Cybersecurity measures aren’t enough to stem the wave of breaches

21 Jan 2019

Article by Tenable A/NZ country manager Bede Hackney.

2018 was a milestone year for data security and privacy. The rollout of legislative frameworks, such as the Notifiable Data Breach Scheme and the General Data Protection Regulation, brought to light the endless wave of cyber attacks confronting businesses every day. 

A recent report by the Ponemon Institute on behalf of Tenable found that 60% of organisations represented in the study say they have suffered two or more business-disrupting cyber events in the last 24 months alone. More than 2,400 IT and IT security practitioners in the US, UK, Germany, Australia, Mexico and Japan were surveyed. In tandem with this, the Office of the Australian Information Commissioner revealed over 245 breaches were reported from July to September, signaling current security approaches are failing to keep pace with the surge of attacks.

The unfortunate reality is that the majority of Australian businesses aren’t able to quantify the business cost of this cyber risk, relying on outdated metrics which leave them exposed.

It’s high time to shore up measurement

With cyber security increasingly being elevated to the C-level, it is imperative that your plan is presented and endorsed by the C-suite and the board. However, less than half of Australian respondents (48%) measure and, therefore, understand what cyber risks are costing their organisations, leaving the C-suite and board confused about how to navigate risk and remediation strategies.

Traditional KPIs for evaluating business risks are insufficient for understanding cyber risk, as they fail to factor in the business cost, lack strategic direction and don’t offer any insight as to how businesses prioritise risk. This is hindering the ability of CISOs to make informed decisions about the allocation of resources, leaving businesses vulnerable.

While most organisations are aware of the more important KPIs used to measure the business impact of a cyber attack, there is a clear gap in the use and importance of non-security measures such as loss of revenue and productivity, as well as impact on share price. While conventional wisdom suggests a decline in stock price would be a major consideration in quantifying the risk of a cyber attack, it worryingly isn’t a prevalent factor for most businesses.

Ride the wave through actionable insights

In the face of a rapidly evolving attack surface, new approaches to measuring cyber risk are needed to allow businesses to accurately quantify the consequences of cyber attacks. To fully understand your organisation's level of cyber exposure, a holistic approach is required to understand the entirety of your attack surface. This includes identifying the business operations and assets most vulnerable to cyber attacks, including OT and IoT assets.

Once you’ve got a grasp of the area you’re trying to defend against and where the danger lies, detailed threat intelligence is needed to prioritise remediation efforts. As the endless wave of threats continues, security teams don’t have the resources to guess which vulnerabilities need to be remediated first. 

Tenable’s recent Vulnerability Intelligence Report revealed an enterprise uncovers 870 vulnerabilities per day across 960 assets, on average. And of those, more than 100 vulnerabilities are rated as critical. There is a clear onus on CISOs to implement security strategies which allow them to understand and prioritise vulnerabilities based on their potential impact on business operations. 

Master the tides 

Cybercrime is relentless, undiminished and unlikely to stop. To keep pace, CISOs must adopt new approaches to accurately manage, measure and reduce cyber risk. Implementing a robust vulnerability management program will empower security executives to confidently visualise, analyse and measure the business cost of cyber risk. Doing so will close their cyber exposure gap and ensure they’re in the best position to stem the rising tide of data breaches. 
