Home Slider Why Cybersecurity Is More Crucial Today Than Ever Before

Why Cybersecurity Is More Crucial Today Than Ever Before

by internationalbanker

By Joseph Moss, International Banker

 

It is an increasingly sophisticated game. As attackers evolve with successively more fiendish digital schemes, defenders respond by upping their safeguards to resolutely protect their most valuable digital assets—but not always with absolute success. And with data now the undisputed lifeblood of digitally aligned organisations, protecting the integrity and privacy of this hugely valuable resource at all costs means that cybersecurity is now invariably being propelled to the top of the agendas of corporate, investment, regulatory and governmental realms.

“In essence, cybersecurity is the guardian of our digital realm, preserving the confidentiality, integrity and availability of our data,” explained Accenture. Its “State of Cybersecurity Resilience 2023” report, published in June, involved 3,000 global respondents from 15 industries across 14 countries. “It’s the defensive frontline protecting against a myriad of cyber adversaries who seek to compromise the very essence of our digital existence, making it an inseparable component of both personal and organizational data and analytics protection.”

Those that embedded key cybersecurity actions into their digital-transformation efforts and applied strong cybersecurity operational practices across their organisations were almost six times more likely to experience more effective digital transformations than those that didn’t do both, the report also found. And the organisations that most closely aligned their cybersecurity programmes to their business objectives were “18 percent more likely to increase their ability to drive revenue growth, increase market share and improve customer satisfaction, trust and employee productivity”.

Such trends highlight just how intrinsic cybersecurity has become to organisations’ successes. Indeed, boards, managers and investors are now ensuring that their organisations have the requisite cyber defences in place as early as possible during the business-development lifecycle, ideally before bringing their solutions to the market. Gartner predicted that 70 percent of boards would include one member with cybersecurity expertise by 2026. “For cybersecurity leaders to be recognized as business partners, they need to acknowledge board and enterprise risk appetite,” the analytics firm noted in March 2023. “This means not only showing how the cybersecurity program prevents unfavourable things from happening, but how it improves the enterprise’s ability to take risks effectively.”

This laser-focused attention on cybersecurity makes more sense with every passing day, particularly as the age of generative artificial intelligence (GenAI) is now firmly upon us. By February 2024, ChatGPT had more than 180.5 million users, with 100 million users flocking to the application every week, according to OpenAI’s chief executive, Sam Altman. The ChatGPT website also notched up a mammoth 1.6 billion visits in December. And with organisations now keener than ever to integrate GenAI and large language model (LLM) applications, such as ChatGPT, into their business models, many new potential attack surfaces have been introduced that organisations need to identify and protect.

Cyber hackers can thus leverage AI to initiate phishing attacks, develop sophisticated malware and replicate threats across organisations more quickly, potentially leaving IT (information technology) security teams scrambling to safeguard against such threats without limiting the advancements produced by GenAI. “The rapid growth of GenAI is expanding the threat landscape. At the same time, the evolving regulatory landscape and the alarming frequency of cyberattacks are prompting SRM [security and risk management] leaders to increase their spending on security measures,” Shailendra Upadhyay, senior research principal at Gartner, noted in mid-February. “Organizations are also strategically improving their defences by adopting advanced technologies and security solutions which enable them to proactively identify potential vulnerabilities or malicious activities across various digital platforms.”

Have businesses been successful in this fight? Not necessarily. According to Aleksandr Yampolskiy, co-founder and chief executive officer of the IT security firm SecurityScorecard, threat actors still have the advantage, despite organisations upping their efforts to harness GenAI. “What will this look like? It may take the form of sophisticated phishing campaigns, a barrage of deepfakes and hackers gaining access to detailed information about their targets while also getting around endpoint security defences,” Yampolskiy warned in a recent piece for the World Economic Forum (WEF). “I advise security leaders to prepare for the coming wave of AI-generated threats.”

