
What is Cybersecurity and why is it important?

What is Cybersecurity? Everything you need to know - Intelance


Cybersecurity is the practice of deploying people, policies, processes and technologies to protect organisations, their critical systems and sensitive information from digital attacks.

What does cybersecurity mean for your business?

Cybersecurity is a business problem that has been presented as such in boardrooms for years, and yet accountability still lies primarily with IT leaders. 

In the 2022 Gartner Board of Directors Survey, 88% of board members classified cybersecurity as a business risk; just 12% called it a technology risk. Still, a 2021 survey showed that the CIO, the chief information security officer (CISO) or their equivalent were held accountable for cybersecurity at 85% of organizations.

Organisations have become far more vulnerable to cyberthreats because digital information and technology are now so heavily integrated into day-to-day work. But the attacks themselves, which target both information and critical infrastructure, are also becoming far more sophisticated. 

Cyber-risk incidents can have operational, financial, reputational and strategic consequences for an organization, all of which come at significant costs. This has made existing measures less effective, and it means that most organizations need to up their cybersecurity game. 

What is a cyberattack?

The most common and notable types of cybersecurity attacks include:

  • Phishing and social-engineering-based attacks.
    Attackers trick legitimate users with proper access credentials into taking action that opens the door for unauthorized users, allowing them to transfer information and data out (data exfiltration).
  • Internet-facing service risks (including cloud services).
    These threats relate to the failure of enterprises, partners and vendors to adequately secure cloud services or other internet-facing services (for example, configuration management failure) from known threats.
  • Password-related account compromises.
    Unauthorized users deploy software or other hacking techniques to identify common and reused passwords they can exploit to gain access to confidential systems, data or assets.
  • Misuse of information.
    Authorised users inadvertently or deliberately disseminate or otherwise misuse information or data to which they have legitimate access.
  • Network-related and man-in-the-middle attacks.
    Attackers may be able to eavesdrop on unsecured network traffic or redirect or interrupt traffic as a result of failure to encrypt messages within and outside an organisation’s firewall.
  • Supply chain attacks.
    Partners, vendors or other third-party assets or systems (or code) become compromised, creating a vector to attack or exfiltrate information from enterprise systems.
  • Denial-of-service attacks (DoS).
    Attackers overwhelm enterprise systems and cause a temporary shutdown or slowdown. Distributed DoS (DDoS) attacks also flood systems, but by using a network of devices.
  • Ransomware.
    This malicious software infects an organisation’s systems and restricts access to encrypted data or systems until a ransom is paid to the perpetrator. Some attackers threaten to release data if the ransom isn’t paid.

What is a DDoS attack?

Cyber attackers deploy DDoS attacks by using a network of devices to overwhelm enterprise systems. While this form of cyber attack is capable of shutting down service, most attacks are actually designed to cause disruption rather than interrupt service completely.

Thousands of DDoS attacks are now reported each day, and most are mitigated as a normal course of business with no special attention warranted. But cyber attackers are capable of increasing the scope of the attack — and DDoS attacks continue to rise in complexity, volume and frequency. This presents a growing threat to the network security of even the smallest enterprises.

DDoS attacks also increasingly target applications directly. Successful and cost-effective defense against this type of threat therefore requires a multilayered approach:

  • Internal: defenses inside your network, behind the firewall.
  • Edge: on-premises solutions (physical devices on or in front of the enterprise firewalls and edge routers).
  • External/cloud provider: defenses outside the enterprise, such as internet service providers (ISPs).
  • People and process: incident response and the mitigation playbook, along with the skill sets needed to stop an attack.

DDoS mitigation requires skills distinct from those required to defend against other types of cyberattacks, so most organisations will need to augment their capabilities with third-party solutions.

What are cybersecurity controls and cyber defense?

A range of IT and information system control areas form the technical line of defense against cyberattacks. These include:

  • Network and perimeter security.
    A network perimeter demarcates the boundary between an organisation’s intranet and the external or public-facing internet. Vulnerabilities create the risk that attackers can use the internet to attack resources connected to it.
  • Endpoint security.
    Endpoints are network-connected devices, such as laptops, mobile phones and servers. Endpoint security protects these assets and, by extension, data, information or assets connected to these assets from malicious actors or campaigns.
  • Application security.
    It protects data or code within applications, both cloud-based and traditional, before and after applications are deployed.
  • Data security.
    It comprises the processes and associated tools that protect sensitive information assets, either in transit or at rest. Data security methods include encryption, ensuring sensitive data is erased, and creating data backups.
  • Identity and access management (IAM).
    IAM enables the right individuals to access the right resources at the right times for the right reasons.
  • Zero trust architecture.
    It removes implicit trust (“This user is inside my security perimeter”) and replaces it with adaptive, explicit trust (“This user is authenticated with multifactor authentication from a corporate laptop with a functioning security suite”).

Technology controls aren’t the only line of defense against cyberattacks. Leading organizations critically examine their cyber-risk culture and relevant functions’ maturity to expand their cyber defense. This includes building employee awareness and secure behaviors.

Why does cybersecurity fail?

Simply put, cybersecurity fails because of a lack of adequate controls. No organisation is 100% secure, and organisations cannot control threats or bad actors. Organizations only control priorities and investments in security readiness. 

To decide where, when and how to invest in IT controls and cyber defense, benchmark your security capabilities — for people, process and technology — and identify gaps to fill and priorities to target.

Notably, the human element features heavily in cybersecurity risks. Cybercriminals have become experts at social engineering, and they use increasingly sophisticated techniques to trick employees into clicking on malicious links. Making sure employees have the information and know-how to better defend against these attacks is critical.

How much should I spend on cybersecurity?

The amount you spend on cybersecurity does not reflect your level of protection, nor does what others spend inform your level of protection compared to theirs.

Most monetary representations of risk and security readiness (i.e., “Is that a £5 million risk or a £50 million risk?”) are neither credible nor defensible, and, even when they are credible, they do not support daily decision making related to priorities and investments in security.

Use outcome-driven metrics (ODMs) to enable more effective governance over cybersecurity priorities and investments. ODMs don’t measure, report or influence investments by threat type; it is outside your control to align spending to address ransomware, attacks or hacking. Rather, align investments to the controls that address those threats.

For example, an organisation cannot control whether it suffers a ransomware attack, but it can align investments to three critical controls: back up and restore, business continuity and phishing training. The ODMs of these three controls reflect how well the organisation is protected against ransomware and what that level of protection costs — a business-based analysis that tells a compelling story for the board and other senior leaders.

Note that a control can be any combination of people, process and technology that you own, manage and deploy to create a level of protection for the organisation. Take a cost optimisation approach to evaluate the cost (investment), value (benefit) and the level of risk managed for each control. Generally, better protection (less risk) will be more expensive.