Digital transformation is a priority for most companies across all sectors. Organisations are seeking new business opportunities whilst improving their operational efficiency and delivering the best possible services to customers. The digital transformation journey is leading companies to embrace the cloud, the internet of things (IoT), big data and other digital initiatives, meaning that they must, in turn, reinvent and automate everything from decision-making to customer service.
These technological innovations, whilst imperative for business growth, also lead to inevitable cybersecurity challenges. The threat is real, and it is growing. Gartner predicts that 60 per cent of digital businesses will suffer major failures due to the inability of security teams to manage digital risk.
The problem is, cybersecurity just isn’t seen as a critical business problem by senior executives and board members.
Companies of all sizes and across all sectors are finding themselves targets for cyber criminals. In fact, our research found that 85 per cent of respondents had suffered a breach in the past two years, with almost half reporting a malware or ransomware attack.
Changing the approach
Our recent Global Enterprise Security Survey uncovers the need for the board to broaden its awareness of security. The report found that, despite a clear and present threat, almost half of IT decision makers don’t think that security is a top priority for the board. 77 per cent strongly believed that IT security needs to be more closely scrutinised by the board. According to our research, the board only takes action as a result of security breaches in 93 per cent of cases, leaving the responsibility with IT the rest of the time.
It should come as a surprise that the recent increase in high-profile cyberattacks has not led to deeper scrutiny from the board. Even though boards do react when an attack occurs, their response is largely reactive rather than prescriptive. It’s often the case that boards are more involved in post-breach management, rather than actually implementing the preventative measures. For example, 77 per cent of boards demand to know what happened after a security incident occurs, and 67 per cent review or increase security budgets. There is obviously still much work to be done by security leaders when it comes to up-levelling security to the board level. It is not enough to increase security spend in the wake of a breach, once the damage has already been done. Even then, there is still a lack of understanding that security is the responsibility of the entire company, with the board blaming IT after 70 per cent of breaches, with only 60 per cent recognising inadequate investments as partially responsible.
The road ahead
Fortunately, it’s not all doom and gloom, and many businesses are coming around to the idea of investing in security.
Whilst 67 per cent of businesses are investing in keeping existing solutions up to date, there is also more expenditure on new security solutions and services, which reflects the ever-changing threat landscape, and the fact that the board is finally waking up to the need to invest before the damage is done. 60 per cent of businesses invested in new security solutions and services in 2017 and 56 per cent plan to do so in 2018.
There are many factors driving boards, executives and IT decision-makers to make cyber security a top priority.
· Security breaches and global attacks: It’s safe to say that the vast majority of organisations have experienced a breach of some kind, and 49 per cent of respondents said that their organisations had increased their focus on security following a global attack such as WannaCry. It is this increased publicity and scrutiny, along with the negative impact on reputation and business operation, which finally makes security a board-level issue rather than simply the domain of IT.
· Attack surface: The adoption of the cloud, proliferation of IoT and growth in big data expand the circumference and complexity of the attack surface. 74 per cent of survey respondents indicated that cloud security is becoming more of a focus for their organisations. In fact, half of respondents have plans to invest in cloud security over the next 12 months. The spread of IoT is also contributing to the expanding attack surface, with 3.1 billion devices predicted to be connected to businesses by the end of the year. These devices are difficult to protect, and experts predict that more than 25 per cent of all security attacks will be targeted towards IoT devices by 2020.
· Regulatory compliance: New government and industry regulations are also increasing the importance of security. 34 per cent of respondents indicated that these regulations heighten the awareness of security at the board level. GDPR being implemented by the EU is an example of this.
Another huge driver for security becoming a board priority is the transition of business-critical infrastructure and operations over to cloud environments, which is becoming less of an option and more of a requirement.
Cloud cybersecurity challenges
The business benefits of cloud are undeniable: 77 per cent of IT professionals believe that the transition to the cloud is a key priority for the board, and half of all businesses surveyed are already planning investment in cloud security over the next 12 months.
One of the biggest challenges of cloud adoption is reduced visibility into data usage and movement. This limitation makes it more difficult to detect unusual user behaviour and data movement that could indicate a compromised system. IT professionals often find it difficult to monitor cloud-based network traffic patterns in order to detect anomalous activity. To mitigate this challenge, cloud adopters often deploy an entirely new set of cloud-enabled security tools in order to gain security insight into data usage.
These trends are leading cyber security to be viewed as more of a strategic issue and part of organisations’ broader risk strategy, rather than a simple IT investment. If IT security leaders wish to succeed with digital transformation plans, they must rethink their cybersecurity approach with a view to extending visibility across the attack surface, shortening the window between time to detection and mitigation, delivering robust performance, and automating security intelligence and management.
Steve Mulhearn, Director, Enhanced Technologies UKI & DACH