Opinion

Why money won’t solve your cybersecurity problems

In response to mounting threats, dozens of cybersecurity providers have sprung up offering quick fixes for businesses looking to boost resilience. But simply investing in the right tools is never going to be sufficient to keep organisations safe


With risks coming thick and fast, cybersecurity is an ongoing and persistent headache for businesses. The CEOs I’ve spoken to are losing sleep over a variety of threats, from nation-state attacks on their systems and data to cunningly crafted phishing campaigns aimed at tricking employees. And like many recurring nightmares, these threats have an uncanny ability to resurface in increasingly terrifying forms. 

For example, ransomware continues to evolve rapidly, with the rise of lucrative ransomware-as-a-service (RaaS) business models lowering the barrier to entry for attackers and hitting organisations where it hurts most: the bottom line. In the last year alone, the share of breaches caused by ransomware grew 41%, and the average cost of a destructive attack rose by over £335,000. Alongside financial and reputational harm, businesses now face mounting legal and regulatory repercussions as authorities take an increasingly dim view of ransom payments.


Perhaps unsurprisingly, many organisations feel compelled to spend their worries away. But ploughing money into the latest cybersecurity solutions without careful consideration, or simply writing a cheque and hoping for the best, is not the answer. Just ask critical national infrastructure (CNI) operators, including aviation, water and communications companies. Despite increased budgets, recent Bridewell research found that almost two-thirds admit to lacking sufficient visibility across their IT environments and still struggle to understand how and why an attack occurred. What’s more, 28% of CNI organisations only discover a breach when details appear on the dark web; in other words, an attacker got in, took data and advertised it before any internal control noticed, which points to significant gaps in threat intelligence and detection capabilities.

While investment in cybersecurity is necessary, simply throwing money at the problem will not pave the way out of a crisis. Now, your challenge at the top table is to drag collective heads out of the sand and invest more wisely and strategically, taking a proactive approach to tackle evolving security threats. 

Your company has a cybersecurity problem

Acknowledging the problem is the first step towards finding a solution. As organisations digitally transform at scale and adopt remote working, new attack surfaces have emerged for criminals to exploit: every additional connected system, device and remote user is another potential entry point. The complexity of the technology, combined with the complexity of securing it, is a further challenge, and one that requires security teams to keep their knowledge current and their advice relevant to the business as the landscape shifts.

Meanwhile, current economic pressures have triggered a surge in insider threats, whether driven by malicious intent, negligence or the promise of lucrative payoffs to vulnerable employees in return for access to critical data. In fact, our research found that over a third (35%) of CNI organisations anticipate a further rise in cybercrime as a direct result of the cost-of-living crisis. Money alone cannot resolve these deep-seated issues; they require thoughtful and comprehensive solutions.

With no business immune, security must no longer be an afterthought. The potential impacts of a breach on reputation, business operations, and even human lives make it imperative for your organisation to really think about its cybersecurity strategy – from top to bottom.

What is resilience, anyway?

Businesses often make vague claims about their cyber resilience. Likewise, security providers can charge exorbitant fees for quick-fix solutions that promise enhanced resilience but ultimately fail to deliver end-to-end security. Without a clear understanding of what they have actually bought, organisations fall into a false sense of security, hiding behind expensive yet ineffective tools that leave critical vulnerabilities unaddressed.

Is your company genuinely confident in its resilience? To answer yes, you need a clear understanding of the specific threats you face and where they come from. You must continually assess cyber risk and take active steps to identify and mitigate vulnerabilities, rather than waiting for a breach to occur. A key part of this is integrating your technologies and tools so that you have complete visibility across all assets: you cannot detect or respond to an attack on a system you do not know you own, or from which you are collecting no telemetry. And don’t underestimate the basics, including strong access controls and zero trust principles such as least privilege and verifying every request rather than trusting the network it came from.

Whether you’re a large enterprise or a startup, more concrete and proactive security operations are crucial: preparing and rehearsing attack scenarios, regularly testing incident response plans, and integrating a robust, intelligence-led approach into every aspect of business operations.

How to embed cybersecurity throughout your organisation

Integrating cybersecurity into all areas of the business is both the biggest challenge and the biggest need. Shared responsibility, accountability and decision-making are vital to strengthening resilience.

Merely discussing cybersecurity at the top table is not enough. It must be addressed in an impactful, personable manner that involves all stakeholders. In my experience of presenting to boards in very large organisations, there is clearly a growing recognition of the cybersecurity challenge. But it’s now essential to move beyond acknowledgement and focus on actionable steps, continuously staying up-to-date and pertinent to align security with business objectives. 


I also strongly believe that individuals across the business should recognise their specific roles and responsibilities in security. Making it relevant is the key, whether through having leaders incorporate security checkpoints in project management or raising awareness within teams. Tailored advice and effective embedding are no mean feats – but they are crucial for responding to the mounting threats facing businesses today. 

Cyber investment amounts to much more than a figure on a cheque. It also involves ensuring a more diverse and inclusive workforce with a range of transferable skills. This is not just a matter of fairness – greater diversity is a strategic imperative for building robust cyber defences, providing access to a rich array of knowledge, perspectives, and experiences. During my time at BP, one of my proudest accomplishments was achieving a milestone of 55% female representation in the global leadership team for cybersecurity. Now, at Bridewell, we are carrying the torch further by supporting other organisations as they improve their inclusion from the ground up.

With organisations facing a multitude of cyber threats, now is the time for your business to mature its approach and prioritise proper strategy and insight, rather than just throwing money at the problem. Acting on the problem now will leave you better placed to withstand cyber threats and strengthen resilience over the long term.

Emma Leith is director of consulting at cybersecurity consultancy Bridewell