A Comprehensive Approach to Cyber Resilience
As data becomes more critical in supporting business units and functions — and as cyberthreats grow — the responsibility for keeping that data safe must expand beyond IT.
It’s hard to imagine a more challenging year than 2020 for data security. The pandemic meant that millions of employees worldwide were suddenly working from home. More severe cyberthreats — some from highly sophisticated state actors — threatened company databases. And at a regional level, natural disasters disrupted operations and supply chains.
To gauge how organizations responded to this perfect storm of cyberthreats, we interviewed 57 technology leaders during the second half of 2020, including CIOs, chief information security officers, chief data officers (CDOs), and other business leaders in public- and private-sector organizations. The key insight from that research is that cyber resilience — the ability to withstand unanticipated disruption — is no longer exclusively the responsibility of IT functions. Rather, as data becomes more pervasive across company operations and functions in improving business performance, organizations need a comprehensive approach to cyber resilience. Specifically, they need a clear plan for how to manage all aspects of data and cross-functional responsibilities for keeping that data safe.
Disruptions Continue to Grow
Most organizations were unprepared for the pandemic and the resulting shift from physical offices to working from home. Companies allowed business and function leaders to make piecemeal, ad hoc arrangements to suit the needs of their teams. As a result, IT and security teams often did not know which devices were being used by employees, the applications that were on those devices, whether they had appropriate security patches, the security of Wi-Fi connections, or the prevalence of other connected devices, such as gaming consoles and smart home devices.
The resulting free-for-all — implemented for the sake of continuing business operations — led to an exponential increase in cyber risk. Cyberattacks rose 400% in 2020 compared with previous years, primarily due to nefarious players exploiting ill-secured virtual work environments and IT infrastructures that had been adapted on the fly. [1] On average, these attacks cost businesses hundreds of thousands of dollars to address (but often far more) and are a factor in many small and medium-sized enterprises going out of business. [2] Even with U.S. company losses due to cyberattacks nearing a reported $1 trillion by late 2020, a survey of nearly 1,000 organizations found that only 44% had cyber preparedness and incident response plans in place.
References
1. Insights on cyberattacks during the COVID-19 pandemic were derived from Federal Bureau of Investigation, “Cyber Actors Take Advantage of COVID-19 Pandemic to Exploit Increased Use of Virtual Environments,” Alert No. I-040120-PSA, April 1, 2020, www.ic3.gov; and M. Miller, “FBI Sees Spike in Cyber Crime Reports During Coronavirus Pandemic,” The Hill, April 16, 2020, https://thehill.com.
2. S. Steinberg, “Cyberattacks Now Cost Companies $200,000 on Average, Putting Many Out of Business,” CNBC.com, Oct. 13, 2019, www.cnbc.com.