Every year since 2004, October has been globally recognized as Cybersecurity Awareness Month, a month dedicated to the public and private sectors working together to raise awareness of the importance of cybersecurity. This year's theme, set by the Cybersecurity and Infrastructure Security Agency (CISA), is Secure Our World, which recognizes the urgent need to build cyber resilience in the increasingly interconnected risk landscape in which enterprises operate today. Whether it is keeping IT vendor risk in check with intelligent issue management or proactively improving cloud security with continuous control monitoring, enterprises need to build connected risk management strategies to become more resilient.
The cyber risk landscape is showing no signs of de-escalating, and as a result, cyber risk management is growing increasingly complex and challenging. On average, the world faces 2,200 cyberattacks a day, or an attack every 39 seconds. The average cost of a data breach is USD 4.5 million. 44 percent of businesses have suffered a third-party data breach in the last year, and 82 percent of data breaches took place in the cloud.
We explore some of the biggest cyber risks facing organizations in 2024 and how these trends will shape cyber resilience strategies in the year to come.
A large number of data breaches over the last couple of years were caused by vulnerabilities in organizations' third-party vendor ecosystems. For example, earlier this year, American Express warned cardholders about a cyberattack at one of its merchant processors that may have compromised their data. And more than 28,000 customers were impacted by a data breach at Fidelity Investments as a result of a cyberattack on its service provider, Infosys McCamish Systems. In an increasingly interconnected world, third-party vulnerabilities are a serious challenge for organizations. A breach anywhere in the ecosystem can expose vast volumes of sensitive data from across organizations. The problem is that even with due diligence and contractually mandated obligations, it is difficult to completely prevent third-party breaches.
Organizations today operate within a highly complex risk landscape, and they must address new categories of risk, such as third-party risk and interconnected-systems risk. Older cyber risk management approaches are no longer effective, and strategies are changing rapidly to keep pace with this evolving risk landscape. Here are some of the trends shaping cyber risk management in 2024:
The Changing Role of the CISO
In the past, cyber risk was considered a purely technological issue. Today, organizations understand that cyber risk is inextricably linked with business and operational risk, given the escalating cost of data breaches and the impact on reputation. Cyber risk is now a CXO concern and a top priority for board discussions. This shift in priorities and in the understanding of the impact of cyber risks has led to a shift in the role of the CISO. The role is no longer purely operational or technical but has evolved to include business risk management. The CISO, who now has a seat in the boardroom, is expected to align cybersecurity strategies with business goals. They are expected to integrate cyber risk management and security practices across the entire enterprise as well as its external third-party ecosystem.
CISOs are approaching cyber risk management the same way as financial risk management, with quarterly engagements with CXOs, including the CFO and CEO. This demonstrates the increasing relevance of cybersecurity in controlling operational costs and in aligning security initiatives with sales, marketing, and overall profit protection. It also helps to integrate cybersecurity efforts with broader business objectives and strategies.
AI: Risk, Reward, and Governance
Artificial Intelligence (AI) is changing the way cybersecurity strategies are crafted and implemented. On the one hand, AI poses a significant risk, as bad actors have equal access to the technology and can use it to mount highly sophisticated attacks. The fact that AI models leverage vast volumes of data compounds the cybersecurity challenge, as a single breach can expose a large volume and range of confidential information.
On the other hand, AI is a tool that, when used correctly, can greatly augment cybersecurity management. It can automate routine and manual tasks, help prioritize threats and vulnerabilities accurately, and improve threat detection capabilities. In fact, 70 percent of organizations surveyed by the Ponemon Institute say that AI is highly effective in detecting previously undetected threats. This will enable cybersecurity teams to focus on higher-value projects that can drive business outcomes.
53 percent of organizations are in the early stages of adopting AI within their cyber risk management and security strategies. As the use of AI increases further, organizations must focus on training their teams to leverage the technology effectively and securely. Cross-functional teams that focus on governance can help drive the responsible and secure use of AI in cyber risk management.
Increasing Regulations – SEC Rules, DORA, EU AI Act
Regulators worldwide are trying to keep pace with the evolving cyber risk landscape by passing new laws and frameworks for improving cyber risk management and security. Data privacy and security are a key focus area, and most regulations aim to ensure comprehensive data protection strategies covering not only internal operations but also third-party interactions. Many regulations, such as the SEC's cybersecurity rules for public companies and the Digital Operational Resilience Act (DORA) in Europe, require organizations to report incidents and risks more transparently. This is necessitating a shift from decentralized data security measures to a more structured framework, with some organizations even appointing Chief Privacy Officers to ensure compliance.
The emergence of AI and IoT has also significantly impacted cyber risk management and data security, as these technologies deal with vast volumes of potentially sensitive data. There are complex privacy and legal issues to be addressed that require close collaboration with legal teams to ensure third-party risks are managed effectively.
Focus on Resilience
Cyberattacks are showing no signs of slowing down, and cyber risk management strategies are expanding to incorporate resilience and recovery. This is especially significant in critical sectors like healthcare, where interconnected systems face catastrophic disruption in the event of a breach within the third-party ecosystem. No organization is immune to cyberattacks, and the focus must be on continuous monitoring, proactive recovery planning, operational resilience, and recovery strategies.
Third-party risks must be monitored, vendors' preparedness and recovery plans in the event of a breach must be evaluated, and basic cyber hygiene must be enforced. Resilience must be embedded into daily operations. Only then can critical functional areas quickly recover and get back to business as usual in the case of a disruption.
Consolidation of Resources
Redundant platforms and systems can hinder operational efficiency, and organizations are now moving to consolidate resources to improve cyber risk management. For example, consolidating platforms for managed detection and response (MDR) services can provide a unified view of the environment and reduce the need for different teams to access different systems.
Organizations are also consolidating data for advanced analytics and AI. This helps reduce storage costs and eliminates unnecessary data retention, which in turn reduces the possibility of a sensitive data breach. For example, a company may have stored large volumes of visitor records. These may include sensitive data such as driver's licenses, which in the wrong hands can lead to significant problems. The company does not need to store this data for its own operations and can easily delete it to free up storage and make data analytics processes more efficient.
The modern, evolving role of the CISO also encompasses resource consolidation, as CISOs are responsible not just for cybersecurity but also for operational efficiency, which in turn is linked to business outcomes.
A rapidly evolving cyber risk landscape has driven changes in the way cyber risks are managed and security postures maintained. Emerging cyber risk management trends call for greater focus on resilience, third-party risk management, and linking business outcomes with cyber risk management and security. Organizations cannot ensure effective cyber risk management or cybersecurity without a robust technology platform that can automate key processes.
MetricStream's CyberGRC, built as an interconnected, intuitive, and intelligent GRC product set, empowers enterprises to connect cyber risk data from across the enterprise, including third- and fourth-party vendors, and then use the resulting actionable business intelligence to make data-driven decisions that build cyber resilience.
With MetricStream CyberGRC, you can:
Request a demo now.