By Astrid Gobardhan, Group Data Protection Officer at VFS Global, the world’s largest outsourcing and technology services specialist
Against a backdrop of biting inflation and uncertainty across global markets, many organizations are now revising down their annual commitments towards internal work, such as IT, with some forecasters predicting as much as a 20 percent fall in spending across this area over the next year.
Yet, interestingly, and against the grain of anticipated budget cuts, a new survey published by the Enterprise Strategy Group (ESG) suggests that almost two-thirds (65 percent) of senior leaders – including IT decision-makers – intend to increase their cybersecurity spend over the coming year, given the evolving threat and frequency of online attacks. As a ballpark figure, the technological research firm Gartner anticipates spending on risk management and data security to touch a new high of $188 billion (€174 billion) in 2023.
But what is driving this, and what can businesses do to improve their resilience when it comes to external attacks?
In the main, this spending shift towards risk management can be attributed to the effects of the COVID-19 pandemic and growing regulatory pressures. With the average cost of a data breach in the USA now standing at an eye-watering $9.44 million, comparatively light spending on cybersecurity and education within a workforce can go a long way towards safeguarding critical infrastructure and an organization’s future viability. There’s also the reality that, today, businesses are processing more data than ever before, and increasingly storing this information between local and cloud-based servers. These tools, together with the roll-out of Zero Trust Network Access – which provides remote workers with secure entry to an organization’s applications, data, and services – mean that organizations are spreading their risks and, in turn, having to commit more and more of their IT spend to this particular area each year.
In my role, as the Group Data Protection Officer at the world’s largest outsourcing and technology services specialist, I know, first-hand, how important it is to establish and maintain security provisions around an organization. Cyber-security is an “always on” priority, given the risks involved, and it’s crucial that business leaders see any investment as an insurance policy against an attack.
The challenges facing each business will vary, depending on its size and scope, but it is important to stress that no organization is immune to cyber threats. Here are several points that IT and business leaders should consider, and potentially work into their risk strategies, over the coming year:
Educate employees about cybersecurity. Employees are the first line of defense against cyber-attacks. It, therefore, makes sense to have cybersecurity as a fixture of their work from day one. This should set out not only the risks entailed in their role but wider information and organizational processes, which they can turn to for guidance. By creating a climate where risk is analyzed, and openly discussed, organizations will be well-placed to prevent and respond to an attack.
Perform software updates and use complex passwords. Some of the most common ways attackers gain access to systems are by exploiting vulnerabilities in software and by gaining password credentials from brute force attacks and “third party” leaks. By ensuring that all system software is up to date, organizations can reduce the risk of local and external attacks. Passwords, used across organizations, should also be updated at regular intervals and comprise a mix of upper and lowercase letters, numbers, and symbols. There are password managers available, such as Dashlane or LastPass, which guard against hacking, and allow employees to generate individual, hard-to-crack, and storable passwords.
Use multi-factor authentication. Multi-factor authentication adds an extra layer of security to accounts and systems by requiring users to provide multiple forms of identification, such as a password and a code from a mobile device. This is a common practice now across many operations, and is an effective, and largely trouble-free, way for organizations to both reduce their risk, and, in the event of a breach, trace its origin.
Be aware of social engineering attacks. These attacks involve manipulating employees into breaking normal security procedures and best practices. They can sometimes be hard to spot, particularly if they take the form of a line manager or IT professional emailing to confirm login credentials or other organizational information. It is therefore important that employees across an organization are aware of certain “red flags”, and that they are encouraged to be risk-averse in how they respond to these “out of the blue” demands. As a general rule, recipients should double-check with the sender, via a separate means of communication such as a text message or phone call, to verify a request.
Conduct “live fire” exercises. Even if an organization uses a third party for its IT department, it is well worth performing periodic security tests as part of a “live fire” simulation. Such exercises can provide a useful data bank on where an organization can improve, and also allow for refresher training with certain staff across identified weak points.
Perhaps the most fundamental point to consider, though, is that the digital landscape is constantly evolving. This means organizations will need to stay on top of, or at the very least introduce some barrier of protection against, emerging threats and quickly and effectively share new information with their teams to stave off an external attack.
By introducing a number of the abovementioned suggestions to their operations, and adopting a prevention-first philosophy, organizations can take important and potentially critical steps towards reducing their exposure to risk.
About the Author
Astrid Gobardhan is the Group Data Protection Officer at VFS Global, the world’s largest outsourcing and technology services specialist, serving 67 sovereign governments worldwide. VFS Global has processed over 251 million applications since its inception in 2001.