gap has shrunk for the first time in years, there is still a global shortage of 3.12 million workers. To make up the global talent shortfall, employment levels would need to grow by 41% in the United States and 89% worldwide. So, to attract the best and brightest cybersecurity minds, companies will have to offer competitive salaries and fulfilling work opportunities.
Insufficient budgets
A key area that is preventing companies from tackling cyberthreats head-on is that they have insufficient budgets allocated to cybersecurity. According to a survey conducted by consulting firm Ernst and Young, 87% of surveyed organizations said that they did not have a sufficient budget to achieve the levels of cybersecurity and resilience they were aiming for. The lack of resources means that companies can’t hire enough cybersecurity talent or institute the technical measures they need to be resilient when facing off against various cyberthreats.
Overestimating their own cybersecurity
One common mistake companies make is that they overestimate how good their cybersecurity measures are. While they may believe that they are on top of things, companies may not have the best vulnerability patch-management policies in place. A good – but at the same time, unfortunate – example is the BlueKeep vulnerability present in Windows. The patch was issued in May 2019, with Microsoft urging everyone to patch immediately; a month later, the National Security Agency issued its own warning, yet in July there were still more than 805,000 machines susceptible to the security flaw, and it culminated with the first BlueKeep attacks in November. It goes without saying that patching such a severe vulnerability should under no circumstances take six months.
Lack of awareness training
Another common occurrence that undermines a company’s cybersecurity is that employees do not receive enough cybersecurity awareness training. Arguably, the risks of employees being tricked into downloading malware or parting with their company credentials have been amplified due to the COVID-19-powered shift to remote work. According to a study conducted by the Ponemon Institute, although companies have registered a surge in cyberattacks during the pandemic (including phishing and social engineering attacks), 24% of respondents felt that their organizations have not provided sufficient training about risks associated with remote work. Worryingly, the study also discovered that over half of the companies had no security policies at all covering requirements for remote employees.
Underestimating the value of cybersecurity
Some organizations underestimate the value of cybersecurity for their business and instead opt to invest in other aspects they deem more worthwhile, such as financing expansions or developing new products. They could argue that the costs outweigh the benefits, such as the cost of cybersecurity measures outweighing potential losses from a data breach. However, while the potential fines and losses may be lower in the short term, the reputational damage could lead to greater fallout, including losing client trust, which would hit revenue streams. Alternatively, if successful, cybercriminals could gain access to intellectual property that they could sell along with the client data on the dark web. Therefore, cybersecurity shouldn’t be an afterthought, as it serves to protect both the company and its clients.
Conclusion
Any combination of the aforementioned factors could spell a perfect storm for most organizations when faced with a cyberattack. On the bright side, financial services companies have begun taking cybersecurity concerns seriously at the highest level. Global management consulting firm McKinsey found that 95% of the board committees that they surveyed say they discuss cyber-risks and tech risks at least four times a year. It’s worth noting, however, that building awareness in top management has to go hand in hand with investing adequate sums in cybersecurity solutions and training personnel to the best possible standards.