When it comes to the various aspects of cybersecurity that are of crucial importance to all organisations, these can ultimately be boiled down to five Cs — namely: change, compliance, cost, continuity and coverage. We speak to experts in the field who outline the significance of each.
Change
Just like in life, nothing in information technology (IT) stays the same. IT changes all the time, says David McNamara, chief executive of CommSec. “Different applications are developed and different businesses have different requirements, which also change over time; nothing ever stays still,” he says. “In terms of cybersecurity and change you have to have solutions, controls and governance in place in terms of the risks that your business faces, and you have to be able to have a resilient cyber infrastructure to be able to adapt to those changes.”
Cyber threats are more than capable of adapting to these changes. “Every day, new applications are built, containers are set up, and malicious actors craft new skills and use artificial intelligence-based tools to attack these environments,” says Vaibhav Malik, partner with Deloitte. “Therefore, even if it were possible to assess the organisation’s security posture with absolute certainty, the results would quickly become obsolete due to the organisation’s highly dynamic operating environment and risk profile, which are constantly changing.”
Compliance
“Compliance is a big part of security, with GDPR, Central Bank requirements, and Dora [Digital Operational Resilience Act] coming down the track,” says McNamara, who explains that businesses must be able to prove they have adequate controls in place to ensure cybersecurity under these obligations.
Yet compliance requirements can be detrimental to organisations if they are relied on as the primary source of security measures without critical evaluation and consideration of the organisation’s context, says Malik. “While security frameworks, best practices, standards, and the like are unquestionably valuable, their value is derived from the security team utilising them as instruments to improve their work, not as to-do lists. What counts is how security steps are put into place for ‘defence in depth’, and if they come from thoroughly understanding the threat profile and cyber metrics.”
Cost
Investing in cybersecurity protection may not be cheap, but protection from a hugely financially and reputationally damaging data breach is priceless, McNamara says.
“Depending on your business and the type of data you are trying to protect, whether it is financial data, whether it is health data, even if it is PII [personally identifiable information] belonging to clients, cost is all relative,” he says. “When it comes to your brand and your reputation, what is the cost you would put on that if you suffered a cyber attack?”
The key, McNamara says, is to invest wisely, using a recognised framework like ISO 27001. “By complying with this, you can reduce that potential cost of suffering an attack.”
Continuity
Business continuity planning is a major element of recovering from a cyber attack or any sort of crisis in the business. A cyber attack can be hugely disruptive but proper continuity plans will minimise any downtime, says McNamara. “With a ransomware attack, the controls you have put in place in terms of continuity will allow your business to still function. It means having back-ups that are encrypted with multifactor authentication so that you can recover quickly and test the continuity plans you have put in place.”
“Compliance should be layered on top of security that functions independently to protect the organisation, its assets, and continuity,” adds Malik.
Coverage
Businesses are increasingly heavily exposed to cyber attackers, says McNamara. “The IT estate has gone from ‘bring your own device’ to a centralised and distributed network — there is hybrid working, and a whole plethora of IT applications, controls and functions and hardware that you have to maintain,” he says. “You are talking about protecting anything that connects to the internet, any and every application you are using for your business, particularly when they are holding sensitive data.”
Malik agrees, saying that proper investment in broad cybersecurity protection is always necessary. “When businesses sacrifice their security in favour of compliance or only implement what is required by a particular framework or regulation, they not only fail to establish a strong security posture but also make it simpler for attackers,” he explains. “Without context-based coverage and prioritisation, companies can waste a lot of time and suffer higher costs by looking for security holes that are unlikely to cause a security breach.”