Cybersecurity: When Failure Isn’t an Option
The impact of COVID-19 on the cyber security industry has been severe, and the list of effects so far is by no means exhaustive. With businesses moving to hybrid and remote models of working, the Cloud is growing. However, with the Cloud growing, cyber security threats are following suit. The WEF has listed cyber security failure as a critical threat in the next 0-5 years. So what exactly is happening, what are organizations doing to combat this, and what does this mean for the industry?
It’s no secret that cyber security threats increased in 2021. According to the Malwarebytes 2022 Threat Review, any dips seen in malware and email threat detections (for both Windows and Mac) during 2020 were reversed and surpassed in 2021. It’s a phenomenon that’s been dubbed the ‘COVID bounce’. In addition, a NetScout report announced that there were 9.7m DDoS attacks in 2021. The statistics are clear: the threat is current, and the move to cloud-based technology solutions has played its part. A Gartner 2022 report lists ‘attack surface expansion’ as one of the key cyber security trends to watch out for in 2022. Put simply, with so many more digital assets and platforms, including cloud applications, businesses have expanded the possible avenues of attack and become much more vulnerable to cyber-attacks as a consequence.
Jeremy Fleming, Director of GCHQ, claims that recent global events, including COVID-19 and the Russian attack on Ukraine, have exposed how vulnerable we are, and identified gaps in national cyber security strategies. The Cybersecurity and Infrastructure Security Agency (CISA), made up of the US, UK, Australia, Canada and New Zealand, has issued stark warnings about the threat to businesses and national critical infrastructure from nation-state actors. President Biden has even announced an 11 percent increase for cyber security in the US FY23 budget, and his Software Bill of Materials aims to bolster the use of zero trust in the US software supply chain. These all show how cybersecurity has moved not just up the agenda but onto the itineraries of national leaders, and that technology is a vital part of our everyday lives, jobs, businesses, and the economy. To be able to harness digital acceleration safely, we need to invest in cyber security.
To put this into perspective even further, the Cloud Security Alliance (CSA) has launched the Countdown to Y2Q calendar. They’ve declared April 14th 2030 to be the day when a quantum computer will be able to break present-day cyber security infrastructure, otherwise known as the countdown to quantum destruction. It sounds dramatic, but the reason the CSA has created the calendar is to serve as a stark reminder to organizations that the threat is real. If we don’t invest in cyber security now, we risk becoming victims of our own design.
Organizations can take action, however, and some have already. Some of the giants of cloud technology have acquired cyber security businesses in the last 12 months, suggesting they intend to significantly expand into this area. Microsoft acquired CloudKnox Security (Cloud Infrastructure Entitlement Management technology) and RiskIQ (cyber threat intelligence and external attack surface management) in 2021, to join Microsoft Azure. Amazon Web Services (AWS) acquired Wickr, an encrypted communication technology service. Google have also just finished the acquisition of Mandiant (threat intelligence), for implementation into their Google Cloud service. These are all huge investments, both in monetary terms and in terms of sentiment, into the cyber security industry. They are setting an example for other organizations that dealing with current and imminent threats should be a priority.
The March 2022 Moody’s report on global cyber security found annual growth in investment but gaps in preparedness. It also found that there was a high number of organisations, mostly public sector, that don’t have cyber security as a budget line item within their IT/Tech budget. Organisations with cyber security as a budget line item had typically made, and sustained, larger investments in cyber security. The report also found that cyber security had a higher budget and allocation of resources when the reporting structure within an organisation allowed for closeness between cyber security managers and the executive suite. If businesses want to invest in and prioritise cyber security, they should identify it as a standalone item within their IT budgets, and create more direct lines of communication between their cyber security managers and the upper tiers of their organisation.
Cyber security professionals are already in demand, with an annual shortfall of 14,000 staff in the UK alone, according to the latest report from the Department for Culture, Media and Sport (DCMS). The upward trend in prioritisation and investment in cyber security worldwide is encouraging. However, public and private organisations may find themselves with all the tools and no one to wield them. Some programmes are already in place to encourage people to start a career in cyber security, such as the CyberFirst programme in the UK, and the UK Cyber Security Council is devising career pathways in a framework that should help professionals to develop their careers. Organisations are being encouraged to create better work environments and clear career pathways to retain security staff and support them into senior positions, but will this be enough?
Going forward, it’s clear there has to be an emphasis on people, process and technology and that we need to invest in all three in order to create effective cybersecurity. For cybersecurity, despite the current economic uncertainties, is not something any of us can afford to compromise on.