Cyber outlook

by Mark Rowe

The accelerated shift to remote working during the covid-19 pandemic, together with recent high-profile cyber attacks, has brought cyber security to the top of mind among key decision-makers. So says Jeremy Jurgens, MD of the World Economic Forum, the Swiss think-tank which famously holds (pre-covid) an annual conference in Davos each January.

He says in a foreword to a WEF global cybersecurity outlook 2022 report that cyberspace transcends borders: “We therefore need to mobilise a global response to address systemic cybersecurity challenges.” Much still needs to be done to arrive at a shared understanding of how to strengthen cyber resilience, he warns: ‘decision-makers and cyber experts are often not on the same page in terms of prioritising cybersecurity, integrating cyber risk into business strategy and integrating cyber leaders into business processes’.

The report argues that the coronavirus pandemic has ‘thrust the global population onto a new trajectory of digitalisation and interconnectedness’. One consequence is ‘the increasingly frequent, costly and damaging occurrence of cyber incidents, sometimes even paralysing critical services’. Hence the WEF canvassed some 120 cyber executives from 20 countries. They reported that the biggest threat is ransomware, followed by social-engineering attacks. The report says: “As many as 80 per cent of cyber leaders stressed that ransomware is a dangerous and evolving threat to public safety. The survey confirmed that ransomware attacks are at the forefront of cyber leaders’ minds, with 50pc of respondents indicating that ransomware is one of their greatest concerns when it comes to cyber threats.”

On the personal, or personnel, level, a majority of respondents rank talent recruitment and retention as a concern, making it ‘challenging to respond to a cybersecurity incident due to the shortage of skills within their team’. The report quotes Alejandro N Mayorkas, Secretary of the United States federal Department of Homeland Security, as saying that ‘malicious cyber activity threatens our national and economic security and impacts the daily lives of individuals’. By comparison, the report points out that the criminals are agile and ‘are seizing every opportunity’; the dark web is ‘teeming with hacking services’. Those services, the report adds, are ‘often relatively affordable …. depending on the complexity of the required hacking activities, the desired outcome and the victim’s profile’.

The report talks of a ‘new generation of breaches’, ‘security vulnerabilities in the most popular software tools and systems’, that bring pressure on a victim’s share price, and ‘sowing of doubt in the minds of consumers’, besides the actual damage. Here the report quotes the author and thinker Bruce Schneier, who argues that poor cyber security ‘makes too many of us easy targets’.

The report suggests it’s time for a transition from cybersecurity to cyber resilience, and for a distinction between the two. For the report in full, visit the WEF website.

Comments

Adam Hunt, CTO at RiskIQ, a subsidiary of Microsoft, says that the WEF report is right to call for cybersecurity as a business priority, but that to develop a holistic view of potential threats to a business, security teams need actionable security intelligence that provides a bird’s eye view of the global attack surface. He says: “This shows precisely how their organisation’s unique internet relationships sprawl across the web. Businesses need security intelligence with a view of this attack surface to develop keen insight into threats most critical to the enterprise’s one-of-a-kind digital footprint.

“To maintain cybersecurity as a business priority, security programmes also need a robust budget for threat intelligence and forensic hunting capabilities. Security teams must be able to respond immediately and decisively to attacks, and investing preemptively into threat intelligence data and systems is critical. CISOs must also have an advanced incident-response function and accompanying data. Indeed, it’s important CISOs can answer questions, such as what is the nature of the attack? Which features of the network are vulnerable? Has the company been breached? What clues exist as a result of the attack? Answering these questions when the attack is already happening is challenging.

“To this end, it is vital to rely upon in-depth internet reconnaissance to understand the different threat actors. After all, specific threat actors will exhibit different tactics, techniques, and procedures – they will also possess different assets and exploit unique vectors. Intelligence gathering on the deep and dark web – the natural hiding place of threat actors – will provide additional context of an adversary; for example, where have they attacked before and where might they attack again or what sort of information they are stealing.”

And Gernot Hacker, Sales Engineering Manager EMEA at Appgate, says: “Every cybersecurity expert is constantly worrying about the threats their organisation is exposed to and how they can stop them. However, the other great challenge for cybersecurity experts is how to stop the current skills shortage seen in the industry.” He quotes from the report that less than 25 per cent of companies with 5,000 to 50,000 employees “have the people and skills [they] need today”. He adds: “This skill shortage can leave organisations vulnerable to cyberattacks with security teams no longer having the knowledge and experience to deal with certain situations. Individuals within security teams have the constant pressure of not feeling prepared, ultimately leading to stress and the eventual departure from the industry altogether. According to the report 88pc of security-focused executives describe being ‘moderately or tremendously stressed’ – those who are stressed are not going to stay in the industry for long and therefore the skills gap is exacerbated.”

“Part of the reason why so many companies have this shortage is due to the mass exodus of baby boomers taking early retirement due to the pandemic, which has forced younger generations to step up and take their place without necessarily having the skills to do so. Organisations must find the right balance in security teams and ensure that different generations are working together.”

Separately, the WEF has brought out a global risks report, also to coincide with its annual meeting.

Photo courtesy of the WEF: Klaus Schwab, WEF founder.


© 2024 Professional Security Magazine. All rights reserved.
