• Saturday, April 20, 2024
BusinessDay

Rising cybersecurity poses threat to organisation’s growth – PwC

A report from PricewaterhouseCoopers titled “PwC’s annual Global Digital Trust Insights Survey” has shown that one in four companies (27 percent) globally has suffered a data breach that cost them $1-20 million or more in the past three years.

Despite cyber-attacks continuing to cost businesses millions of dollars, fewer than 40 percent of executives surveyed say they have fully mitigated cybersecurity risk exposure in a number of critical areas.

Gbolabo Awelewa, CTO and country manager, Infoprive Group, said, “Executives need to know they can’t fully mitigate cybersecurity risks. They can only put controls to minimize the impact of cybersecurity risks on their business, and this is a continuous effort, cybersecurity has to be part of their strategic objectives year-on-year (YoY).”

According to him, these critical areas include the development and operationalisation of a robust cybersecurity program, which is preceded by the critical task of employing a Chief Information Security Officer who is solely responsible for driving security operations to protect the business.

Another is establishing the practice of frequently carrying out cybersecurity risk assessments. He said, “This will consistently help organizations uncover potential gaps in your organization’s security controls. A risk assessment can offer insight into the assets that need to be protected and the security controls currently in place. Conducting a cybersecurity risk assessment can also help the organization’s Security operations team identify areas of vulnerability that could be potentially exploited and prioritise which vulnerabilities should be remediated first.”

Similarly, Moh-Kabir, a cybersecurity enthusiast, said one key area organisations need to focus on is investing heavily in their security infrastructure and personnel.

Moh-Kabir added that organisations should also focus on investing in training and employee awareness. He said, “Cybersecurity awareness and training is the most underrated area and the most cost-effective. Over the years, human errors have been a major source of cyber-attacks.”

Also, Ayobami Okeleye, an information and cybersecurity analyst, said a defence-in-depth approach should be used to protect an organisation’s assets. This is a multi-layered approach in which a series of defensive mechanisms are layered to protect valuable data and information; if one mechanism fails, another steps up immediately to thwart an attack.

“Regular backup for important information should be adopted. Sometimes data breaches can result in data loss; when this happens and there is no backup, it could result in operational disruptions that could cost the organisation a lot of lost revenue,” he said.

The report further disclosed that nine in ten expressed concern about their organisation’s ability to withstand a cyber attack that disrupts their supply chain, with 56 percent extremely or very concerned.

However, Moh-Kabir explained that one of the easiest means attackers use is social engineering, which can be curtailed by proper employee orientation.

“Cyber-attacks are so dangerous that they can bring your business to a halt, leading to obstacles in business productivity. Therefore, it is important to invest in proper technology infrastructure to safeguard from cyber attacks,” he said.

In addition, Awelewa noted that, according to Security Intelligence, the following techniques can be put in place to reduce cyber attacks: keeping developers and system administrators updated on cyberattack risks, and making sure open-source development tools are visible and secure.

Others include adopting zero-trust security that treats all code and critical infrastructure as unsafe, building encryption into all applications (and for data at rest), and working with vendors and partners to plug third-party risks (third-party risk management), he said.

On the other hand, Okeleye stated that, in order to withstand these attacks, organisations need to recognise the supply chain threat landscape. No organisation should think it cannot fall prey to a cyber attack. Organisation leaders therefore need to understand the cyber threats posed by different parts of the supply chain, including technology, software and the life cycle of their products and vendors.

“Create a multifaceted supply chain security strategy. Cyber-attacks can take many forms, such as hijacking software updates, man-in-the-middle, distributed denial of service and injecting malicious code into legitimate software. Supply chain leaders need to be better coordinated with IT security and risk management leaders to understand the approaches they will use,” he said.

Okeleye said the first thing cyber-attackers do after breaching a defence is move laterally throughout the ecosystem in search of privileged accounts because privileged accounts can access sensitive resources.

While there is a clear preference for mandatory disclosure of cyber incidents, fewer than half (42 percent) of executives surveyed are fully confident their organisation can provide required information about a material/significant incident within the specified reporting period, the report said.

It also disclosed that there is a hesitance to share too much information – 70 percent said greater public information sharing and transparency poses a risk and could lead to a loss of competitive advantage.

Femi Osinubi, Risk Assurance Services Leader, PwC Nigeria said: “Data breaches are a pervasive threat in today’s digital world. As cyber threats continue to increase in frequency and sophistication, a holistic approach to cybersecurity has become a top priority for C-suites and boards. Companies are strengthening their cyber defences and regulators are applying pressure to improve cyber resilience and build public trust.”

“It’s clear from our survey that a higher level of public-private collaboration is needed to address the increasingly complex cyber threat landscape – companies are calling for increased information sharing and transparency as well as a consistent format for mandatory disclosure of cyber incidents,” he said.

According to the survey, the majority of executives said their organisations have continued to increase their cyber budgets – 69 percent said the budget increased in 2022, while 65 percent plan to spend more on cyber in 2023. Increasing budgets reflect the fact that cybersecurity tops the agenda for resilience planning.

Concern with cyber extends to the top of organisations. Most CEOs surveyed are planning to ramp up action to address cybersecurity in the coming year – 52 percent said they will drive major initiatives to improve their organisation’s cyber posture.

Commenting on initiatives for organisations to improve their cyber posture, Awelewa pointed to determining maximum risk tolerance and assessing key risks and impacts. He said, “Perfect security is an impossibility and organisations do not have unlimited resources. A sound risk management approach begins with a cybersecurity posture assessment of how much risk you are willing to assume and the key risks that jeopardize your business.”

“Vulnerability Assessment and Penetration Testing can help provide a clearer window into how adversaries are likely to target an organisation and the consequences should that targeting prove effective. Though Pen Tests can be said to be expensive and typically staged quarterly or even yearly. In a world where infrastructure changes come fast and furious (and new vulnerabilities crop up constantly), this lack of cyber posture visibility is a big problem,” he said.

He added that a strong security posture begins with the realisation that human error cannot be eliminated or permanently overcome. It must be managed, accommodated, and neutralized as best as possible through awareness, understanding, and behaviour-reinforcement training.


By Chinwe Michael
