What Is Cybersecurity?

Cybersecurity is a business problem that has been presented as such in boardrooms for years, and yet accountability still lies primarily with IT leaders. 

In the 2022 Gartner Board of Directors Survey, 88% of board members classified cybersecurity as a business risk; just 12% called it a technology risk. Still, a 2021 survey showed that the CIO, the chief information security officer (CISO) or their equivalent were held accountable for cybersecurity at 85% of organizations.

Organizations have become far more vulnerable to cyberthreats because digital information and technology are now so heavily integrated into day-to-day work. But the attacks themselves, which target both information and critical infrastructure, are also becoming far more sophisticated. 

Cyber-risk incidents can have operational, financial, reputational and strategic consequences for an organization, all of which come at significant costs. This has made existing measures less effective, and it means that most organizations need to up their cybersecurity game. 

The Russian invasion of Ukraine is marked by both military and destructive malware attacks. As the invasion expands, the threat of attacks to critical infrastructure — and the potential for fatal outages — grows. No business is immune. 

Many organizations already face a range of lurking security failures, but now, it’s especially important to rely on threat intelligence tailored for your organization and to watch for guidance from your government contacts around how to prepare for attacks you may not be ready to handle. 

As the C-suite strategizes its response to the Russian invasion of Ukraine, prioritize cybersecurity planning. Focus on what you can control. Make sure your incident response plans are current. Increase awareness and vigilance to detect and prevent potential increased threats, but be mindful of the added stress and pressure your organization is feeling. A human error due to these forces may have a greater impact on your organization than an actual cyber attack.

Critical infrastructure sectors include energy production and transmission, water and wastewater, healthcare, and food and agriculture. In many countries, critical infrastructure is state-owned, while in others, like the U.S., private industry owns and operates a much larger portion of it.

Not only are each of these sectors critical to the appropriate functioning of modern societies, but they are also interdependent, and a cyberattack on one can have a direct impact on others. Attackers are increasingly choosing to deploy attacks on cyber-physical systems (CPS).

The risks were very real even before Russia invaded Ukraine. Attacks on organizations in critical infrastructure sectors rose from less than 10 in 2013 to almost 400 in 2020, a 3,900% increase. It’s not surprising, then, that governments worldwide are mandating more security controls for mission-critical CPS. 

The Russian invasion of Ukraine increases the threat of cyberattacks for all organizations. You need to develop a holistic, coordinated CPS security strategy while also incorporating into governance emerging security directives for critical infrastructure. The U.S. “National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems,” for example, is prioritizing the electricity and natural gas pipeline sectors, followed by the water/wastewater and chemical sectors.

The crux of the problem is that traditional network-centric, point-solution security tools are no longer sufficient to combat the speed and complexity of today’s cyberattacks. This is particularly the case as operational technology (OT), which connects, monitors and secures industrial operations (machines), continues to converge with the technology backbone that processes organization’s information technology (IT). 

Conduct a complete inventory of OT/Internet of Things (IoT) security solutions in use within your organization. Also perform an evaluation of standalone or multifunction platform-based security options to further accelerate CPS security stack convergence.

The most common and notable types of cybersecurity attacks include:

• Phishing and social-engineering-based attacks.
  Attackers trick legitimate users with proper access credentials into taking action that opens the door for unauthorized users, allowing them to transfer information and data out (data exfiltration).
• Internet-facing service risks (including cloud services).
  These threats relate to the failure of enterprises, partners and vendors to adequately secure cloud services or other internet-facing services (for example, configuration management failure) from known threats.
• Password-related account compromises.
  Unauthorized users deploy software or other hacking techniques to identify common and reused passwords they can exploit to gain access to confidential systems, data or assets.
• Misuse of information.
  Authorized users inadvertently or deliberately disseminate or otherwise misuse information or data to which they have legitimate access.
• Network-related and man-in-the-middle attacks.
  Attackers may be able to eavesdrop on unsecured network traffic or redirect or interrupt traffic as a result of failure to encrypt messages within and outside an organization’s firewall.
• Supply chain attacks.
  Partners, vendors or other third-party assets or systems (or code) become compromised, creating a vector to attack or exfiltrate information from enterprise systems.
• Denial-of-service attacks (DoS).
  Attackers overwhelm enterprise systems and cause a temporary shutdown or slowdown. Distributed DoS (DDoS) attacks also flood systems, but by using a network of devices. (Also see “What is a DDos attack?”)
• Ransomware.
  This malicious software infects an organization’s systems and restricts access to encrypted data or systems until a ransom is paid to the perpetrator. Some attackers threaten to release data if the ransom isn’t paid.

Cyber attackers deploy DDoS attacks by using a network of devices to overwhelm enterprise systems. While this form of cyber attack is capable of shutting down service, most attacks are actually designed to cause disruption rather than interrupt service completely.

Thousands of DDoS attacks are now reported each day, and most are mitigated as a normal course of business with no special attention warranted. But cyber attackers are capable of increasing the scope of the attack — and DDoS attacks continue to rise in complexity, volume and frequency. This presents a growing threat to the network security of even the smallest enterprises.

