As the scale and diversity of threats increase, resilience is paramount. As the new Forum Global Cybersecurity Outlook 2024 reveals, few organizations are sufficiently robust enough to call themselves cyber-resilient confidently. Furthermore, as the risks and technology that create and combat cyber threats increase, a yawning gap is growing between the well-resourced and skilled large organizations and their small and medium-sized enterprise counterparts.
Fortunately, there are several ways that businesses can improve their cyber resilience, and if addressed systemically, these will result in a far more robust cyber ecosystem.
Complex trajectory
The state of the sector’s health paints a mixed picture, with long-standing threats, such as malware, continuing to develop alongside new and increasingly diverse risks, illuminated by the report. In the past five years, the number of malware families and their variants that have infiltrated at least 10% of global organizations has doubled. Coupled with the growing inequity in cyber resilience, driven by the high cost of the necessary tools and talent and the early adoption of cutting-edge technology by the sector’s largest organizations, this presents unprecedented challenges.
These are complex problems that require sector-wide attention. Unfortunately, at the same time, other risks are either appearing or morphing. Emerging technology is an example, particularly the growing use and development of generative artificial intelligence (AI). This advancement is increasing the complexity of attacks and adversarial capabilities to do things that defenders are already combatting, like phishing.
We enter 2024 with a difficult risk outlook, which geopolitical tensions threaten to exacerbate. Our research reveals that 70% of cyber leaders cite geopolitical concerns as at least moderately influencing their organization’s cybersecurity strategy. It is a year in which 45 countries are set to hold general elections – including India, the United Kingdom and the United States – which, taken together, account for 50% of the world’s gross domestic product. That will heighten the risk profile, with generative AI exacerbating existing problems with disinformation, misinformation and social media platform manipulation.
A talent dearth
But it’s not just the new risks that concern cyber experts. Our research revealed the problems they face in securing older systems and legacy technology, which, for 44% of respondents to our survey, was the greatest obstacle to attaining cyber resilience.
A long-running problem for the sector has – and continues to be – a skills and talent shortage, and instead of the gap narrowing, our report suggests that it’s widening at an alarming rate. Almost 80% of those surveyed revealed that their organizations lack cyber teams with sufficient skills to achieve their cybersecurity objectives.
These challenges fundamentally undermine the entire cyber ecosystem, reflecting the sector’s interconnected nature. But there is hope. The critical shift that needs to occur is an improvement in cyber resilience and our research has shown five tangible measures businesses can take to improve it.
Resilience is developed step by step. There are a lot of composite parts and no quick fixes to ensure a robust line of defence. The first step is to prioritize cyber risk. That may seem obvious but given the spectrum of threats businesses face, cyber risk can slip down the agenda. It is, however, paramount that organizations regularly assess and prioritize cyber risk. Our research uncovered a positive trend in this respect – the increasingly common practice of incorporating cyber resilience into organizational risk management.
Culture of resilience
There are a lot of experienced cyber experts in the field and the best advice we discovered during our research was that even in the face of emerging technological risks, there is a need to maintain focus on tried and tested cyber resilience practices. In doing so, those in the field find that threats can be detected and mitigated early.
As a companion to this is step two – develop cyber governance. Undoubtedly, wisdom is accrued, and many organizations have prudent cyber resilience practices that are reaping dividends. Best practices need to be shared and institutional knowledge developed. In this respect, cyber resilience and CEO trust are symbiotic. Our survey found that 93% consider their organizations to be leaders in the field and trust their CEOs to speak externally about their cyber risk. This finding underscores the importance of support for cyber strategy and plans at the C-suite level.
The third step is the need to cultivate a culture of resilience. Regular training and awareness raising are paramount to improving organizational culture, as is buy-in. Everyone in an organization must understand the risks stemming from our interconnected digital economy. In-house, companies should seek equitable access to the right priorities, talent, technology, security tools and organizational culture. Externally, businesses must work with partners to robustly assess and address supply chain risk.
This brings us to our fourth element – encouraging systemic resilience and collaboration. Indicators for cyber resilience include the quality and quantity of collaborations. This element not only refers to the extent to which organizations understand their supply chain cyber risk but also the clarity and effectiveness of regulations and the accessibility and maturity of levers, such as cyber ratings or cyber insurance. Positive outcomes in all these areas create resilience, the opposite of fragility.
Cybersecurity by design
Finally, organizations must ensure that design supports cyber resilience. Typically, a mix of convenience, the opportunity to use new technology to accelerate a business’s prospects and the very human trait of fearing that being left behind tempts organizations to introduce new technology faster and with less security than is prudent. One way to tackle this is to shift the economic incentive structure for innovators.
Increasingly, governments are calling on technology manufacturers and service providers to create products that have security built in from the outset and can be kept secure for their lifecycle. Such security-by-design is feeding through into programmes and regulations like the European Union’s proposed Cyber Resilience Act, with further activity expected in this area.
All signs are that 2024 will be another challenging year, but progress can be made by shifting practices and pursuing cooperation and best practice sharing. Notably, the challenges are systemic, which points to the need to secure the commitment and engagement of every stakeholder. The upside to this is that as the momentum to address the sector’s challenges and risks collectively develops, an increasingly resilient cybersecurity ecosystem benefits everyone.
