By Angel Grant, CISSP, Director, Digital Risk Solutions, RSA
We still have a few months left to close out 2019 and already more than four billion data records this year have been breached or compromised. We can expect this number to rise in the coming years as our world becomes more digitally connected and technology advancements like 5G, autonomous vehicles and artificial intelligence become commonplace. With the number of vulnerabilities and endpoints multiplying, it’s no surprise that the leaders responsible for securing a business’ data and managing risk are worried about cybersecurity.
Around the globe, increased attention is being paid to cyber preparedness and training – particularly during the month of October, which marks a number of cybersecurity awareness activities worldwide. In the United States, National Cybersecurity Awareness Month celebrates its 16th anniversary. Over this span of time, spending on information security has grown and solution advancements have multiplied, yet we’re still talking about mitigating challenges like phishing and password strength.
As we look toward 2020 and beyond, the security and risk challenges your organization will face extend beyond end-user cyber hygiene. A recent RSA study shows that more than a quarter of organizations say implementation of a digital transformation project happens so quickly that there isn’t enough time to assess and implement proper risk management controls. This means that cybersecurity is an afterthought – a sure recipe for disaster as the risk landscape expands.
As organizations embrace digital transformation at a quickening pace, what is keeping your Chief Information Officer (CIO) and Chief Information Security Officer (CISO) awake at night? These three digital risk management priorities are top-of-mind as leaders face increased pressure to secure their businesses, bottom lines and reputations:
1. Managing Cyber Attack Risk
For more than half of organizations, the threat of a cyber attack is the number one digital risk priority. Despite the best of efforts and more investment in cybersecurity, it is no longer a matter of “if” but of “when” a cyber attack will impact your business.
Organizations must evolve to stay in front of a growing risk landscape that features more complex cyber threats. Cyber criminals are more savvy and understand the traditional IT perimeter is blurring as the workforce becomes mobile and third-party vendor relationships multiply.
To manage and mitigate the risk of cyber attacks, organizations must determine what data matters most, classify it, make it useless to others, back it up and then monitor it so they can quickly detect security incidents. In this process, it’s essential for security, risk management and business teams to work together to respond to attacks efficiently and manage the potential fallout.
2. Monitoring and Keeping Track of a Dynamic Workforce
The workforce is undergoing profound changes sparked by globalization, shifting demographics and digital transformation. Considering that bring your own device (BYOD), SaaS solutions, mobile apps and gig workers are pillars of the modern enterprise, it’s easy to see that today’s workforce is more dynamic than ever.
While these advancements have made it easier for employees to get work done, they are creating complex risk challenges for the CISO and CIO. More employees accessing systems and data from more devices means there are more digital identities to manage. This increases the odds that one (or thousands) of these identities will be abused or compromised.
What happens when identities are compromised? Today more than 2.2 billion compromised user credentials (usernames and passwords) from high-profile breaches are available on the dark web. These can later be manipulated for credential stuffing attacks. In 2018, credential stuffing was behind more than 30 billion login attempts – and this threat will continue to grow.
For security leaders and CIOs, this means transforming workforces must be met with a modern authentication and risk management strategy.
3. It Depends on Who You Ask
IT transformation is occurring faster than ever before. As a result, few organizations have been able to implement cybersecurity and risk practices quickly enough to manage new vulnerabilities. As such, the third area of concern for the CIO and CISO is a toss-up between data privacy and process automation.
Regulations like GDPR in Europe were an impetus for organizations to have important conversations about data privacy and compliance. Looking ahead, a litany of U.S. states are reviewing bills or implementing new laws that will govern data privacy. With more at stake – including financial damage in the form of breach-related expenses, regulatory fines and the potentially irreparable loss of customer trust – securing critical assets must be a top priority for organizations.
At the same time, organizations are also concerned with process automation. The very technologies needed to compete in the modern economy – machine learning, cloud, IoT, etc. – create vulnerabilities that attackers can exploit. The adoption of emerging technologies also raises concerns about transparency and accuracy, and it leaves organizations trading in traditional risks of operational failures (errors, mistakes, disruptions, etc.) for a new wave of unforeseen risks.
With 63 percent of organizations “extensively engaged” in digital transformation initiatives, technology is extending deeper into day-to-day business operations. Security leaders and CIOs need to have bolder voices in the boardroom and across the organization to ensure that managing digital risk is an organizational priority. It’s not enough to focus on implementing digital transformation on its own. Today, innovation must be underpinned by security. On the frontline, the CISO and Chief Risk Officer must take the immediate steps – perhaps using National Cybersecurity Awareness Month as a catalyst – to “Own IT. Secure IT. Protect IT,” and develop security postures that add the resilience needed in the digital era.