Here, cybersecurity expert Algirde Pipikaite of the World Economic Forum teams up with S&P Global’s Marc Barrachin and Scott Crawford to outline the top five biggest cybersecurity challenges for the year ahead.
Looking at the year ahead, it is critical to continue elevating cybersecurity as a strategic business issue and develop more partnerships between industries, business leaders, regulators and policymakers. Just like any other strategic societal challenge, cybersecurity cannot be addressed in silos.
Here is a list of five main cybersecurity challenges that global leaders should consider and tackle in 2021.
1. More complex cybersecurity challenges
Digitalisation increasingly impacts all aspects of our lives and industries. We are seeing the rapid adoption of machine learning and artificial intelligence tools, as well as an increasing dependency on software, hardware and cloud infrastructure.
The complexity of digitalisation means that governments are fighting different battles — from ‘fake news’ intended to influence elections to cyber-attacks on critical infrastructure.
These include the recent wave of ransomware attacks on healthcare systems to the pervasive impact of a compromised provider of widely adopted network management systems.
Vital processes, such as the delivery of the vaccines in the months to come, may also be at risk. Facing these heightened risks, decision-makers and leaders need to acknowledge that cybersecurity is a national security priority.
The blurring line between digital and physical domains indicates that nations and organisations will only be secure if they incorporate cybersecurity features, principles and frameworks are a necessity for all organisations, especially those with high-value assets.
In today’s battles, governments have to adapt to fight against attackers that are silent, distributed, varied and technically savvy.
The public and private sectors alike are engaged in this battle – and the private sector will need what only the public sphere can bring to the fight, including policy-making, market-shaping incentive models and training on a large scale.
2. Fragmented and complex regulations
Cyber adversaries do not stop at countries’ borders, nor do they comply with different jurisdictions.
Organisations, meanwhile, must navigate both a growing number and increasingly complex system of regulations and rules, such as the General Data Protection Regulation, the California Consumer Privacy Act, the Cybersecurity Law of the People’s Republic of China and many others worldwide.
Privacy and data protection regulations are necessary, but can also create fragmented, and sometimes conflicting, priorities and costs for companies that can weaken defence mechanisms.
Within organisations’ budgetary boundaries, companies have to defend and protect against attacks while they also seek to comply with complex regulations.
Policymakers, thus, need to weigh their decisions with this impact in mind. Individual regulations may have similar intent, but multiple policies add complexity for businesses that need to comply with all regulations, and this complexity introduces its challenges to cybersecurity and data protection, not always improving them.
Policies must be creative in increasing protection while decreasing regulatory complexity. Cooperation among different policymakers is critical.
3. Dependence on other parties
Organisations operate in an ecosystem that is likely more extensive and less certain than many may recognise.
Connected devices are expected to reach 27 billion by 2021 globally, driven by trends such as the rise of 5G, the internet of things and smart systems.
In addition, the boom in remote work that began with the pandemic is expected to continue for many. The concentration of a few technology providers globally provides many entry points for cyber criminals throughout the digital supply chain.
The ecosystem is only as strong as its weakest link. The recent attacks against FireEye and SolarWinds highlight the sensitivity of supply chain issues and dependence on providers of IT functionality and services.
Organisations must consider what the breadth of this exposure really means and must take steps to assess the real extent of their entire attack surface and resilience to threats.
An inclusive and cross-collaborative process involving teams across different business units is vital to make sure there is an acceptable level of visibility and understanding of digital assets.
4. Lack of cybersecurity expertise
Ransomware is the fastest-growing cybercrime and the Covid-19 pandemic has exacerbated this threat.
Preventative measures for ransomware or any other cyber-attack should include preparation: presume you will get hit, back up IT resources and data, make sure there is continuity of operations in disruptions to computer systems, and drill and train the organisation in realistic cyber response plans.
Businesses that actively adopt cybersecurity and more importantly improve their cybersecurity infrastructure are more likely to be successful.
These businesses have come to see cybersecurity as an enabler to everyday operations. The significance of cybersecurity will likely only increase in the future in order to take advantage of the speed, scale, flexibility, and resilience that digitalisation promises.
Security by design and by default are becoming integral to success.
Organisational priorities should include a proactive plan for each business to build and maintain its own cybersecurity workforce.
With security expertise becoming so difficult to source and retain, organisations should consider cultivating this talent organically. Organisations must also recognise that mobility is implicit in the modern technology workforce.
It will be important to plan for the expected tenure of experienced professionals and recognise the long-term benefits that will accrue from a reputation for cultivating this expertise, transmitted from veterans to newcomers entering the field.
5. Difficulty tracking cyber criminals
Being a cybercriminal offers big rewards and few risks since, until recently, the likelihood of detection and prosecution of a cybercriminal was estimated to be as low as 0.05% in the US.
This percentage is even lower in many other countries. Even when not obscuring criminal activity through techniques such as dark web tactics, it can be very challenging to prove that a specific actor committed certain acts.
Cybercrime is a growing business model, as the increasing sophistication of tools on the darknet makes malicious services more affordable and easily accessible for anyone that is willing to hire a cybercriminal.
Policymakers can help by working with cybercrime experts to establish internationally accepted criteria for attribution, evidence, and cooperation in pursuing cyber criminals and bringing them to justice.
We have learned a lot over the last 18 months, and 2021 will be no different. We need to continue to adapt and take cyber risks seriously by planning, preparing and educating.
Since it is a universal issue, open communications between corporations, policymakers, and regulators are a critical key to success.
Until security features become integral to technology – seamless, transparent, and naturally usable by people – we will need to rely on business leadership to pay serious attention to cybersecurity.