DDos attacks also increasingly target applications directly. Successful and cost-effective defense against this type of threat therefore requires a multilayered approach:

• Internal: defenses inside your network behind the firewall.
• Edge: on-premises solutions (physical devices on or in front of the enterprise firewalls and edge routers)
• External/cloud provider: outside the enterprise, such as internet service providers (ISPs)
• People and process: include incident response and the mitigation playbook along with the skill sets needed to stop an attack

DDoS mitigation requires skills distinct from those required to defend against other types of cyberattacks, so most organizations will need to augment their capabilities with third-party solutions.

A range of IT and information system control areas form the technical line of defense against cyberattacks. These include:

• Network and perimeter security.
  A network perimeter demarcates the boundary between an organization’s intranet and the external or public-facing internet. Vulnerabilities create the risk that attackers can use the internet to attack resources connected to it.
• Endpoint security.
  Endpoints are network-connected devices, such as laptops, mobile phones and servers. Endpoint security protects these assets and, by extension, data, information or assets connected to these assets from malicious actors or campaigns.
• Application security.
  It protects data or code within applications, both cloud-based and traditional, before and after applications are deployed.
• Data security.
  It comprises the processes and associated tools that protect sensitive information assets, either in transit or at rest. Data security methods include encryption, which ensures sensitive data is erased, and creating data backups.
• Identity and access management (IAM).
  IAM enables the right individuals to access the right resources at the right times for the right reasons.
• Zero trust architecture.
  It removes implicit trust (“This user is inside my security perimeter”) and replaces it with adaptive, explicit trust (“This user is authenticated with multifactor authentication from a corporate laptop with a functioning security suite”).

Technology controls aren’t the only line of defense against cyberattacks. Leading organizations critically examine their cyber-risk culture and relevant functions’ maturity to expand their cyber defense. This includes building employee awareness and secure behaviors.

Simply put, cybersecurity fails because of a lack of adequate controls. No organization is 100% secure, and organizations cannot control threats or bad actors. Organizations only control priorities and investments in security readiness. 

To decide where, when and how to invest in IT controls and cyber defense, benchmark your security capabilities — for people, process and technology — and identify gaps to fill and priorities to target.

Notably, the human element features heavily in cybersecurity risks. Cybercriminals have become experts at social engineering, and they use increasingly sophisticated techniques to trick employees into clicking on malicious links. Making sure employees have the information and know-how to better defend against these attacks is critical.

The environment itself is evolving in several key ways:

• Growing network, infrastructure and architectural complexity create a greater number and variety of connections that can be targets of cyberattacks.
• Increasing sophistication of threats and poor threat sensing make it hard to keep track of the growing number of information security controls, requirements and threats.
• Third-party vulnerabilities will persist as organizations continue to struggle to establish minimum but robust controls for third parties — especially as most vendors, in particular cloud vendors, are themselves relying on third parties (which become your fourth parties and so on).
• Cybersecurity debt has grown to unprecedented levels as new digital initiatives, frequently based in the public cloud, are deployed before the security issues are addressed.
• Cyber-physical systems are engineered to orchestrate sensing, computation, control, networking and analytics to interact with the physical world (including humans). Connecting the digital and physical worlds (as in smart buildings) presents a unique and growing area of vulnerability.

Cybersecurity is interconnected with many other forms of enterprise risk, and the threats and technologies are evolving quickly. Given this, multiple stakeholders must work together to ensure the right level of security and guard against blind spots. But despite the growing view that cybersecurity is a business risk, accountability for cybersecurity still falls mostly on the shoulders of IT leaders. 

A 2021 Gartner survey found that the CIO, CISO or their equivalent were held accountable for cybersecurity at 85% of organizations. Non-IT senior managers held accountability in only 10% of organizations surveyed, and only 12% of boards have a dedicated board-level cybersecurity committee.

To ensure adequate security, CIOs should work with their boards to ensure that responsibility, accountability and governance are shared by all stakeholders who make business decisions that affect enterprise security.

Most cybersecurity metrics used today are trailing indicators of factors the organization does not control (e.g., “How many times were we attacked last week?”). Instead, focus on metrics related to specific outcomes that prove your cybersecurity program is credible and defensible.

Gartner expects that by 2024, 80% of the magnitude of fines regulators impose after a cybersecurity breach will result from failures to prove the duty of due care was met, as opposed to the impact of the breach.

Gartner advocates the “CARE” model of outcome-driven metrics (ODMs):

The amount you spend on cybersecurity does not reflect your level of protection, nor does what others spend inform your level of protection compared to theirs.

Most monetary representations of risk and security readiness (i.e., “Is that a $5 million risk or a $50 million risk?”) are neither credible nor defensible, and, even when they are credible, they do not support daily decision making related to priorities and investments in security.

Use outcome-driven metrics to enable more effective governance over cybersecurity priorities and investments. ODMs don’t measure, report or influence investments by threat type; it is outside your control to align spending to address ransomware, attacks or hacking. Rather, align investments to the controls that address those threats. 

For example, an organization cannot control whether it suffers a ransomware attack, but it can align investments to three critical controls: back up and restore, business continuity and phishing training. The ODMs of these three controls reflect how well the organization is protected against ransomware and what that level of protection costs — a business-based analysis that tells a compelling story for the board and other senior leaders.

Note that a control can be any combination of people, process and technology that you own, manage and deploy to create a level of protection for the organization. Take a cost optimization approach to evaluate the cost (investment), value (benefit) and the level of risk managed for each control. Generally, better protection (less risk) will be more expensive.