It seems that hardly a week goes by now without news of another cybersecurity incident affecting institutions all over the world. In May, in one of the largest data breaches ever reported, it was revealed that more than 500 million accounts of leading global ticket seller Ticketmaster had been compromised, while telecommunications giant AT&T and computer manufacturer Dell were hit with breaches that affected 72 million and 49 million data records respectively.
APAC Organizations and Cybersecurity Risks
While much of the media focus globally has highlighted incidents in North America and Europe, the APAC region is not immune to such threats. A recent PwC report on cybersecurity in APAC, published in May 2024, found that five out of every six (84%) of APAC business and tech executives had increased cybersecurity budgets amid the rising threat.
That finding is understandable when you consider the underlying data: PwC found that security breaches were more damaging in APAC, with organizations’ worst data breaches costing slightly more to rectify compared to organizations across the rest of the globe, and 1 in 20 organizations forced to invest more USD $20 million to repair the damage.
In addition, the risks of a cyber attack are no longer restricted to just the danger of compromised data and the costs required to fix the vulnerability. For more than 2 in 5 organizations in APAC, their top concerns arising from potential data breaches include damage to brand and revenue losses. All of this means that cybersecurity has become much more than just a technology or data issue. It now runs straight to the commercial and operational heart of all businesses with any significant digital footprint — and there’s hardly any ambitious business in 2024 without a significant digital footprint.
Practical Outcomes of Cybersecurity Risk Factors
So what are some of the noticeable on-the-ground outcomes of such trends for organizations?
For one thing, reporting on cybersecurity risks is no longer just a matter for the CTO, CIO or CISO or, for that matter, the broader executive team. Ninety-five percent of organizations now report on cyber risk to board level, underlining the fundamental nature of cybersecurity strategy, investment and preparation.
Looking at the day-to-day, the standard way of reducing the risk of cybersecurity problems in the past has been to invest in “pen tests” (or “penetration testing”), as well as setting up policies and processes to monitor possible breaches and respond when a system is exploited.
However, it’s now an unwritten law of the Internet that availability creates vulnerability. The unavoidable implication of building user-friendly Internet-available resources such as self-serve customer interfaces or remote-working capabilities is that systems get exposed to the Internet. All the evidence of recent years has suggested that if something is easy to use, the unfortunate reality is that it will be easy to exploit. This vulnerability of data to the cloud, added to the general complexity of IT systems, which often include a range of codebases and APIs, means that manual testing is in danger of becoming as much of a problem as a solution.
Better Than Manual
The old American polymath Benjamin Franklin might have lived and died long before connected computers, but his old truism still applies: by failing to prepare you are preparing to fail. Increasingly, manual testing is one way of failing to adequately prepare.
No matter how thorough the process or how expert the team implementing, manual testing is, by its very nature, prone to human error. Given the rapidly rising case-load of cyber incidents worldwide, combined with the strong likelihood that we’re witnessing just the tip of the iceberg of potential vulnerabilities, there must be a better way.
Research carried out as part of work on the Automated Security Validation (or SecVal) system found that solutions such as pen testing and other manual, human-led approaches are at best only a partial solution, covering fewer than one in five IT assets. There’s a military adage that goes, “two is one and one is none”, and all IT and cybersecurity leaders will appreciate that every partial solution is a problem in waiting.
In addition, these manual processes are typically stale, with institutions often carrying out cybersecurity tests no more than once a year, while pen testing and other such measures often become both maddeningly and expensively inaccurate, with 40% of scanner alarms providing false positives, a situation that can foster deep frustration with technology executives and security operatives alike and also have the hidden and serious cost of eroding trust among senior leaders and colleagues across the rest of the business.
One key challenge facing cybersecurity professionals is identifying and responding to real areas of concern that could carry significant or even mission-critical risks. To do that, the next frontier for specialist data security teams is likely to be automated security validation, which when set up will work in the background monitoring entire systems to identify threats and vulnerabilities at the moment they come about, in effect closing the gap between vulnerability and real threat to near zero.
The promise from automated systems such as SecVal is that IT leaders and teams can spend much more time proactively understanding and supporting core business needs, and much less time wading through the weeds and implementing patches to low-grade risks where the cost-benefit ratio might be marginal or even non-existent.
With such systems in place, the benefits to business are likely to mean greater threat intelligence and more secure data, plus all the business intangibles that watertight security can offer which can add up to the golden triangle of brand reputation, greater revenues and bottom-line profitability.
Also Read: How Automated Access Control Systems Improve Facility Management
