The Deloitte 2023 Global Future of Cyber Survey identifies enhancing risk management as important to the success of the organisation globally (51%) and in Asia Pacific (44%).
The study noted that high-performing, cyber-mature organisations are fully implementing actions that are important for cyber hygiene, including an operational and strategic plan, an action plan to continuously improve the organisation’s information security, and a cyber risk program to monitor and track the security posture of partners and suppliers.
Scott Sayce, global head of cyber at Allianz Global Corporate & Specialty and group head of the Cyber Centre of Competence, says AGCS' risk assessment experience shows that a number of companies still need to improve areas of cyber hygiene such as frequency of IT security training, cyber incident response plans and cyber security governance."
Drawing from its annual risk barometer 2023 report, Allianz is adamant that organisations with good cyber maturity are better equipped to deal with incidents. "It is not typical to see companies with strong cyber maturity and security mechanisms suffer a high frequency of ‘successful’ attacks. Even where they are attacked, losses are usually less severe.”
Most pressing cybersecurity risks today
Reflecting on the 2023 State of the Phish Report, Yvette Lejins, resident CISO for Asia Pacific and Japan (APJ) at Proofpoint, says risks contribute to cybersecurity debt because of financial losses through data breaches, business disruption, and regulatory penalties.
"Additionally, they increase the complexity of managing security infrastructure, leading to costly investments in incident response, remediation, and compliance efforts," she added.
Overconfidence and complacency remain key concerns. In ExtraHop’s 2023 Cyber Confidence Index, less than a third of the 77% of respondents that identified cyber incidents stemming from outdated cybersecurity practices had any immediate plans to course correct.
"Despite the growing sophistication and boldness of attackers, we’re seeing a lack of urgency among organisations to improve their cyber hygiene," admitted Chris Thomas, senior security advisor for APJ at ExtraHop.
IDC forecasts that global spending on security solutions and services will reach US$219 billion in 2023 and climb to US$300 billion in 2026. Almost coincidentally, breaches and cyberattacks against public, private and individuals seem to continue unabated.
The IBM Security-Ponemon Institute Cost of a Data Breach Report 2023 estimates that the global average cost of a data breach at US$4.45 million in 2023.
There is some good news. We have as yet to see the same scale of exposed data in 2023 as had happened between 2013-2016 when over 3 billion user accounts were stolen following a breach at Yahoo.
With CFOs and business leaders potentially asking for greater clarity on where budgets are being apportioned, topics like technical debt and cyber debt are gaining visibility. Leijins warns that cybersecurity debt poses significant financial and reputational risks for organisations, and can result in financial losses, data breaches, and regulatory fines.
"Proactive investment in robust cybersecurity measures is crucial. Alignment between CISOs and Boards is vital to avoid problems arising from parallel agendas and missed priorities," she added.
"Neglecting technology debt and focusing solely on future-driven initiatives can also lead to detrimental outcomes, so managing cybersecurity debt is essential to safeguard finances and a company’s reputation."Yvette Leijins
For his part, ExtraHop's Thomas suggests that cybersecurity debt can be managed over the long term by enabling efficient audits and ensuring programs run on current configurations. He believes this is achievable, but businesses must look at how they can continuously monitor their networks.
He cites the rising use of network detection and response (NDR) to mitigate the inherent risks of continuous digital transformation by extending visibility and enhancing the functions of other tools through integrated security.
"Cybersecurity debt can be managed over the long term by enabling efficient audits and ensuring programmes run on current configurations. This is achievable, but businesses must look at how they can continuously monitor their networks," Thomas explains.
Asked how businesses can balance the need for cybersecurity investments with other operational and financial priorities, Leijins suggests adopting modern compliance solutions.
She opines that the exponential growth of data necessitates a compliant, cost-effective, and long-term approach to secure sensitive information. She posits that regulatory requirements demand adherence to avoid hefty fines and reputational damage while investing in intelligent compliance solutions brings advantages like resource optimisation, cost reduction, streamlined processes, and improved customer service.
"By consolidating this data, businesses can enhance search capabilities, eliminate duplicate records, and provide better customer experiences. Compliance should no longer be seen as a mere checkbox but as a strategic tool to protect against risks, gain a competitive edge, and ensure brand integrity, Leijins concludes.
Preparing against future risks
The rising popularity of generative AI, spurred by a growing library of ChatGPT use cases, is raising alarm bells in some sectors of the cybersecurity community. A Malwarebytes survey reveals 81% of surveyed respondents expressing concern about possible security and safety risks associated with the use of ChatGPT.
Thomas says attackers can use this (ChatGPT) technology to trick users or develop more elusive variants of malware. He also cites the risk of proprietary data and sensitive information falling into the wrong hands because they are shared with generative AI tools.
He suggests the use of platforms that are equipped to audit employee use – or potential misuse — come in handy.
"Integrating machine learning into cybersecurity can help organisations stay ahead of these risks, as the algorithms enable swift detection and empower smarter responses through context-driven insights."Chris Thomas
Risks, however, are not limited to emerging technologies. Citing data from Proofpoint’s 2023 Human Factor report, Leijins says cloud threats have become pervasive, with 94% of cloud tenants targeted monthly by precision or brute-force attacks, comparable to email and mobile vectors.
She cites an alarming rise of MFA bypass techniques, widespread use of telephone-oriented attack delivery (TOAD), use of social engineering tactics to deceive victims over the phone, evolving tactics among cybercriminals, and an increase in the number of conversational attacks.
"Businesses must stay vigilant, adopt robust security measures, and provide ongoing security awareness training to protect against these evolving risks," concludes Leijins.