In 2021, every company is a tech company. Whatever your industry, every one of your departments and teams is fundamentally tech-enabled. They rely on collaboration tools for operations, social media tools for branding, messaging apps for customer experience, etc.
When every company is a tech company, every company is vulnerable to cyberattacks. The European Network and Information Security Agency (ENISA) reports detecting about 230,000 new malware infections daily. This upsurge in cybercrime is partly related to malicious innovations by bad actors, which have made attacks easier, cheaper, and faster to perform.
However, the upsurge is also related to the fact that almost any company is a target. They all leverage a similar technology stack that is vulnerable to any cyber attacker. And for every company, their cybersecurity defense is intimately tied to their financial health.
In Q4 of this year, companies need to be fully up to speed with the cyberthreat landscape, the 2021 regulatory agenda, and developments in cybersecurity liability, disclosure, and enforcement. Here are the highlights of what companies need to know.
Bad Actors Love Third-Party Apps
Cyberattacks are on the rise because of the increasing adoption of cloud-based communication applications.
Take the pressure of the pandemic. With companies forced to go remote, third-party apps like Slack, Teams, and Zoom became lifesavers. However, these platforms also became targets for bad actors.
Complicating these matters when home internet connections are not as secure and protected as office systems and threat actors saw this as a massive opportunity. In Q3, third-party office apps made up almost 71% of the most commonly exploited applications.
Collaboration tools aside, we have witnessed a major uptick in cloud-based attacks on major companies. Distributed denial-of-service (DDoS) attacks have wreaked havoc on Amazon Web Services and the New Zealand stock exchange. A supply chain attack on SolarWinds left its 300,000 customers, including the US government, exposed to trojanized updates distributed through their app monitoring platform, Orion.
Malware attacks have also increased ransomware particularly. The US Securities and Exchange Commission (SEC) has already issued multiple warnings about increasingly advanced ransomware attacks. According to the Data Breach Investigations Report (DBIR) 2021, ransomware has seen a 10% increase this year. Attacks like the EA Games breach and the recent malware campaign by the Lazarus group are proof of the ransomware danger. Worse still, ransomware attackers have taken an interest in the industrial sector, as evidenced by the JBS Foods attack back in June.
All of these attacks were conducted via none other than… you guessed it, cloud-based applications. Third-party apps exist outside the traditional security perimeter. This is the new battleground for companies looking to protect themselves.
How Boards Can Take the Initiative
Against this cybersecurity backdrop, organizations need to do everything they can to defend themselves. This includes boards and the C-suite, who need to roll their sleeves up.
Managing supply-chain risk from third-party service providers should be a key concern for these stakeholders, and this should be considered an essential part of corporate risk management.
For leadership, understanding their cyber risk relative to financial exposure is a proven way to inform risk management decisions around investments and strategic execution. Step one? Conduct a 360-degree review of the enterprise and obtain answers to the following principal questions:
- Corporate Values: What risk will we not accept?
- Strategy: What are the risks we need to take?
- Stakeholders: What risks are stakeholders willing to bear, and to what level?
- Capacity: What resources are required to manage those risks?
- Financial: Are we adequately understand the effectiveness of our risk management and harmonize our spending on risk controls?
- Measurement: Can we measure and produce reports to ensure proper monitoring, trending, and communication?
- Management: Are we effectively managing our risk relative to the company risk profile?
Companies should be deploying a cyber risk decisioning capability that delivers business insights to the c-suite and boardroom using the power of financial insights. It is imperative to remove the complexity of cyber risk decisions in the c-suite and boardroom by translating technological cybersecurity into financial metrics to enable better cyber risk management decisions. There should be an alignment of cyber risk with enterprise-wide risk management reporting and strategy and prioritize a set of risk remediation and transfer actions.
The Government’s Cyber Agenda
Here’s some good news: As companies do everything they can to protect their companies from digital and financial risk, they are well-supported by the current administration. Under the leadership of recently-elected President Biden, the US government has promised to make cybersecurity a top priority for every level of the government.
Moreover, leadership changes in the US Senate have been forecasted to usher in a new set of bills to address cybersecurity governance and incident reporting. Meanwhile, changes in leadership among financial services regulators and within the Consumer Financial Protection Bureau will coincide with new regulations and revitalization efforts around consumer privacy protection.
For example, the Department of Defense (DoD) has decided to call off the $10-billion contract that Amazon and Microsoft have fought a legal battle over. The Joint Enterprise Defense Infrastructure (JEDI) deal was supposed to “modernize the Pentagon’s IT operations for services rendered over as many as ten years.” However, in a press release, the Pentagon has said that the JEDI contract no longer meets their needs “due to evolving requirements, increased cloud conversancy, and industry advances.” This signals an increasingly higher bar for the government’s cybersecurity needs.
Of course, the Pentagon still needs enterprise-scale cloud capability. They recently announced a new multi-vendor contract to this end, which Microsoft and Amazon are both likely to get. We should expect that this new contract will be in line with the administration’s focus on cybersecurity and data protection. A variety of measures will likely be stipulated in the contract to ensure accountability and governance regarding cyber-related concerns, lest we risk a repeat of the SolarWinds data breach.
What Every (Tech) Company Needs
To stress: The financial health of a business is directly related to how well they defend themselves against cyberattacks. And with data breach costs rising to $4.24 million (the highest ever recorded for the past 17 years), every organization needs to level up its cyber defense measures. Moreover, the World Economic Forum projects the global cost of cybercrime to reach $6 Trillion by the end of 2021.
Today, every company is a tech company, and they are tech-enabled and entirely reliant on their tech stacks. Organizations need solutions that leverage the power of AI and machine learning to provide enhanced visibility and rapid threat detection-and-response capabilities, all while enabling total privacy and scalability.
