Mitigating cyber threat risk - CEOs in the hot seat

With 30,000 websites hacked daily and 64% of companies worldwide having experienced at least one form of cyber attack, we need to talk about cyber security.

Every 39 seconds a new attack occurs, meaning something is not right with traditional centralised cybersecurity.

Can new technology change the current landscape and save businesses the headache of defending the indefensible?

Being a member of the C-suite carries a huge amount of responsibility, and in the past few years executives have had to manage significant increases in accountability for operations in their businesses, in particular data security. CEOs, CTOs, and CISOs no longer enjoy corporate structural buffers to shield them from mishaps. Today, regulators have imposed new legislation that requires them to fall on their swords if a business calamity materially impacts their clients or markets.

Compliance around data protection is currently holding centre stage in boardrooms, as breaches in security systems are becoming alarmingly commonplace, and it’s not just the little guys that fall prey to an attack.

According to new research from the Bank of England, cyberattacks are the biggest risk to the UK financial system. The bank’s H2 systemic risk survey revealed that 74% of respondents believed a cyberattack to be the highest risk to the financial sector in both the short and long term. Surprisingly, they were optimistic about the systems in place to protect themselves.

The annual survey also reported that the number of respondents who believe their company is at high risk of attack increased from 31% in the first half of the year to 62% in the second half, and 83% stated that they believe that cyber risk in the financial sector has increased in the past year. Ransomware attacks are of particular concern: according to a report from Trend Micro, in the first half of 2021 alone, ransomware attacks in the banking industry increased by a whopping 1318%, which was disproportionate to other industries. Is the banking sector a little overconfident? Or are the CISOs telling the CEOs they are all OK, not realising that under the new DORA (Digital Operational Resilience Act) regulation they are now directly liable, just like an MLRO?

“It's not only Financial Services that are in the firing line: Amazon, Facebook, Instagram, Uber, Experian, Twitter, and more recently Royal Mail, along with hundreds more large global companies, have fallen prey to cyberattacks, with millions of client records being appropriated by bad actors.”
Monica Oravcova
Co-Founder and Chief Operating Officer, Naoris Protocol

There are several reasons why large established companies are vulnerable. Firstly, many older companies have IT systems that are completely out of date. According to Patrick Dixon, CEO of Global Change LTD, a large number of companies have complex and clunky IT systems that don’t talk to each other and not one person in these companies understands the entire ecosystem. It is not only costly but also risky to replace this outmoded and disparate software. The stakes are high and if the change-out fails, it’s inevitable that there will be casualties across the board.

Another reason we are seeing an alarming rise in cyberthreats is that, in tandem with ageing general IT infrastructures, cybersecurity software is outdated and not updated to the latest versions, which creates incompatibility issues. Going into battle against hackers with this technology is like racing an F1 car against a Ford Focus: there will be a clear loser.

The cyberthreat is all-encompassing and indiscriminate.

From March 2021 to February 2022 there were 153 million malware attacks.

2022 was the worst year on record for ransomware attacks; a recent report revealed that attacks are up 80% year-on-year and that the cybercriminals responsible for these attacks are avoiding prosecution by taking advantage of ransomware as a service.

86.2% of surveyed organisations were affected by a successful cyberattack (CyberEdge Group 2021 Cyberthreat Defence Report)

In 2022, the average cost of a data breach for large corporations globally hit $4.35 million. (Statista)

It’s estimated that businesses will lose approximately $10.5 trillion due to cybercrime in 2025, an eye-watering $19,977,168 per minute. (Cybercrime Magazine)

Over the next 5 years, global cybercrime costs are predicted to grow by 23% per year, reaching $23.84 trillion annually by 2027. (Statista)

By 2024, online payment fraud will cost the e-commerce industry $25 billion in losses annually. (Legal Jobs)

45.5% of respondents in a recent survey said that their organisation endured between 1 and 5 successful cyberattacks during the past year. (Statista)

85% of cyberattacks are motivated by financial gain and the second leading motivator is state espionage. (Verizon)

Public companies lose an estimated 8.6% of their value after a cyber breach. (Comparitech)

So why is this happening?

There are billions of devices that are potential single points of security failure, because traditional cybersecurity architecture organises all networked devices to operate in a silo under centralised control, which makes them vulnerable by default. For example, car keys, mobiles, laptops, point of sale devices, servers and any other internet-connected device are all potential back doors into vulnerable networks. In the past, enterprise and institutional security was ring-fenced, but servers moving to the cloud, remote workers, and a proliferation of IoT devices have created a huge mesh of interconnectivity, which means that the borders are no longer identifiable, let alone defensible. These weaknesses have prevailed in web2 and are now being carried over to web3. If we don’t change the way cybersecurity is implemented, we could face a $10 trillion cyber damage headache in 2025.

Legacy is not always noble

Industries have been slow to acknowledge the lack of efficacy of current cybersecurity solutions. The combination of legacy technology, the lack of knowledge or appetite for alternatives, and nervous IT gatekeepers reluctant to risk their reputations makes for a soup of indecision that may seriously impact their bottom lines. According to the 2022 Cost of a Data Breach report by IBM and the Ponemon Institute, the average cost of a data breach has reached a record high of US$4.35 million. Given that a professional hacker can breach a system in less than 12 hours using software that they can buy off the dark web for a few hundred dollars, it is remiss to adopt a head-in-the-sand approach to cybersecurity.

Is there a solution?

There is definitely a new way to look at cybersecurity, and it’s called decentralised cybersecurity mesh. Gartner, in a recent report, identified cybersecurity mesh as a leading trend for 2023; however, they stop short of looking at a decentralised mesh that can remove the centralised mesh’s points of failure. The Naoris Protocol is leading the charge with technology that transforms centrally managed computer networks of traditionally untrusted devices and services, such as mobiles, servers, laptops, and software programs (in fact, any IoT-enabled device), into a decentralised cyber-secure mesh using blockchain and swarm AI. By deploying a software agent onto any centrally managed device, it allows all nodes (devices, network infrastructure) to validate each other’s status. Devices operating under Naoris Protocol’s dPoSec (decentralised proof of security), along with the software agent, are converted into a decentralised cyber-validator army of watchdogs that ensure the whole infrastructure is safe, removing the points of failure we see today. This enables the protocol to constantly report the cyber trust status of each connected device across the network.

It monitors the system metadata and OS levels of devices, programmes and network-connected infrastructure, and not the activity of the user. When a hacker interferes with a trusted device’s known operating baseline, there is an instant alert in milliseconds and the device can potentially be locked out of the network, preventing the full infrastructure from being compromised. This ensures that enterprises operate safely, bringing decentralised trust and security enforcement to traditional centralised spaces. Risks (threats) and governance lapses in complex environments or networks should be detected in seconds, not months, which is currently the case. According to IBM, the average breach lifecycle takes 287 days, with organisations taking 212 days to initially detect a breach and 75 days to secure it.

We still have a way to go before we see the end of cyber attacks, but headway is being made. This is not a one-horse race: everyone has the responsibility to secure their data and devices, and a little education and awareness goes a long way to preventing attacks. A prevention mindset is key if we are to win the war against cybercrime, and we can all play a part.

This article has been written by Monica Oravcova, Co-Founder and Chief Operating Officer, Naoris Protocol
