From the water we drink, to the roads we drive on, to the information we consume, technology is woven into the fabric of society. Nearly every aspect of our lives depends on technology. However, the convergence of digital threats with physical risks has increasingly become evident. A single cyberattack or technological disruption can bankrupt a business or put human lives at risk.
This raises the question: Do organizations prioritize digital risks? For the most part, they do not. Research shows that only three percent of businesses have developed true resilience against cyber threats. Here are the primary reasons for this disparity:
1. Overreliance on Technology, Inadequate Emphasis on Resilience
Many organizations incorporate technology to propel business growth, disregarding the potential consequences of system failures. Consider the case of smart motorways in the UK, originally engineered to be safe and worry-free. We know today they are not. Was the government operating under the assumption (or misconception) that technology would be flawless and solve all problems? Recall the global CrowdStrike incident. Did financial institutions, hotels, airports, and hospitals write contingency plans dealing with a complete shutdown of their operations?
2. Lack of Commitment from the Top
No doubt, businesses worry about cybersecurity and protecting information. However, they struggle with the equitable allocation of resources — whether to invest in product features, new markets, or improving the customer experience. When organizations look to trim costs, security is too often the target. That’s because security does not easily lend itself to convenient ROI metrics.
3. Lack of Transparency in Third-party and Supply Chain Relationships
In the past year, more than half of organizations (54%) suffered a software supply chain attack, with the average attack going undetected for about 235 days. An organization’s ecosystem is no longer confined to four walls but extends through multiple layers and hierarchies. The challenge lies in really understanding the most effective strategies for managing risk across multiple levels.
4. Neglecting the Human Factor
Many organizations view cybersecurity as a technological issue that can only be addressed by technological means, overlooking the important role of people. This approach has inherent risks because people are often the primary cause of cybersecurity breaches. On the flip side, it is the versatility and creativity of people and their adaptability in detecting anomalies and identifying social engineering schemes that will ultimately help the organization resolve and recover from cybersecurity attacks.
How Can Organizations Foster Resilience and Improve Governance?
Organizations must evolve and advance, but they should also bear in mind that nothing is foolproof. Cyber criminals operate as well-trained and well-funded enterprises with access to sophisticated, state-of-the-art tools. Below are some best practices to foster resilience and cybersecurity governance:
1. Retain Basic Skills: While it’s beneficial to train employees to rely on technology, it is also important to equip staff with basic skills for emergency situations where devices and laptops fail or are no longer accessible.
2. Hold People and Organizations Accountable: Governments, legislators, boards of directors and other stakeholders need to shift from a passive “it happens” attitude towards holding entities accountable for their decisions. Did they assess the risk appropriately? Did they plan for a contingency by preparing an alternative course of action? Do they anticipate unexpected events such as a cyberattack?
3. Rely on People for Finding Solutions: In major data breaches, it was often human intervention, not technology, that helped companies recover. Organizations cannot afford to exclude users from the solution design, or sideline people in favor of technological fixes.
4. Improve Governance within the Supply Chain: Prioritize and triage vendors based on their exposure to digital risks. Implement a process for ongoing assurance and have a reporting and monitoring process in place to track changes in supplier risks. Embed supplier risk assessments in the entire supply chain lifecycle.
5. Customize Risk Mitigation Strategies: There is no universal one-size-fits-all blueprint for risk mitigation. Assess your organization’s unique risk posture, its business direction, its security readiness and its willingness to invest in cybersecurity controls. Approach risk mitigation in a streamlined manner. Use standard cybersecurity frameworks such as ISF SOGP, NIST SP 800-53B or ISO/IEC 27002:2022 to guide risk mitigation efforts.
Technological risks are not insignificant, and no quick fixes are readily available. From a business leadership standpoint, a thorough risk management and governance strategy must be adopted to realize the benefit. Organizations need not go it alone; they can partner with experts in cybersecurity and compliance. Whether or not organizations seriously address identified risks is a business investment decision.