New research with 750 leaders of large organizations reveals three steps to be better prepared for a cyberattack.
The threat of cybersecurity weighs heavily on enterprises now more than ever. Technology researchers Gartner say new ransomware models alone are the biggest emerging risk organizations face today — bigger than the pandemic and supply chain disruption.
But new research from Kaspersky in association with Longitude, a Financial Times company, shows enterprises are not prepared. Less than one in 10 are very well prepared to deal with cyberattacks by professional cybercriminals (9 percent), lone hackers (7 percent) and nation states (6 percent).
The research surveyed 750 leaders at enterprises around the world about their approach to cybersecurity. Respondents, representing companies from many regions and industries of at least 1,000 employees, were those who knew their organization’s cybersecurity strategy.
Enterprises unprepared for cyberattacks
“Most people are completely unprepared,” says Shawnee Delaney, CEO of US-based insider threat specialist Vaillance Group. “Every day, something changes: There’s a newer, better virus, a new technique, a new modus operandi. It’s impossible to keep up with everything, and that’s frightening for everyone.” Delaney is more prepared than most, with her company’s security credentials and her background at the Defense Intelligence Agency conducting clandestine intelligence operations around the world.
According to Kaspersky’s research, the main reason companies are not prepared is reliance on legacy technology vulnerable to today’s threats. They also lack financial resources to recruit or consult skilled security professionals.
The risk is real, and companies are not prepared. What can they do? Kaspersky’s research shows three things they can change for better security outcomes.
Step 1: Make cybersecurity teams more diverse
Diversity and inclusion is high on the business agenda, thanks partly to movements like #MeToo and Black Lives Matter. There’s also a strong business case for it. Research by management consultancy McKinsey & Company shows companies in the top quartile for gender diversity on executive teams were 25 percent more likely to have above-average profitability than those in the bottom quartile.
Businesses expect cybersecurity to benefit from diversity too. In Kaspersky’s research, most enterprises (62 percent) believe creating a more diverse and inclusive cybersecurity team will be important in the next two years.
They’re right to focus on this because there’s a long way to go. Figures from the UK National Cyber Security Centre show 85 percent of professionals working in cybersecurity are white and 66 percent are male.
Kaspersky’s research finds cybersecurity teams benefit from being more diverse and inclusive. A fifth (20 percent) of respondents strongly believe they’re actively improving diversity and inclusion in their cybersecurity teams. The data shows this small group, which Kaspersky calls the Diversity Leaders, is much better prepared to deal with a range of cybersecurity attacks.
Kaspersky’s Diversity Leaders have also been quicker to learn from the pandemic. They are more likely than others to be planning for a major crisis through real-world cyberincident training (68 percent of Diversity Leaders versus 54 percent of the rest).
There are more than three million unfilled positions in cybersecurity globally, according to cybersecurity professional organization (ISC)².
Darren Argyle, group chief information security risk officer at international bank Standard Chartered, believes improving diversity on teams can help fill vacant spots.
Diversity is a strategic imperative for the whole bank. We know that not only is this the right thing to do, but tapping into various diverse groups of people will give us a more rounded way of thinking about how we can manage cyber risk.
Darren Argyle, group chief information security risk officer, Standard Chartered
In 2021 Standard Chartered launched its Cyber Acceleration Programme (CAP). About 50 women have participated so far. A ‘skill-up and scale-up’ program, CAP provides junior and mid-level women with self-paced modules on cybersecurity and leadership. On top of the learning modules, groups of up to ten women are assigned to senior cybersecurity leaders and undergo a 12-week mentoring program.
“We’re creating a leadership framework that women can engage with,” says Argyle. “They work with role models in the bank, who are predominantly women, on areas they might want to develop.”
Step 2: Closely integrate the C-suite with cybersecurity teams
C-suite (senior management) leaders have broad and high-level remits, while cybersecurity professionals focus on the details of cyberthreats. They are not obvious partners. But Kaspersky’s research shows that when enterprises build strong links between the two, they experience better security outcomes.
A quarter (26 percent) of respondents believe strong integration between the C-suite and cybersecurity teams will be very important in the next two years. The data shows this small group, which Kaspersky calls the Integration Leaders, is better prepared to deal with cyberattacks.
UK IT giant Softcat closely aligns its C-suite and cybersecurity teams. Responsibility for risk — including cybersecurity — ultimately rests with its CEO, Graeme Watt. “I am the key stakeholder for security within the board. I have a Chief Information Officer (CIO) who reports directly to me, and the information security team sits under them,” he says. “I am the person the board looks to on cyber risks, but I don’t do all the reporting myself. I bring the CIO into the board meeting when we’re talking about cybersecurity risk.”
