Remember Captain Kirk talking about “Space, the final frontier”, and the mission to explore strange new worlds and boldly go where no man has gone before? As new vistas of technological advancement open up, the power of cyberspace seems limitless. Its sovereignty, however, is under constant threat. Different technologies are being introduced every day, often outpacing the ability to properly assess the associated risks.
Cyberspace reckons the emergence of war in the fifth domain
In recent times, a fifth domain, cyberspace, has emerged in addition to the four traditional war domains: land, sea, air and space. Compared to earlier times, when the scope of war strategies was restricted by borders, cyberspace wars transcend borders into the virtual world, and the consequences are just as devastating and real. In fact, they could be catastrophic: malicious software bringing down military e-mail systems; security breaches in oil refineries and pipelines leading to explosions; cyber-attacks on power grid servers resulting in widespread blackouts. The World Economic Forum predicts a 10% chance of a major infrastructure breakdown in the near future, which may cause damage to the global economy amounting to US$250 billion.
Cybersecurity is becoming a board-level concern
Organizations have become easy targets of different forms of attack, since they have been increasingly relying on digitized information and sharing vast amounts of data across the globe. As a result, every company’s day-to-day operations, data and intellectual property are at serious risk. In a corporate context, a cyber-attack can not only damage the brand and reputation of the company, it can also result in loss of competitive advantage, create legal/regulatory non-compliance and cause significant financial damage.
Various recent events illustrate the adverse outcomes of cyber-attacks and security breaches. In November 2014, a large media company reported a major cyber-attack in which the social-security numbers of 47,000 of its current and former employees were leaked, sensitive financial information such as salaries was published, and copies of several yet-to-be-released films were distributed online. Some well-known financial and e-commerce companies have also suffered major data breaches. Earlier, in 2013, a hoax post brought a major financial index down by 1% within 7 minutes, destroying billions of dollars in value.
The evolving threat landscape calls for a strategy overhaul
As the level of persistence and sophistication of cyber threats increases, it is becoming difficult to predict the nature of threats that will emerge in the next 5 or 10 years. The only sure way to counter the threat is to align the organization’s cyber security strategy with its business strategy.
With 17 editions published so far, EY’s Global Information Security Survey (GISS) is one of the longest-running and highly valued surveys of its kind. EY’s GISS outlines “The Activate-Adapt-Anticipate” approach to streamline the cyber security journey for organizations across the globe. Some of the key findings of the survey are highlighted below:
- Cybersecurity strategy should be led from the top – Currently, cybersecurity strategy and execution is primarily seen as an IT responsibility. The survey indicates that nearly 80% of CIOs have the Information Security function reporting directly to them, compared with just 14% reporting directly to the CEO. Organizations need to involve senior leadership in cybersecurity. Lack of executive buy-in opens the doors to mistakes and cyber criminals.
- The first step is to build a solid foundation of cybersecurity – Organizations are making progress on building the foundations of cybersecurity — and this progress is important — however, most respondents report having only a “moderate” level of maturity in their foundations. Across almost every cybersecurity process, between 35% and 45% of respondents rated themselves “still a lot to improve.”
- A mix of preventive and detective technologies is a must to combat cyber-attacks – According to the survey, 57% of respondents think that employees are the most likely source of an attack; 53% point to criminal syndicates; 46% point to hacktivists; and 35% think external contractors working onsite are the most likely source of an attack. Designing a well-defined and automated Identity and Access Management (IAM) program can help organizations prevent and detect cyber-attacks.
- Lack of cybersecurity skills is an important roadblock – While the need for specialists deepens, the lack of specialists is a constant and growing issue. There is also a need to build skills in non-technical disciplines to integrate cybersecurity into the core business. According to the survey, 53% of organizations state that lack of skilled resources is one of the main obstacles that challenge their information security.
- Potential cost of a cyber-attack can be fatal – Many organizations view the costs of cybersecurity as considerable. They underestimate the potential cost of a cyber-attack. Nearly 65% of respondents cited budget constraints as their number one obstacle to delivering value. Organizations must understand they are under daily attack, the attackers show no signs of giving up, and they are getting smarter and more targeted. The next breach could be fatal.
Winning the cyberwar can be an exciting journey
Cyberspace is a challenging technological sphere ready for war and each organization will need to attack to defend itself better. To do this means shedding the “victim” mindset of operating in a perpetual state of uncertainty (and anxiety) about unknown cyber threats. Today’s attackers have significant funding, are patient and sophisticated and target vulnerabilities in people, process as well as technology. To be able to conquer the cyberwar, companies need to build awareness and advanced capabilities, develop a compelling strategy and install cybersecurity components throughout the business. Therefore, anticipating cyber-attacks is the only way to be ahead of cyber criminals.
Talking of war, do we remember the latest James Bond movie? A breach of MI6 servers, electronic trails and taunting messages via computers formed the crux of the movie. It is perhaps established that, in general, security is considered boring; films are not made on security but on cyber-threats, attacks, and frauds, which normally excite us. Stay tuned for the next edition of this series where I discuss the inextricable link between action movies and cyber security.
 World Economic Forum
 EY Global Information Security Survey 2014