By Rafi Brenner, Vice President, Information Security, Fortinet
Cybercrime tactics such as phishing and social engineering, commonly used to infect critical systems with malware or ransomware, have reached epidemic levels. And there are no signs of it slowing down. According to Statista, the global cost of cybercrime is expected to increase by nearly 70% over the next five years, growing to $13.82 trillion by 2028.
Cyber incidents can damage corporate operations, brand reputation, trust and financial conditions. They can cripple revenue-generating and service-delivery processes and materialize into legal and regulatory fines, adversely impacting a company's financial performance and valuations. And in cases in which critical infrastructures are involved, those risks can also affect the environment and even put human lives at risk. As a result, the World Economic Forum’s latest report on global risks ranks cyber as the most significant sustainability risk to businesses, along with climate change, reaffirming why cyberthreats and cybersecurity governance have become top issues for regulators and corporate boards alike.
Growing Cyber Risk Has Led to Increased Oversight
The widespread concerns about cyber risks and cybersecurity have led to heightened attention from regulators. Data privacy and breach notification laws were enacted in the United States in 2002. Even stricter regulations have been implemented in other regions, such as the General Data Protection Regulation (GDPR) enacted by the European Union in 2016 and enforced since 2018 and the California Consumer Privacy Act (CCPA) of 2018. In addition, the U.S. Securities and Exchange Commission (SEC) recently adopted cybersecurity disclosure requirements, making it clear that cybersecurity is not just an IT issue. Instead, it is an integral component of a company’s broader enterprise-wide risk management structure. These rules require public companies to report material cybersecurity incidents and disclose their cybersecurity risk management strategy and governance, effectively shifting cybersecurity governance responsibilities from the CIO's and CISO's offices to the board of directors.
As regulators tighten compliance requirements, effective cyber-risk and cybersecurity governance programs must be implemented at the board level and include active engagement from the board and key corporate executives, such as the CIO, CEO, CFO, CSO and CISO. To achieve this, boards must show their expertise and oversight in ensuring appropriate leadership and strategies are in place to adequately manage cyber risks inside the organization. Senior leadership must be involved in cyber-risk governance to ensure that the companywide governance plan aligns with overall corporate objectives.
Addressing Cyber Risk Starts at the Top
Regardless of the organization’s structure, those at the top have a duty to understand and monitor the critical cyberthreats that could impact the organization. They need to oversee the strategies, policies and procedures required to adequately mitigate risks and ensure that there is a response plan to contain the impact of a compromise. They also need to ensure that they have systems to detect, investigate and eradicate an intrusion and to comply with contractual, legal and regulatory requirements. Once senior leadership is on board, a cyber-risk governance plan requires continuous assessments of the organization’s business operations. These cyber-risk assessments can help identify cybersecurity business risks and the organization’s cybersecurity gaps and vulnerabilities before they become a crisis.
A robust information security program should be anchored on a recognized security standard or framework, such as ISO and NIST. It also needs to be aligned with security and privacy regulatory requirements the organization is subject to and that are recognized by external stakeholders, such as PCI-DSS, HIPAA, NERC, CJIS, NIS2, GDPR, PIPEDA or CCPA. Pursuing information security certifications is essential to protecting data and providing assurances to customers and investors about the maturity of the organization's readiness to defend itself against evolving cyberthreats.
The endorsement of policies and procedures by management and setting a “tone from the top” are essential to fostering the adoption of new tools and behaviors critical to protecting the organization's key assets. Taking the time to define and educate on cybersecurity policies and objectives helps ensure that the entire organization understands the purpose of the security controls and that they are used correctly and consistently. Such policies are not static documents but require regular updates to reflect the evolving security posture of the business and the ever-changing cyberthreat landscape.
Building a Cybersecurity Culture at All Levels
Cybersecurity is a team sport. Any person in the organization can be a target or fall victim to a compromise through a phishing or social engineering campaign, accidentally misconfiguring or not patching a vulnerable system, or inadvertently developing code that a threat actor could exploit. Research from Fortinet’s 2023 Security Awareness and Training Global Research Brief revealed that 81% of organizations faced malware, phishing and password attacks last year that were targeted at individual users. It also showed that more than 90% of leaders believe that increased employee cybersecurity awareness would help reduce the occurrence of cyberattacks. Periodic training and ongoing awareness about the most common cyberthreats and techniques used by adversaries are essential to building a “human firewall” and preventing an initial breach.
Leading organizations implement robust cybersecurity awareness training, require software developers to be proficient in secure code development practices, and periodically exercise their members’ readiness to detect cyberthreats through simulated phishing campaigns, tabletop exercises to test incident response and implementing robust threat-hunting practices.
Developing a cybersecurity culture can take time, but active participation at all levels of the organization helps to ensure that all employees understand their significant role in the organization's defense against cyberthreats. Effective training helps users become proactive in risk mitigation and remediation. A mature cybersecurity culture creates a more cyber-resilient organization and helps keep you out of the headlines.
Cybersecurity Strengthens Business Resiliency
For too long, cybersecurity has been treated as a mere technology issue. It’s not. Cybersecurity must be seen as an enterprise risk-management imperative. Given the potential impact of cyber risks on business resiliency and increased regulatory requirements on the public and private sectors, it is now vital for organizations to demonstrate they have clear oversight, processes and procedures to prevent, detect and respond to cyberthreats.