‘Clear and Present Danger’: Why Cybersecurity Risk Management Needs to Keep Evolving

March 2, 2021

The phrase ‘future-proof’ is seductive. We want to believe technology prepares us for the future. But with threat actors and developers in an arms race to breach and protect, cybersecurity risk — and cybersecurity risk management — are always changing. As a recent report by World Economic Forum shows, businesses and other entities should know how to keep up with and measure cybersecurity risk. Both are important and ongoing aspects of keeping your digital assets secure.

The Threat of ‘Cybersecurity Failure’

In early January, the World Economic Forum (WEF) released its Global Risks Report 2021. In this report, built from a survey, 650 members of WEF’s leadership groups offered their perspective on global risks. Their responses helped illustrate some of the major sources of risk confronting the world going into the new decade.

One of those was ‘cybersecurity failure,’ that is, defensive measures lagging behind threat actors and breaches. Members of the WEF see this failure as one of the highest-likelihood risks of the next decade. More than one-third (39%) said they regarded it as a ‘clear and present danger,’ meaning it will likely take effect over the next two years. About half (49%) expect it will also be an issue in the next three to five years.

Today’s Threats to Cybersecurity Risk Management

The reality is the world doesn’t need to wait for this failure. It’s already here, and one need not look far for proof.

Worldwide information security and cybersecurity risk management spending will grow 2.4% to reach $123.8 billion by the end of the year, Gartner predicted in June 2020. Gartner projected that one-third of that spending would go to security measures designed to support organizations’ cloud adoption efforts. The next highest investments are in technologies designed to secure organizations’ applications and data as many transitioned to a remote work model.

All of that spending didn’t prevent cybersecurity breaches, though. The FBI received 4,000 cyberattack-related complaints over the course of 2020, wrote the Associated Press. It also didn’t prevent a notable supply chain attack that hit U.S. federal departments, security firms and tech giants. Three in 10 victims weren’t even running the compromised software before they fell victim to the attackers. Attackers abused software flaws, guessed online passwords and took advantage of configuration issues in a popular cloud-based platform.

This shows how tightly entities are linked together. Malicious actors used their diverse attack techniques to turn one compromise into tens of thousands. Attackers understand what this interdependence means, which is why a Microsoft executive told ZDNet that incidents like the supply chain attack won’t just become more frequent going forward; they will be “the norm.”

Dependence and Cybersecurity Risk Management

Entities aren’t completely powerless against cybersecurity breaches. On the contrary, you can run cybersecurity risk assessments on an ongoing basis to scan your networks for potential weak points. Use the findings to direct investments. Focus on strengthening your position with respect to vulnerability management, network monitoring and threat intelligence. The threats might change, but these and other defense basics will remain.

Recent attacks and the WEF’s report underscore the need for greater teamwork and mutual accountability among all parties when it comes to digital defense. Vendors and researchers can’t protect everyone on their own. They need to work together if they hope to manage the global risk of cybersecurity failure over the next five years and the years that follow.

David Bisson
Contributing Editor

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Trip...