Why cybersecurity for 2024 and beyond?

Having a cybersecurity strategy in place for your business has become more imperative now than ever. According to data from IBM, the average cost of a data breach in the United States is $9.4 million, with the average time to identify a cyberattack being 277 days. Customer data, employee data, intellectual property, and much more are greatly at stake and must be protected from attacks. In fact, it is estimated that 25 percent of cyberattacks are from ransomware, 24 percent of attacks render an organization’s systems inoperable, and 51 percent of attacks are directed at business partners and software supply chains.

Expected Cyber Threats in 2024

There are 10 anticipated cyber threats that we need to prepare for the most in 2024:

  • Phishing
  • Ransomware
  • Data Breach Extortion
  • Cloud Vulnerabilities
  • Business Email Compromise
  • Internet of Things (IoT)
  • Artificial Intelligence (AI)
  • Exposure Through Supply Chain
  • QR Code Phishing
  • Cyber Warfare

Cyberattacks can be motivated by a range of reasons, including criminal, political, personal or social motivations. Cybercriminals primarily target a business’s ability to make money.

Building a Strategy

The journey to developing a cybersecurity strategy looks like the following:

Understand Business Obligations

To build a thorough cybersecurity strategy, organizations must first understand which of their business assets most require protection, as well as what their specific threats and risks may be. Good questions to ask include:

  • What are the most important assets of the business, e.g., intellectual property, customer data, employee data, key services, etc.?
  • Where are these assets held, e.g., in the cloud, on on-premises servers, on laptops, in SaaS systems, etc.?
  • What is the financial impact of a service disruption?
  • What is the environment your company operates within?
  • Are you subject to any regulations?
  • What would an attacker gain from attacking your company?
  • What is the company’s tolerance to risk?
  • What could impact the company’s reputation?

Determine How Much You Would Spend

Your organization’s leadership should determine what they would realistically budget for a cybersecurity strategy, including development, training and implementation. Much of this will be determined by how you value your critical assets as well as the defined level of potential risk exposure.

Choose a Security Framework

Choose a security framework developed by experts to serve as the foundation of your cybersecurity strategy that will enable you to remain compliant while also remaining secure (acknowledging that compliance does not always equal security). Some examples of security frameworks include NIST and CIS. Choosing a security framework will also help you assess the maturity of your cybersecurity strategy over time against such a reputable framework.

Build a Roadmap

In order to build a roadmap, the following should be accomplished:

  1. Establish risk tolerances.
  2. Determine the impact of risk.
  3. Prioritize the biggest risks to your business objectives.
  4. Create a defined plan that addresses the aforementioned items.
  5. Set management targets to evaluate the plan’s maturity and effectiveness.

Assess Risk Tolerance Level

Using the following criteria, you can determine if the risk tolerance level at your organization is high, moderate or low.

  1. High Risk Tolerance
    1. Most likely your organization does not operate within finance, healthcare, technology, research or education industries.
    2. You have no compliance requirements.
    3. You do not have sensitive data.
    4. Clients do not expect you to have strong security controls.
    5. Innovation and revenue generation come before security, so more risk is accepted.
    6. Your organization does not have remote locations.
  2. Moderate Risk Tolerance
    1. Most likely your organization operates within the government, research and education industries.
    2. You have some compliance requirements (e.g., HIPAA, PCI, GDPR).
    3. You have some sensitive data and are required to retain records.
    4. Clients will eventually need strong security controls for their activities.
    5. Due to sensitive data, information security is more visible to senior leadership.
    6. Your organization has some remote locations.
  3. Low Risk Tolerance
    1. Most likely your organization operates within finance, healthcare, energy/utilities and technology industries.
    2. You have multiple compliance requirements and house sensitive data, such as medical records.
    3. Customers require and expect your organization to maintain strong security controls.
    4. Information security is highly visible to senior leadership.
    5. Your organization has multiple remote locations.

Determine Potential Business Impact

Collectively determine what the functional, informational and recoverability impacts would be due to a cyber disruption or breach. Consider these questions:

  • Is there a hard-dollar impact from downtime? This refers to when a business disruption directly impacts revenue or profits. For example, when online ordering shuts down, it affects sales and, therefore, revenue.
  • Is regulatory compliance a factor? Depending on the circumstances, vulnerabilities can be a violation of regulatory compliance that could cause significant fines.
  • Are any critical services dependent upon this asset? Functional dependencies are sometimes not obvious, and assets that appear insignificant can have huge impacts on critical services.
  • Is there a health or safety risk? Some operations are critical to health and safety. For example, medical organizations have operations that are necessary to ensure uninterrupted critical health services. An exploited vulnerability that impacts these operations can have life-and-death consequences.

Implement, Monitor and Maintain

Once your cybersecurity strategy is in place, continue to implement based on your policies and procedures while also monitoring and maintaining effectiveness.

  • Monitor progress and manage common challenges.
  • Update the cybersecurity strategy based on business changes.
  • Reassess at least annually.
  • Verify security and compliance are in place and operating effectively.