A Comprehensive Approach to Cyber Resilience
As data becomes more critical in supporting business units and functions — and as cyberthreats grow — the responsibility for keeping that data safe must expand beyond IT.
Topics
It’s hard to imagine a more challenging year than 2020 for data security. The pandemic meant that millions of employees worldwide were suddenly working from home. More severe cyberthreats — some from highly sophisticated state actors — threatened company databases. And at a regional level, natural disasters disrupted operations and supply chains.
To gauge how organizations responded to this perfect storm of cyberthreats, we interviewed 57 technology leaders during the second half of 2020, including CIOs, chief information security officers, chief data officers (CDOs), and other business leaders in public- and private-sector organizations. The key insight from that research is that cyber resilience — the ability to withstand unanticipated disruption — is no longer exclusively the responsibility of IT functions. Rather, as data becomes more pervasive across company operations and functions in improving business performance, organizations need a comprehensive approach to cyber resilience. Specifically, they need a clear plan for how to manage all aspects of data and cross-functional responsibilities for keeping that data safe.
Get Updates on Innovative Strategy
The latest insights on strategy and execution in the workplace, delivered to your inbox once a month.
Please enter a valid email address
Thank you for signing up
Disruptions Continue to Grow
Most organizations were unprepared for the pandemic and the resulting shift from physical offices to working from home. Companies allowed business and function leaders to make piecemeal, ad hoc arrangements to suit the needs of their teams. As a result, IT and security teams often did not know which devices were being used by employees, the applications that were on those devices, whether they had appropriate security patches, the security of Wi-Fi connections, or the prevalence of other connected devices, such as gaming consoles and smart home devices.
The resulting free-for-all — implemented for the sake of continuing business operations — led to an exponential increase in cyber risk. Cyberattacks rose 400% in 2020 compared with previous years, primarily due to nefarious players exploiting ill-secured virtual work environments and IT infrastructures that had been adapted on the fly.1 On average, these attacks cost businesses hundreds of thousands of dollars to address (but often far more) and are a factor in many small and medium-sized enterprises going out of business.2 Even with U.S. company losses due to cyberattacks nearing a reported $1 trillion by late 2020, a survey of nearly 1,000 organizations found that only 44% had cyber preparedness and incident response plans in place.
References
1. Insight on cyberattacks during the COVID-19 pandemic were derived from Federal Bureau of Investigation, “Cyber Actors Take Advantage of COVID-19 Pandemic to Exploit Increased Use of Virtual Environments,” Alert No. I-040120-PSA, April 1, 2020, www.ic3.gov; and M. Miller, “FBI Sees Spike in Cyber Crime Reports During Coronavirus Pandemic,” The Hill, April 16, 2020, https://thehill.com.
2. S. Steinberg, “Cyberattacks Now Cost Companies $200,000 on Average, Putting Many Out of Business,” CNBC.com, Oct. 13, 2019, www.cnbc.com.
3. Z.M. Smith, E. Lostri, and J. Lewis, “The Hidden Cost of Cybercrime,” PDF file (McAfee and the Center for Strategic and International Studies, December 2020), www.mcafee.com.
4. “Joint Statement by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA),” Cybersecurity & Infrastructure Security Agency, Jan. 5, 2021, www.cisa.gov; S. Wilson, “CISA Updates Guidance on SolarWinds Compromise,” FedScoop, Jan. 7, 2021, www.fedscoop.com; and N. Bomey and K. Johnson, “What You Need to Know About the FireEye Hack: Cybersecurity Attack Against US Government.” USA Today, Dec. 14, 2020, www.usatoday.com.
5. VAULTIS (visible, accessible, understandable, linked, trustworthy, interoperable, and secure) is the data strategy mantra and name of the U.S. Air Force Chief Data Office’s data management platform. Information provided by U.S. Air Force chief data officer Eileen Vidrine, interview with authors, Jan. 12, 2021. For additional details, see L.C. Williams, “USAF Primed to Launch New Phase of Data Strategy,” Federal Computer Week, Nov. 30, 2020, https://fcw.com.
6. J. Modini, T. Lynar, E. Sitnikova, et al., “Applications of Epidemiology to Cybersecurity” (paper presented at the European Conference on Cyber Warfare and Security, Chester, U.K., June 25-26, 2020); and “What Is Network Segmentation?” Cisco, accessed Feb. 24, 2021, www.cisco.com.