According to the World Economic Forum's report, cybersecurity failure now ranks as the fourth most significant risk globally, right behind infectious disease and extreme weather. Given such a prominent position, it is not surprising that even politicians step in and look for ways to curb organized cybercrime. The US president has threatened penalties for ransomware attacks in an attempt to cut the lucrative industry off from its revenue. But is government intervention or regulation really what it takes for businesses to operate safely?
The risk of falling victim to a ransomware attack is pervasive. According to the study "Ransomware in Focus", 70 percent of the CISOs surveyed expect ransomware extortionists to target them in the next 12 months. Given these alarmingly high numbers, the question is what consequences CISOs draw from the threat situation. Do these figures already give IT security officers enough leverage to reassess their security infrastructure and, on that basis, initiate the necessary investments?
In many companies, the digital redesign of the IT infrastructure has not yet been synchronized with IT security upgrades. Even where cloudification is being pushed ahead vigorously and applications are being relocated to multi-cloud environments at AWS, Google, and others, updating the security infrastructure is often treated as a secondary issue. It is not only the budget that is missing, but often the staff or the necessary prioritization. This is a dangerous omission: the redesign of the application landscape and the shift to hybrid workplace models should go hand in hand with the modernization of security, not only for performance reasons but because the exposure changes. Companies are still far too rarely aware of the attack surface they expose to the Internet through such restructuring.
Are Cybersecurity Regulations Hot?
On the one hand, the threat posed by ransomware is increasing; on the other hand, companies too often fail to take appropriate measures to strengthen their security posture. So it is not surprising that the call for regulation grows loud. As the highly regulated financial sector shows, banking operates to a very high security standard. Understandably so, because there not only reputation but also the safety of deposits is at stake. Nevertheless, it is precisely the requirements imposed by the authorities that can slow down innovation. Before modern technology can find its way into highly regulated industries, the regulations must first be evaluated and, if necessary, adapted: a slow process measured against the pace of cybercrime.
Another option for ensuring a higher security standard could be an external rating. An external organization responsible for assessing the risk of a company's existing security infrastructure can set various processes in motion. External pressure can be the impetus for companies to do their homework and grapple with assessing their security infrastructure. After all, which company would like to step in front of its stakeholders and present a bad security rating? Such a mechanism does two things: companies engage with the issue, and they prevent a bad rating by making appropriate security investments. Nobody wants to be responsible for a poor result that has to be explained to the CEO, along with its effect on the share price. Nor does anyone want to present a deficient security infrastructure in public, which could quickly draw the attention of attackers looking for prey. It is a justified fear that loopholes will emerge if the workings of an IT security architecture are disclosed.
On the other hand, there are scenarios where exactly this insight would be desirable. Today, security can make a decisive contribution to a company's business success. It can also, for example in the case of mergers and acquisitions, inform the purchase or sale decision, because nobody wants to take over a company whose IT network may already harbor dormant malware.
Even if such an external rating procedure could motivate the self-regulation of IT security, the approach is not without problems. A suitable catalog of criteria for evaluating an IT security infrastructure has to be drawn up. And, as with regulations, it will remain controversial whether the companies concerned then strive only for compliance with minimum requirements or for the maximum possible security. What does the mere presence of security technology say, anyway? Only if the tools are actually used, managed, and maintained correctly can meaningful conclusions be drawn about actual security. Covering such requirements with a point-in-time rating is a difficult undertaking. Even if there are already security ratings today,
Cyber Security Is A Top Priority
For one thing, a discussion about ratings, or the call for regulatory security requirements, is a good thing. It shakes decision-makers into adopting appropriate measures in the fight against cybercrime. Cybersecurity is no longer just a matter for the IT department. Just as with digitization, the executive floor must take responsibility for the security of the corporate infrastructure. It is there that the financial risk of a ransomware attack and the associated loss of reputation have to be dealt with. Extortion sums in the millions hurt, and rebuilding the infrastructure after an attack has paralyzed all IT systems is just as costly. If the intruders also steal sensitive customer data before the systems are encrypted, data protection officers are called in to examine the omissions and make demands.
Decision-makers are far better served if these sums are invested before an attack, to keep cybersecurity up to date. Given the digitization efforts, it should be clear that perimeter security is no longer adequate for multi-cloud environments and mobile employees. Measures are required that give the IT department back control over all data streams, which must be inspected for malware in order to prevent the leakage of sensitive information and unauthorized access. A company's attack surface can be reduced if the entire IT infrastructure is made invisible to outsiders. A zero-trust concept helps by granting access rights rule-based and per application rather than per network. If the whole network no longer has to be opened to access an application,
Instead of waiting for external control mechanisms to raise cybersecurity, those responsible should understand that modern security mechanisms are already available to them. It is simply a matter of seizing these opportunities. The call for external help is always loud when a problem cannot be dealt with on one's own, but companies should not wait for outside pressure to assess themselves; they should take their risk assessment into their own hands.
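To make the zero-trust idea above concrete, here is an added example of a minimal rule-based access decision function; it is illustrative code written for this page, not a product or library the article refers to. It assumes a request carries the user's identity, group memberships, device posture, and the single application being asked for (all hypothetical fields), and it shows the two properties the paragraph describes: every decision is scoped to one application rather than to a network, and anything without an explicit allow rule is denied and therefore stays invisible to the requester.

```python
"""Minimal zero-trust access policy evaluator (added example, not from the
original article).

Assumptions: a request carries the user's identity, group memberships,
device posture, and the single application it targets. Every decision is
per application; nothing is granted at the network level, and anything
not explicitly allowed is denied.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    device_managed: bool   # device is enrolled and passes posture checks
    mfa: bool              # session was authenticated with a second factor
    app: str               # the one application being requested


@dataclass(frozen=True)
class Rule:
    app: str
    allowed_groups: frozenset
    require_managed_device: bool = True
    require_mfa: bool = True


# Constructed sample policy: each rule scopes access to exactly one
# application, so a match never implies reachability of anything else.
POLICY = (
    Rule("crm", frozenset({"sales", "support"})),
    Rule("wiki", frozenset({"employees"}), require_managed_device=False),
    Rule("payroll-admin", frozenset({"hr-admins"})),
)


def evaluate(req: Request, policy=POLICY) -> tuple:
    """Return (decision, reason). Default deny: only an explicit rule for
    req.app whose conditions all hold yields 'allow'."""
    for rule in policy:
        if rule.app != req.app:
            continue
        if not (req.groups & rule.allowed_groups):
            return ("deny", f"{req.user} is not in an allowed group for {req.app}")
        if rule.require_mfa and not req.mfa:
            return ("deny", f"{req.app} requires MFA")
        if rule.require_managed_device and not req.device_managed:
            return ("deny", f"{req.app} requires a managed device")
        return ("allow", f"{req.user} -> {req.app} via {sorted(rule.allowed_groups)}")
    # No rule mentions the app at all: it stays unreachable (and invisible).
    return ("deny", f"no rule for {req.app}; default deny")


def reachable_apps(req: Request, policy=POLICY) -> set:
    """Applications this principal could reach right now. In a network-level
    (VPN-style) model the answer would be 'everything on the segment'; here
    it is only what the rules explicitly allow for this identity and device."""
    apps = {rule.app for rule in policy}
    return {a for a in apps if evaluate(replace(req, app=a), policy)[0] == "allow"}


if __name__ == "__main__":
    # Constructed sample principals.
    alice = Request("alice", frozenset({"employees", "sales"}), True, True, "crm")
    bob = Request("bob", frozenset({"employees", "sales"}), False, True, "crm")
    print(evaluate(alice), reachable_apps(alice))
    print(evaluate(bob), reachable_apps(bob))  # same groups, unmanaged device
```

Note that bob, who has exactly the same group memberships as alice, loses access to the CRM the moment his device fails the posture check, while the wiki stays reachable because its rule does not require a managed device; a network-wide VPN grant could not express that distinction.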