What Cybersecurity Risk Must SMEs Address Now?
As a small to medium-sized business owner, what is your immediate reaction when cybersecurity comes up? Sadly, most will treat it as a technical issue rather than a business one.
Recent research provides information that might change that thinking: In the 2021 PwC Global CEO Survey, nearly half (47 percent) of small and medium-sized business respondents ranked cyberattacks as the top threat to their organization's growth. In the 2022 report, CEOs ranked cyber risk as the top threat to growth.
Executives expect threat actors to have a greater impact on organizations in 2023 than in 2022: 65 percent of executives consider cybercriminals the most significant threat to their organization in the coming year, followed by hacktivists and insiders.
Most CIOs and CISOs see three significant cyber risks for 2023:
1. Business email compromises (BEC)
2. Ransomware
3. Attacks against the cloud
Eighty-one percent of CIOs, CISOs, and CTOs are not confident that their company has taken steps to protect against four major cloud threats:
1. Credential management
2. Resource authorization or public versus private storage configuration
3. Cloud security configuration errors or incorrect configurations
4. Mismanagement of APIs
Thirty-eight percent expect more serious attacks via the cloud in 2023. Most of these breaches would be related to a misconfiguration.
Consider the typical scenario: attackers exploit a misconfiguration in a company's cloud-hosted, internet-facing application and steal user data to sell on the black market. A cloud data breach is not so much a technical risk as a business risk, bringing costly notifications to data owners, a possible class-action lawsuit against the company, and damage to the enterprise's reputation.
Why Could This Happen?
These attacks would mainly be due to a missing or deficient cybersecurity strategy, one that is not specific to the cloud, with no defense in depth, coding errors, inadequate testing of written and library code, or improperly encrypted data.
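The four cloud threats listed above (credential management, public versus private storage configuration, configuration errors, and API mismanagement) are all things a small company can check for itself before an attacker does. The following is an added example, not code from PwC or from this article: it audits a constructed inventory of storage buckets and API keys for those misconfiguration classes. The record layout, the field names (`acl`, `block_public_access`, `encryption`, `scopes`, `last_used`) and the rotation and staleness thresholds are assumptions of this example, chosen to illustrate the checks rather than taken from any particular cloud provider.

```python
"""Added example: audit a constructed cloud inventory for the four cloud
threat classes named in the article. Record layout, field names and
thresholds are assumptions of this example, not PwC's or a provider's."""
from datetime import date

# Constructed sample inventory (not real data); field names are assumed.
BUCKETS = [
    {"name": "customer-exports", "acl": "public-read",
     "block_public_access": False, "encryption": None},
    {"name": "finance-backups", "acl": "private",
     "block_public_access": True, "encryption": "AES256"},
]
API_KEYS = [
    {"id": "key-ops-1", "created": date(2022, 1, 10),
     "scopes": ["*"], "last_used": date(2023, 1, 5)},
    {"id": "key-billing", "created": date(2022, 12, 1),
     "scopes": ["billing:read"], "last_used": date(2023, 1, 6)},
]
# Constructed "as of" date so the age calculations are reproducible.
AS_OF = date(2023, 1, 10)


def audit_bucket(bucket):
    """Return findings for one storage bucket record (public vs private,
    public-access backstop, encryption at rest)."""
    findings = []
    if bucket["acl"] != "private":
        findings.append(f"ACL '{bucket['acl']}' exposes the bucket; set it to private")
    if not bucket["block_public_access"]:
        findings.append("public access block disabled; enable it as a backstop")
    if not bucket["encryption"]:
        findings.append("no encryption at rest configured")
    return findings


def audit_api_key(key, today, max_age_days=90, stale_days=30):
    """Return findings for one API key record (rotation age, wildcard
    scope, unused credentials). Thresholds are assumed defaults."""
    findings = []
    age = (today - key["created"]).days
    idle = (today - key["last_used"]).days
    if age > max_age_days:
        findings.append(f"key is {age} days old; rotate (limit {max_age_days})")
    if "*" in key["scopes"]:
        findings.append("wildcard scope; restrict to the permissions actually used")
    if idle > stale_days:
        findings.append(f"unused for {idle} days; revoke if no longer needed")
    return findings


def audit(buckets, api_keys, today):
    """Map each resource that has at least one finding to its findings."""
    report = {}
    for bucket in buckets:
        issues = audit_bucket(bucket)
        if issues:
            report[bucket["name"]] = issues
    for key in api_keys:
        issues = audit_api_key(key, today)
        if issues:
            report[key["id"]] = issues
    return report


if __name__ == "__main__":
    for resource, issues in audit(BUCKETS, API_KEYS, AS_OF).items():
        print(resource)
        for issue in issues:
            print("  -", issue)
```

Run against the constructed inventory, the public, unencrypted `customer-exports` bucket and the year-old wildcard-scoped `key-ops-1` are reported; the private, encrypted bucket and the narrowly scoped, recently rotated key are not. In practice the inventory would be pulled from the provider's configuration API, and the same report feeds the risk measurements the checklist at the end of this article asks leadership to use.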
But are small and medium-sized companies right to worry? And if so, what should they do about it?
The reality is that the cyber threats that small and medium-sized businesses face are no different from those that any other type of business faces.
Cybercriminals are opportunistic and will seek to attack wherever they see vulnerabilities.
The most important aspect that small and medium businesses need to address is the involvement of the C-Suite.
In the latest PwC study, Digital Trust Insights 2023, we took a deep dive into the specific actions the different C-levels need to address:
Actions for the CEO and the board of directors:
• Talk about executive commitment to cybersecurity
• Use influence to inspire change
• Eliminate organizational barriers for the integration and coordination of executives in the cybersecurity strategy
Actions for the CIO or CTO:
• Secure applications in the back-end and front-end
• Build an IoT strategy
• Work with the OT team to secure the operation’s technology
• Develop with the CISO a cloud security technique by default
Actions for the CFO:
• As companies modernize and simplify IT, finance people need to ask two questions:
o How can you get the most cyber risk reduction per incremental dollar invested?
o Which investments reduce the most risk in the least time?
• Companies that know the monetary costs of risk are more likely to secure by design — and save.
Actions for the COO:
• Plan with the CISO and CIO how to advance and secure OT aligned with IT
• Work on a third-party risk methodology with the CISO and the CRO
Actions for the Risk Management team:
• Build an "all hazards" approach to identifying sources of disruption
• Create a resilience program that integrates the core competencies of:
o Crisis management
o Business continuity
o Disaster recovery
o Incident response, so that the enterprise responds in a cohesive and consistent manner
Cyber risks are not only a CISO or CIO problem; they are a company-wide concern.
There is an urgent need for C-suite collaboration to preserve trust, confidence and willingness to make business decisions.
A catastrophic cyberattack is a severe threat to 2023 resilience plans. Such an attack would surely put C-suite alliances to the test.
Two-thirds of executives consider cybercrime their most significant threat in the coming year. Cybercriminals, increasingly using off-the-shelf tools, can perpetrate and orchestrate various attacks.
Here is a checklist for reviewing cybersecurity and technology risk:
Strategy:
Risk alignment
• Key question: Is there an understanding of how much risk the company is willing to accept?
• Behavior change: Risk measurements for decision-making.
Effective operation
• Key question: Do managers have visibility on the risks in data management?
• Behavior change: Cyber risk needs attention at the executive level.
Decision-making
• Key question: Are data risk priorities defined and aligned with the business strategy?
• Behavior change: Leadership needs to understand what is essential.
Reports and insights
• Key question: Does senior management have access to meaningful and actionable information?
• Behavior change: Risk reporting must go beyond the tactical.
Adaptability
• Key question: Can our processes, decisions, and actions adapt quickly to new information?
• Behavior change: Resilience means knowing how to respond.
Unless the board of directors discusses these questions, companies will only invest in siloed solutions that fail to provide a holistic view of the risk and create a false sense of security, trust, and confidence.
2023 will be the year that companies either take cybersecurity risk seriously or the risk will take the companies out of business.
Juan Carlos Carrillo
CIPT, CDPSE, CCSK, CIAM
Director Cybersecurity & Privacy