Sophisticated malware, integrity attacks, mobile invasions—the 2016 cybercriminal arsenal bursts with new toys and terrors. Yet their targets’ own shortsightedness might still be their most potent and reliable weapon.
Even more shocking, many corporate leaders are not responding to hackers’ growing threats and their own protection gaps. Out of the 1,755 organizations in the EY 2015 Global Information Security Survey (GISS), 88% called their information security insufficient, and a third either lacked confidence in their attack detection or had no threat intelligence program at all.
Despite rapidly escalating cybercriminal abilities, these security failures persist from the 2014 survey (awareness may be rising, though that means little without concrete changes). Worse still, yesterday’s exploits pale in comparison to the damage done by breaches today.
88% of surveyed organizations called their information security insufficient.
“We know that breaches are getting bigger,” says Ken Allan, EY Global Cybersecurity Advisory Leader. “The impact of a breach five years ago to now is much bigger as we go more digital.”
Take a step back and consider the decision-making landscape. Every conference table is a carousel of competing priorities, and managers look for results to capture and fires to extinguish. The urgency of cybersecurity precautions and protocols can be lost in this environment. If the servers aren’t smoking, where’s the fire?
That may be the most dangerous mindset of all. Allan contends that every organization has been hacked in some way, but many don’t know it yet, let alone the severity of the breach. He urges all boards to adopt Active Defense principles that help protect business interests and he seeks to reframe the incentives to care.
“A large component of new wealth is being added by the rush into digital,” Allan says. “Without digital trust, people will not embrace these changes. We need to think of cybersecurity as a business enabler.”
According to a 2014 Goldman Sachs forecast, US consumers will spend $626 billion via mobile by 2018, and the Gartner Group estimates that 85% of business relationships will be managed without human interaction by 2020. All organizations must take notice, because all hackers certainly are.
Just ask retailers who thought cybersecurity was only important for banks. Likewise media companies. The stakes are higher than ever as everything from consumer cars to key oil and gas assets come online. The internet of things and other digital integrations heighten capabilities but also deepen potential vulnerabilities.
We need to think of cybersecurity as a business enabler.
Counterintuitively, these developments limit the impact of technology on cybersecurity. Software patches and IT infrastructure alone are not sufficient barriers (and probably never were). Evolving organizations must look to human assets—high-level partnerships and entry-level risks. Individual employee susceptibility to phishing attacks and other manipulation remains high, and only increased awareness and training can strengthen the weakest links. Rising chatter and collaboration among hackers around the dark web must be met by intra-industry and multi-national efforts to share security information.
“We pretend that there’s cooperation, but generally it’s a bit superficial,” Allan says. “Having said that, organizations like the Financial Services Information Sharing and Analysis Center are a great forum to build upon.” Other institutional and law enforcement efforts are furthering a unified approach.
Perhaps before the next disappointing survey, more at-risk organizations will learn a simple lesson: the hackers’ growing arsenal of the latest tools of destruction is less useful if its targets take proactive precautions that keep them out of range in the first place.