International update: Cybersecurity risk mitigation

Published: Thursday 24 November 2022

In light of Cybersecurity Awareness Month, in October 2022, HLB, the international network of accounting and advisory firms, did some international research and surveyed 753 IT professionals about the challenges they face in today’s cyber-risk landscape. Below we present the key results and conclusions, and take a look at how organisations can move their cyber security strategy forward.

An invisible threat

Organisations are facing a complex risk environment, from recruitment issues to supply chain disruptions; in addition, there is the far less visible, ongoing threat of cyber-attacks.

Cyber-attacks are becoming increasingly sophisticated, making it challenging to protect an organisation’s assets and infrastructure. For this reason, cyber security has become paramount for every single organisation in today’s digital world.

However, hidden weaknesses such as human error remain a constant threat to business. The technology leaders surveyed by HLB almost unanimously agree that human behaviour is the most significant barrier to better cybersecurity.

Organisations experienced the same or higher numbers of cyber-attacks during the past year, with only 7% of respondents to HLB’s 2022 cybersecurity survey seeing cyber-attacks decrease over the past twelve months. These threats had sweeping consequences, affecting operations across the board.

It is time to shed light on cybersecurity, and increasing visibility into your risks is an essential first step. Understanding the main challenges and how to resolve them helps your organisation move from a reactive approach to a proactive strategy.

Top cybersecurity concerns

Organisations are increasingly aware of the danger of cyber-attacks and are actively working to mitigate them, but several challenges halt progress.

  • Cybersecurity skills shortage

In 2021, 2.7 million cybersecurity positions remained unfilled worldwide, according to (ISC)². 85% of the HLB survey respondents are concerned or very concerned that a lack of talent is a cybersecurity risk. This talent crisis is partially due to rapid technological advancements and the need for a lot of training, as well as a high demand for people with data security backgrounds. As positions go unfilled, cybersecurity staff find themselves experiencing burnout and heavy workloads, potentially leading to increased staff turnover.

To mitigate this issue, organisations should start with an investment in their current and future workforce, focusing on recruitment, retention and training.

It is also essential to align your human resources and cybersecurity goals, as almost one in three IT workers believe their organisation overlooks promising candidates because they do not understand the skills needed to work in cybersecurity.

  • Lack of employee training

79% of HLB survey respondents feel concerned or very concerned about a lack of training affecting their cybersecurity. In fact, the human factor is almost always involved when a data breach occurs, meaning that without an ongoing training programme, organisations face severe issues.

Moreover, one in three HLB survey respondents said they try to educate staff but face non-compliance.

To solve this issue, it is key for organisations to enforce mandatory training with real-life simulations. By developing security-focused mindsets from day one of employment, teams will understand that cybersecurity is everyone’s concern. Outsourcing training alleviates pressure on the organisation and ensures programmes have the latest information and resources.

  • Cloud vulnerabilities

One-third of organisations run more than 50% of their workloads in the cloud, and whilst the cloud is vital to today’s workforce, its complex nature puts companies at risk, with over 80% of HLB respondents concerned about cloud vulnerabilities affecting their cyber security.

Developing and maintaining a robust cloud security posture is key to mitigating its dangers. One of the best ways to protect your cloud environment is by working with a cloud migration and cybersecurity professional. Risk management experts assess threats and make recommendations to ensure a seamless transition.

  • Lack of cybersecurity awareness from staff

Verizon’s 2022 Data Breach Investigations Report found that four in five data breaches involved human-related error. Your employee’s choices and risk awareness affect your organisation’s security, and 77% of HLB survey respondents are concerned that a lack of awareness negatively impacts cybersecurity.

To increase awareness, companies must embrace vigilance as a shared responsibility that goes from the CEO to the entry-level worker and aim to develop a culture with security at its core. A correct approach should boost awareness without disrupting workflows and productivity.

Moreover, for this approach to truly work, leaders must keep an ongoing flow of communication with all staff, sharing the latest cyber intelligence and explaining the impacts on the company and individuals.

  • Increased threats from adopting new technologies

Emerging technologies, such as big data, artificial intelligence (AI), cloud infrastructure and the internet of things (IoT) fuel growth opportunities across industries. However, their application also provides more opportunities for cyber-attacks, with cyber-criminals being able to weaponise these technologies originally intended to improve operations and protect organisational networks.

These emerging threats can cause significant harm, and 78% of HLB survey respondents express concern about the impact of new technologies on cybersecurity.

Whilst a completely risk-averse mindset to new technologies can hinder growth, organisations must take the time to complete a risk assessment when it comes to the adoption of these new technologies, in order to make evidence-based decisions which will allow them to identify key weaknesses and threats, safeguard critical assets and prepare for attacks.

Achieving cybersecurity maturity

In today’s digital world, an effective cybersecurity programme is an organisation’s strongest defence. However, cybersecurity maturity still varies significantly among companies. The majority of HLB survey respondents feel somewhat prepared to respond to a severe cyber-attack, but nearly 20% report being somewhat unprepared and 6% not ready at all.

Businesses with a low cybersecurity maturity level are likely to have undersized teams with skill gaps, unpredictable processes and poor systems; whereas, those with medium maturity have improved systems but lack consistent measurement and monitoring.

In contrast, those with higher cybersecurity maturity usually have formalised policies in place, uniformly measure and monitor risks and meet regularly with cyber professionals to evaluate the security technology and processes.

You can develop a pathway to cybersecurity maturity by following the framework of the National Institute of Standards and Technology (NIST), which provides guidelines and best practices to help organise and improve your cybersecurity program:

1. Identify

Start by listing all software, data and equipment used, followed by developing and sharing a company cybersecurity policy. Have discussions with various departments, outline the steps you currently take to protect against an attack and clarify employee roles and responsibilities. This procedure gives you a high-level view of how employees, systems and processes interact.

2. Protect

The focus here is on minimising the impact of an attack. Start by reviewing the list of assets you identified in the first part of the framework and prioritise them, in order to help you focus your cybersecurity efforts on the most important assets first.

3. Detect

Companies must implement various controls to catch and analyse anomalies and events, including continuous security monitoring and detection. Here, it is key to establish a baseline, perform vulnerability scans and set alert thresholds.

4. Respond

Almost half of HLB respondents reported an increase in cyber-attacks, which resulted in business disruptions and loss of data and intellectual property. However, more than half of small and mid-sized companies do not have an incident response strategy. You should develop a response plan which outlines the immediate steps to contain the attack and keep your business operational, details your investigation and elimination methods, and identifies how to alert those involved. It is essential to test your response plan regularly by running practice drills.
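The "Detect" step above asks for a baseline, vulnerability scans and alert thresholds but does not show what a baseline actually looks like in practice. The following is an added example, written for this page and not code from HLB, Hazlewoods or NIST: a small Python detector that learns a per-hour baseline of failed logins from a quiet historical window, derives an alert threshold from it (mean plus three standard deviations, with a floor so a near-silent baseline does not page on a couple of mistyped passwords), and flags hours in a later window that exceed it. The log format, the host name and every log line are constructed sample data; a real deployment would feed it the organisation's own authentication logs.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Assumed line shape (a constructed, syslog-like format, not something the article specifies):
# "<YYYY-MM-DDTHH:MM:SS> <host> sshd: <message>"
LINE_RE = re.compile(
    r"^(?P<hour>\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2} (?P<host>\S+) sshd: (?P<msg>.*)$"
)


def hours_in_days(days):
    """Hour keys 'YYYY-MM-DDTHH' for every hour of the given 'YYYY-MM-DD' days."""
    return [f"{d}T{h:02d}" for d in days for h in range(24)]


def hourly_failures(lines, hours):
    """Count 'Failed password' events per hour; hours with no event count as 0,
    so quiet periods pull the baseline down instead of being ignored."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # malformed line: skip it, never let it crash the detector
        if m.group("msg").startswith("Failed password"):
            counts[m.group("hour")] += 1
    return {h: counts.get(h, 0) for h in hours}


def build_baseline(counts):
    """Mean and population standard deviation of the hourly counts."""
    values = list(counts.values())
    return mean(values), pstdev(values)


def alert_threshold(baseline, sigmas=3.0, floor=10):
    """Alert above mean + k*sigma, but never below `floor`, so that a baseline
    with almost no failures (sigma close to 0) does not alert on trivial noise."""
    mu, sigma = baseline
    return max(floor, mu + sigmas * sigma)


def detect(counts, threshold):
    """Hours whose failed-login count exceeds the threshold, oldest first."""
    return sorted((h, c) for h, c in counts.items() if c > threshold)


def failed_lines(hour, n, host="vpn-gw01"):
    """Construct n sample failure lines inside the given hour (sample data only;
    the host name and the 198.51.100.0/24 documentation range are placeholders)."""
    return [
        f"{hour}:{i % 60:02d}:00 {host} sshd: Failed password for admin from 198.51.100.{i % 250 + 1}"
        for i in range(n)
    ]


def run_example():
    # Baseline window: three quiet days with a handful of scattered failures (constructed).
    baseline_hours = hours_in_days(["2022-11-14", "2022-11-15", "2022-11-16"])
    history = (failed_lines("2022-11-14T09", 2) + failed_lines("2022-11-14T14", 1)
               + failed_lines("2022-11-15T10", 3) + failed_lines("2022-11-16T11", 1))
    baseline = build_baseline(hourly_failures(history, baseline_hours))
    threshold = alert_threshold(baseline)

    # Detection window: one day containing a burst at 02:00, some normal noise,
    # one successful login and one malformed line that the parser must tolerate.
    day_hours = hours_in_days(["2022-11-21"])
    today = (failed_lines("2022-11-21T02", 40) + failed_lines("2022-11-21T03", 2)
             + failed_lines("2022-11-21T09", 6)
             + ["2022-11-21T09:05:00 vpn-gw01 sshd: Accepted password for alice from 203.0.113.7",
                "garbage line that does not parse"])
    alerts = detect(hourly_failures(today, day_hours), threshold)
    return {"baseline": baseline, "threshold": threshold, "alerts": alerts}


if __name__ == "__main__":
    result = run_example()
    mu, sigma = result["baseline"]
    print(f"baseline mean={mu:.3f} stdev={sigma:.3f} threshold={result['threshold']}")
    for hour, count in result["alerts"]:
        print(f"ALERT {hour}: {count} failed logins (threshold {result['threshold']})")
```

With the constructed data the baseline is roughly 0.1 failures per hour, so the floor of 10 is what sets the threshold, and only the 40-failure hour is reported; the six failures at 09:00 and the successful login are correctly left alone. The design choice worth noting is that quiet hours are counted as zero rather than omitted: a baseline built only from hours that had events would be biased upwards and would hide exactly the bursts the Detect step is meant to catch.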

Invisible threats to cybersecurity are all around us, waiting for a human error or unpatched weakness. Being prepared is key to withstanding these sophisticated attacks, and a robust security posture safeguards your organisation.

For international business enquiries, please contact Scott Lawrence on scott.lawrence@hazlewoods.co.uk or 01242 680000.

Scott Lawrence
Partner, Audit and Assurance