The state of cybersecurity and how enterprises can strengthen their strategy for 2023

Pierre Samson, Chief Revenue Officer (CRO), Hackuity
Pierre Samson, Chief Revenue Officer (CRO), Hackuity

Over the past few years, cyberattacks on businesses, from large corporations to small and medium-sized enterprises, have become a priority for the entire C-suite. By 2025, global cybercrime is projected to cost the world economy about US$10.5 trillion, up from US$3 trillion in 2015. Global cybercrime is predicted to carry a US$8-trillion price tag in 2023, according to the US-based market research company Cybersecurity Ventures. Phishing scams, ransomware, malware, data breaches, and social engineering are some of the most common types of cybersecurity threats that have increased at an alarming rate. Beyond the raw financial loss, these security threats have a devastating effect on a company’s corporate image and growth.

 

Findings from PwC’s latest Global Digital Trust Insights report show that two-thirds of executives consider cybercrime their most significant threat in the coming year, and 38% expect more serious attacks via the cloud in 2023. Cybercriminals are increasingly using off-the-shelf tools and can orchestrate a variety of attacks, noted the report, which surveyed 3,522 business, technology, and security executives across multiple countries.

 

It is vital for businesses both large and small to ensure that they take the right preventive steps and invest in security measures to tackle cyber threats head-on.

 

Spend your dollars wisely

 

Faced with more sophisticated attacks than ever, management can no longer ignore cyber threats. And that’s why we expect cybersecurity budgets to stay resilient despite the slowdown in the global economy. Digitalisation does not stop. In fact, it increases during periods of slowdown and crisis. The Covid-19 pandemic has been the main catalyst for the drastic digital transformation of businesses globally. The pandemic forced businesses across sectors to accelerate their digital transformation initiatives to cut down the cost of operations and work remotely. In the meantime, awareness of cybercrime as a critical business risk has improved substantially, which helps ensure a steady investment in cyber defence.

 

Companies that have been underinvesting for years are suddenly trying to catch up by spending more on cybersecurity initiatives. But you won’t be able to correct years-long cyber underinvestment in the short term. This is a journey that takes time and resources over several years to improve your company’s cybersecurity posture and reduce risk.

 

Building a strong cyber defence

 

Start with the basics. Uncover the critical risks specific to your business and your technical assets. You cannot protect what you do not know.

 

Have clear accountability, and identify the stakeholders in charge of cybersecurity: from top to bottom of the organisation – including the board. Cybersecurity is a team sport, and employees can be your first line of defence or your weakest link based on investments in training.

 

Implement a step-by-step approach. Cybersecurity is not static. Adopt the 80:20 rule: Start with the 20 percent of actions that will cover 80 percent of your risks. Secure your quick wins and basic protections, and then go to the next level.

 

Ramp up your systems. Start by having detection tools and practices in place to protect the network and endpoints. Smaller enterprises that don’t have the bandwidth and funds to invest in technology should go with managed service partners that can cover an extensive range of security services. They will provide the required technologies embedded into their service offerings.

 

Dealing with organised cybercrime

 

Like any industry, cybercrime has become more organised and professional. The proliferation of attacks won’t end anytime soon. And it's never been easier to purchase criminal services and tools on the dark web with zero technical knowledge.

 

One must understand that those bad actors also have a ROI (return on investment) mindset targeting the best value for money, i.e. size of the haul versus complexity to execute an attack. For instance, phishing can get you credit cards or credentials from end customers with little real value. However, stealing and monetising US$100 million worth of IP from a multinational company requires a full squad and long-term play that will only pay off if there’s a big pot of gold at the end of that rainbow. These APTs (advanced persistent threats) are sophisticated, sustained cyberattacks in which an intruder establishes an undetected presence in a network to steal sensitive data over a prolonged period.

 

The best way to defend is to not be an easy victim. Unfortunately, what we observe is that 80 percent of breaches are still coming from a lack of basic cybersecurity hygiene that could have been prevented with steady investments, top-down willingness, and awareness of the risks. Investing in people, processes, and the right technologies can make or break businesses. If you can't simultaneously identify and prioritise the critical vulnerabilities specific to your attack surface and automate your remediation workflow, what's the point?