Why risk-based security is the key to driving business value in 2019

Cyber security can be a difficult investment to quantify. In a world where breaches have become near ubiquitous, how much security is enough? Unfortunately, for many mid-sized firms, the default setting is to do just enough to get by, investing ad hoc to tackle new threats as they appear. One in three business decision makers across Europe and APAC told NTT Security last year that they would rather pay a hacker’s ransom than invest in better cyber security — despite the size of the ransomware threat.

Organisations must ditch this reactive, short-term approach to cyber security in favour of a more considered proactive risk-based strategy — that’s the way to drive long-term growth as we head through 2019.

Mid-sized firms are often targeted in their own right, but also because hackers believe them to represent a potentially weak link that can be exploited to reach larger partners.


A digital revolution

Everywhere you look today, digital transformation is redefining the rules of business. Cloud and mobile platforms; rapid, DevOps-based application development; IT and OT convergence under the banner of the Internet of Things (IoT); and many other emerging technologies are helping to fuel a new era of agility and innovation. Yet as more data goes online, and organisations increasingly come to rely on these systems to drive business growth, they also become more exposed to the risk of IT disruption and data theft.

These threats have never been greater. According to NTT Security’s Global Threat Intelligence Report (GTIR) for 2018, ransomware was the leading malware type in EMEA, accounting for 29% of the total and showing a 350% increase on the previous year. It’s not alone: spyware and keyloggers comprised 26% of global volumes, followed by trojans/droppers (25%) and viruses/worms (23%). Crypto-mining malware has since risen significantly, becoming the number one threat by the end of 2018, according to one vendor. Meanwhile, Business Email Compromise (BEC) attacks netted criminals over $12.5 billion globally between October 2013 and May 2018.

It’s perhaps no surprise that an estimated 43% of UK businesses claimed last year that they’d suffered a security breach or online attack over the previous 12 months.

Under pressure

At the same time, mid-sized firms are under immense pressure to grow amidst challenging macroeconomic conditions. IT security skills shortages — the global shortfall has reached nearly three million professionals, 142,000 of them in EMEA — continue to bite, alongside limited budgets. The threat from the digital supply chain is so great that last year the National Cyber Security Centre (NCSC) was forced to issue advice for companies.

The cumulative impact of increased threats, a larger digital attack surface, reactive investments in security and other challenges could be severe. Major regulatory fines are on the cards thanks to the GDPR and NIS Directive, the latter applying to many critical infrastructure sectors. The financial and reputational impact of remediation and clean-up, forensic investigations, legal bills, customer churn, and falling share prices following a serious incident should not be underestimated.

Most business leaders responding to NTT Security’s Risk:Value 2018 report said they were concerned about the negative impact of a breach on customer confidence (56%), and brand reputation (52%), with economic impact cited by 40%. In reality, all three are very much interlinked. Perhaps even more importantly, without a proactive, strategic approach to cyber security, organisations can’t provide the secure foundations on which to build effective digital transformation initiatives.

Changing the culture

We should be seriously concerned that only half of global business leaders would prefer to invest in information security rather than reactively pay off a ransomware author. Cyber security is still clearly not being thought of in strategic enough terms. Why? Partly because of a lack of leadership. We found confusion over who is responsible for security: 22% of business leader respondents said it was the CIO, versus 20% for the CEO and 19% choosing the CISO. This is matched by a lack of visibility and awareness. Nearly half (47%) said that they had not been affected by data breaches — a worryingly high figure given how hard it is to prove this with any certainty.

Perhaps as a result of this over-confidence, there’s been little change in preparedness levels. The proportion of firms with an information security policy in place jumped just one percentage point from 2017 (56%) to 2018 (57%).

We need to change this mindset from the top down. Reactive security can lead to serious gaps in protection, and fails to support the long-term strategic growth vision of a company. According to KPMG: “The question shouldn’t be ‘how much of my IT budget are we spending on cyber?’. The question should be ‘how much of my business change or innovation budget are we spending on cyber security?’.”

No silver bullet

There’s no silver bullet for security. It requires a long-term, risk-centric approach based on best practices including multi-layered protection at the endpoint, network, cloud/on-premises servers and email/web gateways. Security awareness programmes are key to turning your employees into a strong first line of defence, as are regular vulnerability and pen tests to spot and address security gaps.

Incident detection and response is another crucial component, enabling IT to get on the front foot to spot and block attacks before they can impact the organisation, and to use intelligence to proactively improve cyber defences for the future. It’s concerning that the proportion of firms with an incident response programme in place rose by just one percentage point, from 48% in 2017 to 49% last year.

Many will find all of this difficult with limited in-house resources, which is when outsourcing to a third-party expert becomes an attractive option. As we head through 2019, organisations keen to drive value through proactive cyber security may find they need to enlist the help of a managed service provider.

Azeem Aleem, VP Consulting at NTT Security 

Azeem Aleem is the Vice President of Cyber Security Consulting at NTT Security. He is an experienced information security executive with over 15 years of practitioner experience in cyber defence technologies, security operations, counter threat intelligence, data analytics and behavioural classification of cyber criminals.