2023 also saw a pronounced resurgence in ransomware attacks, with cloud-security company Zscaler’s research unit, ThreatLabZ, reporting a 37-percent surge in ransomware attacks during the year, along with an average enterprise ransom demand of $5.3 million and an average payment exceeding $100,000. March, in particular, saw 459 attacks logged—a whopping 91 percent more than in the previous month and 62 percent more than in March 2022. Analysts noted that the Clop ransomware gang was chiefly responsible for this spike, having executed an attack that stole data from 130 companies in 10 days. Clop’s zero-day attack on file-transfer tool MOVEit, meanwhile, impacted around 83 million individuals and almost 3,000 organisations during the year.

ThreatLabZ also observed more encryption-less extortion attacks as ransomware gangs became “stealthier” in 2023. “The absence of encryption allows attackers to eliminate development cycles and decryption support and quietly exfiltrate data before making ransom demands,” ThreatLabZ noted. It also highlighted the rising popularity of ransomware-as-a-service (RaaS), whereby gangs make their services available on the dark web. “The ransomware family BlackCat group, or ALPHV, emerged as a significant contributor to this unsettling trend, linking back to multiple high-profile attacks against casinos.”

Perhaps even more concerning for businesses is the sheer multitude of emerging attack vectors, with attackers often using combinations of malware, ransomware and DDoS (distributed denial-of-service) assaults to become more uniquely evasive. And while large corporations were once the almost-exclusive focus of digital-threat actors, a much wider range of institutions are now in the crosshairs, including individuals, small businesses, healthcare and educational institutions and even government agencies.

Yet, despite such threats proving hugely damaging to organisations and individuals, much of the evidence in 2024 suggests that sufficiently robust cybersecurity measures are still not being deployed. A study by Embroker found that not only did a whopping 78 percent of the VC (venture capital)-backed startups surveyed by the digital insurance brokerage experience a cyberattack in 2023, which was comfortably more than the 67 percent recorded in the 2022 edition of its report, but nearly half still thought they wouldn’t face a potential data breach or ransomware attack. “While its usefulness is undeniable, founders long considered cyber coverage an optional side to their business coverage entrée, furthering a disconnect between perceived risk and reality,” Embroker noted. “Even as more people directly experience a cyberattack, nearly half continue to believe they are unlikely to encounter one themselves.”

Businesses are increasingly advised to implement cybersecurity systems that are preventative rather than reactive, involving a wide range of relevant stakeholders, including investors. Indeed, Embroker noted that cybersecurity discussions surged within the fundraising community last year, with the volume of founders reporting frequent cybersecurity conversations with their investors and boards more than doubling from 41 percent in 2022 to 83 percent in 2023. This suggests that investors’ purse strings will not be loosened until startups demonstrate more convincingly that sufficient cybersecurity measures are in place.

Regulators will also have to play their parts in the battle against cyber hackers. The US’ main financial-services industry watchdog, the U.S. Securities and Exchange Commission (SEC), for example, adopted rules effective December 15, 2023, that require registrants to disclose any material cybersecurity incidents they experience and to divulge material information regarding their cybersecurity risk management, strategy and governance annually.

“Whether a company loses a factory in a fire—or millions of files in a cybersecurity incident—it may be material to investors,” said SEC Chair Gary Gensler. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”

Even cyber warfare at the international level has necessitated massive investment increases to defend against malicious hacking endeavours that are being backed by adversary states. According to the World Economic Forum’s “Global Cybersecurity Outlook 2023”, growing geopolitical instability was a key driver of heightened cyber risk, with 86 percent of business leaders and 93 percent of cyber leaders surveyed believing that global geopolitical instability was “moderately” or “very” likely to lead to a catastrophic cyber event in the next two years. Moreover, 74 percent of organisational leaders stated that global geopolitical instability had influenced their cyber strategies “moderately” or “substantially”.

Countries could be given a significant boost should they agree to the United Nations’ treaty on cybercrime that is currently being negotiated as potentially the first legally binding framework for cooperation on cybercrime prevention and investigation, as well as cybercriminal prosecution. That said, prospects for consensus on such an agreement remain slim; it may take years for its final passage.

 

Related Articles

Leave a Comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.