Cybersecurity breaches pose a major business risk and are no longer solely a technology concern. According to analyst Gartner’s 2022 Board of Directors Survey, 88% of respondents viewed cybersecurity as a business risk, not just a technology risk. However, only 13% of boards responded by instituting cybersecurity-specific board committees overseen by a dedicated director.
This could prove a costly omission. The average cost to business from a cybersecurity breach is around $3.6m, according to the World Economic Forum’s (WEF) 2022 Global Cybersecurity Outlook. The report also found that, in addition to the financial cost, a public breach has seen the average share price of a hacked company underperform the Nasdaq by -3%, even six months after the event.
Ransomware attacks rose by 151% in 2021, with an average 270 cyberattacks per organisation, representing a 31% increase from 2020, according to the WEF. The sheer volume and increased sophistication of attacks means these breaches are “outpacing societies’ ability to prevent or respond to them effectively”, says the report. Given the potential damage of a cyberattack, are business leaders making cybersecurity enough of a priority?
GlobalData principal analyst David Bicknell highlights UK retailer Tesco’s cyber stress test detailed in its 2022 annual report as a warning to other corporations and something that CEOs should consider seriously. The stress test found that a cyber breach could cost the company up to £2.4bn and bring with it reputational harm. In addition, GlobalData thematic research outlines increased mandatory reporting of such a breach, which may pose further reputational risk and incur significant fines. “It shows there are no shortcuts when it comes to cybersecurity,” says Bicknell.
Companies need a dedicated chief security officer to keep data safe
Making cybersecurity a priority has much to do with executive reporting lines, according to travel company TUI’s chief information security officer (CISO) Nick Jones. “The only way a business can effectively tackle this problem is by education at board level, and that means CISOs reporting to boards or at the very least becoming the peers of chief information officers,” he says. If a board only hears from a CISO when something has gone wrong, then the company is going about things the wrong way. “The CISO needs a direct line to the board and a clearly defined remit,” adds Jones.
According to thematic research by GlobalData, the use of CISOs by businesses is patchy at a time when they are most needed. Nearly half (45%) of companies surveyed did not employ a CISO, according to a November 2021 report from managed cloud service provider Navisite. In addition, many existing CISOs are under pressure to secure a growing number of remote workers while facing an increased volume and complexity of attacks. CISO burnout can put organisations at increased risk because they lack time to hire talent, attend non-departmental meetings, communicate with customers and keep up with industry trends, according to GlobalData thematic research.
A legal requirement for businesses to create dedicated CISO board positions may improve the standing of the role, says Jones. Nordic countries are leading the way in making it a requirement to have a CISO on the board and there are “rumblings” that other jurisdictions may follow, says Jones. In terms of government support, Jones notes the example of the US government taking cybersecurity seriously following the Colonial Pipeline Attack in May 2021, during which hackers compromised critical oil infrastructure. Jones views this breach as the “last straw” for any complacency. The cyberattack prompted a level of coordination between businesses and the US government that has created a more robust defence against such events in the future. Overall, Jones believes the US is leading globally on cybersecurity, both on government support and “because the maturity of larger US corporations means they probably have the level of cybersecurity funding they need”.
However, corporate investment in cybersecurity elsewhere in the world is generally too low, according to Jones. “Research shows many cybersecurity functions are underfunded and in many industries this is further impacted by the Covid-19 pandemic,” he adds. “You will find that companies that have experienced a breach tend to invest more, but now is the time for ramping up investment across the board.”
Investing in cybersecurity skills first
As cybersecurity issues enter boardroom discussions, budgets are on the increase, according to GlobalData. The rise in sophisticated ransomware attacks such as the US Colonial Pipeline Attack amid growing geopolitical tensions, notably the Russia-Ukraine conflict, has made cybersecurity one of the most talked-about technologies across mainstream media and in boardrooms during the first quarter of 2022, according to GlobalData thematic research. A December 2021 security priorities survey by cybersecurity company Kaspersky found that 85% of IT decision makers in North America believe cybersecurity budgets will increase by anywhere up to 50% in 2022. The survey also found that spending in 2022 will be spread over several areas, with 20% allocated to on-premises infrastructure and hardware, 16% to on-premises tools and software and 19% to skilled staff.
However, UK cybersecurity training company Capslock co-founder and cybersecurity consultant Lorna Armitage says there is little point in increasing infrastructure and hardware spend amid a critical skills shortage in the sector. For example, in the UK, demand for cybersecurity engineers doubled in 2022 compared with 2019, according to Tech Nation. Over the eight years tracked by cybersecurity research organisation Cybersecurity Ventures, the number of unfilled cybersecurity jobs grew by 350%, from one million positions in 2013 to 3.5 million in 2021. Although the cybersecurity skills gap is levelling off a little, there will likely be the same number of openings in 2025 as there are in mid-2022, according to GlobalData’s thematic research.
Armitage believes addressing the sector’s lack of diversity would go a long way to helping the skills shortfall, while giving under-represented candidates an opportunity to improve their socio-economic standing. “We measure future potential rather than looking at barriers to entry such as professional experience and qualifications, as well as removing financial barriers to training,” she adds. Eliminating these barriers means around 40% of Capslock’s trainees are women. According to GlobalData thematic research, women are expected to represent 30% of the global cybersecurity workforce by 2025, with that figure reaching 35% by 2031.
Capslock eschews traditional cybersecurity training for a more practical and immersive approach. The company has around 100 employees in partner programmes with companies of various sizes, from small and medium-sized enterprises to multinationals including Deloitte, PwC and BT. Nearly 250 Capslock alumni are now working for partners, and the company’s overall employment rate, post-graduation, is 75%.
Cybersecurity spend needs to be ‘focused’, not necessarily increased
Whether investing in people or infrastructure, are companies investing enough capital and are they doing it quickly enough? PwC cybersecurity partner Richard Horne says that while investment is required, securing a business is more about focusing on the complexity of the organisation’s technology architecture. Legacy systems present flexibility constraints and an ever-expanding dimension of complexity that drives cyber risk.
“Increased spend on the latest tools is not the issue here; it is more about making the company more resilient, simplifying its organisation and focusing the spend on where it is needed,” says Horne.
Different organisations will have different cybersecurity needs and investment requirements. “For many businesses it is simply about understanding how they are dependent on technology, what their critical business processes are and then embedding cybersecurity considerations into every business decision they make – that is the way to secure an organisation,” says Horne.
A key method of reaching a critical level of understanding about how cybersecurity can be most effectively deployed is conducting a company-wide cyber stress test, as Tesco did in 2022. “I think all organisations should be undertaking two kinds of stress tests,” says Horne. “One using ethical hackers to simulate actual attacks and test cybersecurity controls. The second is an executive-level stress test to discover how you would respond as a business and deal with the crisis.”
This level of understanding will show how every business decision impacts the cybersecurity risk profile of an organisation, for good or for bad, says Horne. Whether a company is entering a new market, launching a new product, making acquisitions or divesting, the key challenge for organisations is to embed cybersecurity thinking in every part of that decision-making. With the increased volume of attacks over the past two to three years, the level of cybersecurity risk has become very real to organisations and the time has come to make some tough decisions about changing business processes in order to fight cybercrime – it is no longer optional but critical for the survival of every business.