Business Case for Cybersecurity in an Enterprise

According to Cybersecurity Ventures, global cybercrime damages will cost $6 trillion by 2021, and cybercrime has increased by 67% in the last five years. In the US, a hacker attacks every 39 seconds, and ransomware attacks have a growth rate of 3.5x. After a breach, the average share price falls 8%, and the FBI has reported a 300% increase in cyberattacks after COVID-19.

Organisations of all sizes and types in every industry have experienced cyberattacks. These include ridesharing company Uber, shipping giant Maersk, credit rating agency Equifax, internet giant Yahoo, hotel chain Marriott and financial institutions such as Capital One. The major threats include phishing attacks, cloud vulnerabilities, ransomware and IoT-based attacks, and cybercriminals focus on the distortion, disruption and deterioration of IT infrastructure. From the above cases, it is evident that the failure to protect systems, people and processes results in the loss of competitive information, confidential data and public trust, as well as reputational loss.

Cybersecurity encompasses the processes, technologies and practices that protect people, systems, applications, devices, networks and data from attack and unauthorised access. Because organisations depend on information systems to collect, store and analyse data for various business functions, the success of an organisation depends on the health of its IT capabilities. Good cybersecurity is crucial to protect an organisation's IT resources and keep its operations running without disruption. To ensure integrity, availability and confidentiality, it is vital that information systems and information are protected from unauthorised access and intrusion by third parties.

In recent times, cyberattacks have become more sophisticated, and attackers employ new methods powered by artificial intelligence and social engineering to circumvent single layers of security such as antivirus and firewalls. The different types of cybersecurity threats in an organisation are malware (viruses, spyware and Trojan horses used to damage or gain access to systems), social engineering (human interaction to trick users into breaking security procedures), ransomware (denial of service attack), man in the middle (messages encrypted before being received by the recipient) and phishing scams (fraudulent emails to steal sensitive data), as shown in the diagram below.

An effective cybersecurity policy and strategy enables organisations to coordinate security efforts throughout their IT infrastructure. Combining traditional cybersecurity technologies such as antivirus, firewall and IPS, as shown in the diagram below, with emerging techniques such as behaviour analytics, two-factor authentication, virtual dispersive networks and blockchain allows organisations to secure networks, applications and data.

A lack of focus on cybersecurity can cause damage and loss in numerous ways, such as:

  • Economic cost: This includes loss of Intellectual Property (IP) and confidential information, disruption to operations, loss of revenues and increased cost of capital to repair IT infrastructure.
  • Reputation damage: This includes loss of customer trust and confidence, loss of existing and potential future customers and negative publicity in the media.
  • Regulatory costs: This includes litigation fees and regulator fines as a result of cybercrimes.

However, sound cybersecurity delivers a number of benefits for an organisation, such as protection of data and networks, protection against malware and phishing attacks, effective cybersecurity training and vigilance, and prevention of unauthorised access. The additional benefits include:

  • Increased productivity: Effective security arrangements tackle threats and maximise business potential.
  • Protection of customers and business: Cybersecurity protects customers' data and prevents data breaches. Moreover, cybersecurity solutions ensure that business processes and employees are not at risk from cyberthreats.
  • Increased stakeholder trust and confidence: For customers, increased security ensures that personal information is secured and they can confidently conduct business with the organisation. For investors, cybersecurity assures the continuity of operations, and the business is less likely to incur losses in the event of cyber-attacks.

A starting point for cybersecurity implementation in an organisation is a cybersecurity risk assessment. The National Institute of Standards and Technology (NIST) provides useful frameworks for organisations to conduct risk assessment in real-time. A cybersecurity risk assessment includes the identification, evaluation and prioritisation of an organisation's risks. This enables decision-makers to identify and implement cybersecurity measures. The range of questions includes:

  • What are the most important IT resources, and what is the nature of the cyber risks associated with the IT infrastructure?
  • What are the internal and external vulnerabilities and the risk tolerance capacity of the organisation?
  • What are the data breach risks and how can a data breach affect business operations?

Cybersecurity is a long-term investment, and skipping out on it presents major risks and costs for an enterprise. Cybersecurity increases business value through protection of assets, increased trust and confidence of stakeholders, and productivity in an organisation. However, a lack of investment in cybersecurity means businesses and business units are vulnerable to internal and external cyber threats that could result in significant economic and reputation risks.
