As cyberattacks on companies have become increasingly prevalent over the past several years, more hackers are also targeting supply chains as a means of entry, creating a ripple effect within business ecosystems. As Boston-headquartered third-party cyber risk intelligence firm Black Kite describes it, “cyberattacks can now impact hundreds of companies without discrimination.”
The situation is prompting organizations to take a more comprehensive approach to improving cyber defenses – and the key, according to industry experts, is finding the “sweet spot” that balances cybersecurity with the overall business needs. These experts add that most companies that succeed in doing this are those that recognize that cybersecurity is a business concern and not just a technological issue.
“Look at any cybersecurity incident and you’ll find a failure of decision making, not a failure of technology,” wrote Paul Proctor, vice-president and distinguished analyst at global management consultancy Gartner, in a blog post on the firm’s website.
“The real purpose of a security program is not to prevent the organization from being hacked, because that’s an impossible goal. The purpose of the security program is to balance the need to protect with the need to run the business. The right amount of security is one that’s defensible to our key stakeholders like our citizens, customers, shareholders, and regulators.”
To find out why cybersecurity is a critical issue that business leaders – and not just IT professionals – must face head-on, Insurance Business referred to various industry specialists for their views on the matter. Here are the top reasons why cybersecurity should be treated as an overall business concern, according to experts.
Some forms of cyberattack have evolved to the point that they have “created their own business ecosystem,” increasing the severity of their impact on businesses, according to Black Kite. The firm cited ransomware, which has given rise to ransomware-as-a-service (RaaS), as an example.
“As it raises the stake for its victims, RaaS has lowered the bar of entry into the ransomware business in a multifaceted approach,” the company explained on its website. “[Advanced persistent threat] (APT) groups have also begun to follow the extortion model, enabling a massive increase in frequency and sophistication.
“These cyberattacks not only affect the availability of business systems but also result in the release of sensitive data, which has serious ramifications on the business, customers, and partners.”
Business leaders have the unenviable task of meeting “a broad spectrum of business needs that sometimes conflict” and technology often plays a crucial role in achieving these goals, according to New Jersey-based IT and network solutions provider Emazzanti Technologies.
The firm cited the need for businesses to balance productivity and revenue goals with regulatory compliance and the protection of digital assets as among the biggest challenges executives face, with the pandemic-fueled shift to remote work complicating matters even further.
“Implementing the best solutions requires business leaders and tech personnel to work closely together,” the company wrote on its website. “For instance, not all data requires the same approach to security. Personal health information (PHI) requires much tighter security controls than marketing data, for example.
“Business leaders with an overall view of the organization and business processes are better positioned to establish security priorities. They can also more easily identify what data carries greater potential for harm if breached and where that data resides.”
Regulatory compliance is another cybersecurity issue that Emazzanti described as “frequently [straddling] the line between business and technology.”
“Securing sensitive data in accordance with regulations certainly requires technology solutions,” the firm noted. “But it also requires an understanding of business processes and a whole picture view. Business leaders [who] do not stay on top of privacy regulations set themselves up for trouble. If a third-party audit uncovers compliance issues, auditors will hold business leaders accountable, not the IT consultants.”
Targeting supply chains has become a common denominator in cyberattacks, according to Black Kite. It also warned businesses to expect an increase in these types of attacks in the future as cybercrime becomes industrialized and easier for cyber actors to copy.
“While supply chain security requires IT resources for auditing and monitoring, it has never been limited to an IT department issue,” the firm explained. “In fact, IT departments oftentimes find it difficult to pull the complete list of suppliers, let alone manage the risks and continuously monitor these suppliers by themselves.”
Emazzanti added that because departments across the organization often manage their own supplier relationships, business leaders must factor those relationships into their risk management strategies.
“Supply chain relationships affect regulatory compliance and logistics,” the company noted. “Business leaders find themselves in a better position than an isolated IT department to develop a complete picture of vendors and the risks they introduce.”
Business leaders should treat cybersecurity as an investment rather than just as part of their operating costs, as doing so will help them navigate a future with a “dangerous cyber landscape,” according to Emazzanti.
“Effective security programs can prove expensive,” the firm wrote. “However, with effective planning, implementing the right tools and processes in the right ways delivers a critical return on investment.”
Black Kite added that a mature cybersecurity program often boils down to selecting the right set of security controls and investments with the board’s approval.
“It is important to balance the security budget and the reduced risk, so the efforts will yield higher returns, or ‘return on security investments,’” the company noted. “That’s why these initiatives should be led by people with a business mindset, not just a control or technology mindset.”
Businesses that design cybersecurity strategies from a “primarily technology-driven” approach often commit the mistake of missing critical human elements, cautioned Emazzanti.
“Sometimes… well-meaning security teams implement solutions that make it difficult for people to access the information they need to do their jobs,” the firm explained. “When that happens, employees find ways to bypass security measures, introducing risk.”
Emazzanti reminded business leaders of the importance of good communication when creating a security mindset throughout the organization, which requires coordination with business and technical elements.
“Leadership must educate employees about risks and security policies, and also understand employee needs,” it added.