Businesses today cannot afford to rest on their laurels when it comes to cyber security risk. Here, we share our observations of how business leaders are choosing to tackle cyber challenges in 2024.
Introduction
Companies are still struggling to understand how best to manage their cyber security risk footprints across their enterprises, specifically across distributed environments with multi-national or global footprints, or where post-COVID remote workforce challenges are still prominent. Ultimately, adoption of proper risk mitigation strategies hasn't borne the level of maturity advancement that we would have expected over the last three to four years.
The risk landscape is ever-changing and we're seeing an increase in the number of threat actor groups popping up, and more and more sophisticated phishing and other credential harvesting tools, tactics, and techniques being deployed. Ultimately, it's a game of 'whack-a-mole'. Many CISOs and other senior executives in the security and IT space struggle with where to make the right investments to best secure their companies.
In the second episode of our special podcast series, First Call, S-RM's Chief Executive Officer Heyrick Bond Gunning and Head of Cyber Security, Americas Paul Caron reflect on the ways in which they're seeing business leaders approach cyber security challenges in 2024. Are the approaches working or does more need to be done?
Zero trust framework
"We’re seeing some good investments in the identity and access management space, with the ever so clear buzzword of zero trust framework front of mind", says Paul Caron. What does that mean for businesses and how can they prevent unauthorised access from proliferating across their networks? There's a good trajectory in spend and desire to invest in those areas.
Zero-trust framework: A zero-trust framework requires all users to be authenticated, authorised, and continuously validated before gaining and keeping access to applications and data, regardless of whether those users are inside or outside the organisation's network.
But, unfortunately, there is a lack of proper implementation and integration of these tools and technologies. So, for example, businesses may have implemented multi-factor authentication (MFA) but maybe not in a cross-border environment, or they could have single sign-on (SSO), or other identity and access management tools, but weak governance employed around them.
And, when we think about what's happening with AI right now, it gets pretty scary pretty quickly because what you're seeing is a race to enable businesses in a strategically, operationally, and fiscally sound fashion, but the security controls around AI are still lagging behind. So, it's a compounding problem.
Tabletop exercises
When it comes to cyber incidents, often it's a matter of 'when' not 'if'. As a result, we're seeing an uptick in the number of companies that want to support and embark on the tabletop exercise journey – preparing the board and the business in the event of an incident.
Looking back at the last 18 to 24 months, cyber incident tabletop exercises were very much seen as paper drills – the exercises might have fallen short because a key constituent or stakeholder was on holiday, for instance. What we're seeing now, which has been a breath of fresh air, is a lot more executive-level support and involvement in the planning and execution of these exercises. Because, ultimately, when these crises occur, it's not just contained within the IT or cyber security team, it really proliferates out to the executive sponsors, stakeholders, and decision-makers.
Back-ups
Luckily, there has also been a stronger push to really understand the resiliency component of cyber incident response planning, beyond just the identification and detection of threats. Ultimately, when a cyber incident does occur, businesses should be aiming to come out on the other side stronger than before. Part of this improved resilience involves investing in back-ups. These days, it's not so much "We've locked up your systems and you're never getting your data back", because organisations are increasingly backing up their data, which allows them to return to business as usual much more quickly following an incident.
"Conversely, one thing that we're still coaching a lot of clients on is that back-ups are great, but disaster recovery architecture is even better," comments Caron. There's still a little bit more education that we're helping our clients with to really understand the difference between back-up solutions and true disaster recovery, which includes back-ups but is so much wider.
Two years ago, maybe even three, there was a stronger interest in paying for the return of data even if back-ups were available: paying your way out of it was seen as a way to stave off that reputational risk. What we're seeing now, especially after the LockBit takedown, is that data sometimes isn't deleted, so the risk is still there, and data can still be resold on secondary and tertiary markets. Those clients that understand how important disaster recovery architecture is are miles more resilient than those that don't.
Get ahead of the messaging
It's really important that business leaders consider how they are going to navigate speaking with regulators, shareholders, and board members or adjacent third parties that have strict requirements and expectations of them following a cyber incident. Getting ahead of the messaging and properly defining what the risk is going to be, whether that's operational, reputational, regulatory, or financial is essential.
One of the CEOs that we've partnered with recently on an incident did an amazing job of getting ahead on the communications and messaging front and really owning it. He was hyper-transparent and communicated that they were trying their best to make sure that all of their suppliers, vendors, end clients, and consumers of their data understood what they were doing to rectify the issue. That went a really long way.
Conclusion
Evidently, senior executives are increasingly aware of and involved in their organisations' cyber risk mitigation plans. Whether it's regulatory drivers like the SEC's new cyber disclosure rules, a reduction in the ability to transfer risk to cyber insurers – with more risk typically sitting within businesses themselves these days – or other motivations, what is clear is that there are many moving parts and, given the rapidly evolving risk landscape, cyber security risk needs to be at the forefront of every decision-maker’s mind in 2024.