The company faces scrutiny of its cyber risk status from many sources. As a public company, it is subject to external audit. It has its own internal audits. As an IT company that offers security products and services, its reputation among customers depends on its own security standards.
Watt works closely with its cybersecurity team to ensure standards are met, but elsewhere in the Softcat C-suite other leaders also have responsibility for cybersecurity.
Our managing director has the customer view of security, so he applies what he’s seeing, hearing and thinking to our own company. For example, we offer security assessments for our customers, and we’ve turned those same services around on ourselves. It’s a very healthy approach.
Graeme Watt, CEO, Softcat
Indian manufacturer Shriram Pistons and Rings takes a similar approach and keeps its security expertise close to the C-suite. ‘Shop floor’ digitization is a priority for the company, and it plans to use the internet of things (IoT) extensively across its facilities.
Its chief digital officer Prashant Khairnar, hired to drive digitization from ‘shop floor to top floor,’ explains that the leadership team takes security seriously. “When we do risk assessments, cybersecurity is always the top concern,” he says. “Of course, I am not a cybersecurity expert, but the person who handles this area is, and he reports directly to me. I take a more strategic view, and he focuses on day-to-day security and the technical issues.”
Cybercrime is increasing rapidly. Data from technology market analysts Canalys shows 30 billion data records were stolen globally in 2020 – more than the previous 15 years combined.
Evgeniya Naumova, executive vice president of corporate business at Kaspersky, says the rise in cybercrime has made the C-suite wake up to the threat. “I think the importance of information security was highlighted to the C-suite and top management during the Covid-19 pandemic,” she says, suggesting the increased security risks of remote working captured leaders’ attention. “There was a switch — a really obvious switch — in their minds. They understood that it’s not just something to observe from afar — it needs to be top of their minds.”
Step 3: Invest in high-quality cybersecurity training
It’s no secret that a skilled cybersecurity team is essential to fighting cybercrime. But with four million unfilled vacancies in cybersecurity globally, there is a major skills shortage. A third (34 percent) of companies in Kaspersky’s research believe the shortage will get worse in the next two years.
Skills and training programs help fill this gap. But to stay relevant, these schemes must be kept up to date. The Kaspersky research identifies a very small group of companies, eight percent, that strongly believe their cybersecurity training programs can keep pace with the evolving threat landscape. The data shows this group, which Kaspersky calls the Skills Leaders, has better security outcomes.
Continuously updating skills and training programs eventually helps to make security part of the company’s culture. This is essential, according to Vaillance’s Delaney. And she thinks continuous training on basic cybersecurity principles is a good place to start.
It’s about learning what to spot, so muscle memory teaches you how to make the right and informed choices. This is especially important with people working from home.
Shawnee Delaney, CEO, Vaillance Group
She continues, “Employees need to keep their software up to date, understand what the VPN is and how to use it and not use public Wi-Fi, for example. These are general cyber hygiene best practices critical to maintaining security.”
Kaspersky’s Skills Leaders are more likely to innovate around their training. Two-thirds of Skills Leaders (67 percent) believe it will be very important to carry out immersive cybersecurity training in the next two years, compared with just 49 percent of the rest. The Skills Leaders are also more likely to embed cybersecurity awareness into their recruitment and onboarding process.
Another innovative way to fill the skills gap in cybersecurity teams is to recruit from competitors, according to Standard Chartered’s Argyle. But to do this, companies must adapt how they work. “If you look at the skills we want to try to attract into organizations around cybersecurity and technology, a lot of those skills don’t necessarily sit in another bank,” he says. “They sit in fintechs, technology organizations and cloud companies. So we need to be able to offer the same working environment as a large technology company like Google, Amazon or a fintech. And that’s a very different way of working.”
Kaspersky’s Naumova says security is every employee’s responsibility. “We offer educational courses on how to change the behavior of everyone in the company,” she says. “It’s not just something the information security team should care about. It’s the responsibility of everyone.”
She adds that companies must take a top-to-bottom approach to security, so everyone learns. “Some companies have an information security director or similar on their board,” she says. “They promote them there because they understand they can lose business in a single day if security isn’t done properly.”
The three steps create a virtuous cybersecurity circle
Kaspersky’s research shows enterprises are better prepared against cyberattacks if they increase diversity in cybersecurity teams, improve collaboration between the C-suite and cybersecurity teams, and invest in quality skills programs.
But developing these in isolation is not the answer. The research shows each factor complements one another. For example, Kaspersky’s Skills Leaders are more likely to create diverse and inclusive cybersecurity teams and integrate their C-suites and cybersecurity teams more closely. It’s a virtuous circle that increases cybersecurity preparedness.
The threat landscape is evolving quickly, and cybercriminals are becoming increasingly sophisticated. Businesses have no choice but to match sophistication with extreme preparedness.