The cyber landscape continues to evolve
The expanding, escalating and unpredictable cyber threat landscape has made the need to evolve our approach to cybersecurity urgent. Victim targeting is becoming more sophisticated, and malware is getting better at evading detection. As technology proliferates, so too, it seems, does its dark side.
The pandemic fuelled an unprecedented leap in digital adoption at every level, and the migration of communications and data to the virtual world accelerated sharply. Statcan found that 70% of tech workers now work from home or otherwise outside the office, and 80% of security and business leaders say remote work has increased the risk of a cyber security breach. As the physical and digital worlds grow ever more connected, collaborative and complex, cybersecurity has become a business imperative. A series of high-profile attacks has brought cybersecurity to the forefront of the world’s attention in recent years, and the trend is not expected to abate in 2022/2023. Russia’s invasion of Ukraine is the latest example of the growing importance of cybersecurity and its intrinsic relationship with geopolitics. Organisations have responded by dramatically increasing their cybersecurity investments, yet breaches and threats continue to climb.
Fortinet, a global leader in cyber security solutions, reports a 600% increase in phishing over the past couple of years and a ransomware attack every 11 seconds. This exposes how vulnerable current IT systems are. On top of known vulnerabilities there is the threat of a zero-day attack: one that exploits a flaw not yet known to the vendor and for which no patch exists, so signature-based defences have nothing to match against. 2021 broke records for zero-day attacks, with 66 zero-days, more than double the number in 2020. Fortinet also cites an annual cost of cybercrime of about $6 trillion, rising at about 15% per year.
Similar statistics come from across the cyber security sector. Cybersecurity Ventures expects the global cost of ransomware alone to rise to $265 billion by 2031, and IBM put the average cost of a data breach in 2021 at $4.24m, with breaches costing $1.07m more on average when remote work was a factor. Sophos found that the cost to remediate a ransomware attack more than doubled from 2020 to 2021.
Threat conditions will only worsen for businesses globally as digitalization, connectivity, data privacy laws and geopolitical tensions expand, so investment in responding to these threats is naturally rising. The evidence shows that the investment pays: organisations with mature Zero Trust deployments, for example, incur on average $1.76m less per data breach than those without.
Businesses want to avoid the financial costs of these threats, but there is also the cost of reputational loss to consider: loss of consumer trust, weakened brand affiliations, lapsed partnerships, and customers lost to competitors. These impacts are hard to quantify, but they are just as real and warrant just as much attention when protecting the brand.
The rise of Israel as a hub location for the cyber security industry
Israel is currently the powerhouse of cybersecurity, thanks to record funding in 2021 and major government backing. Growth in both funding and the regularity of incidents has positioned Israel as one of the largest centres of cybersecurity innovation in the world. Increased vulnerabilities during the pandemic helped boost funding for Israeli cybersecurity start-ups to a historic high of $8.8 billion in 2021, and roughly a third of the world’s cybersecurity unicorns were based in Israel that year. Israel is therefore increasingly a sourcing location for procurement and supply chain teams to engage with.
The need to build organisational resilience that extends to business ecosystems
The need for a profound change in how cybersecurity is viewed, planned and executed has never been greater. CEOs should not leave this change solely to IT or compliance teams; instead there should be one cohesive team, strategy and plan of action to create safe, trusted environments for customers, employees and vendors.
Whilst companies across sectors have been shoring up their cybersecurity defences with technologies such as firewalls, endpoint protection, and Network Detection and Response, one area remains overlooked: securing the supply chain. Today’s supply chain is less a linear chain moving parts from manufacturing to market than a web that extends and branches in many directions. With digital services such as cloud providers in the mix, running your core business now depends on a multi-faceted ecosystem. Research from the Ponemon Institute found that the average organisation has given 471 third parties access to sensitive information, and each of those third parties has its own complex web of suppliers. So however much you have invested in cybersecurity controls, and however confident you are in your own safeguards, you also need to establish how confident you can be in your vendors, especially those whose systems are interconnected with yours and those that can access your network or data: a compromise at any one of them is a path into your environment.
The role procurement plays in the complex world of cybersecurity
According to Accenture research, cybersecurity now accounts for 15% of all IT spend (up from 10% in 2020) and looks set for continued growth. There are numerous ways in which procurement teams can play an important role in responding to this growth:
– Be part of the cross-functional team responsible for safeguarding the business against cyber attacks
– Have a process in place to understand and segment the potential risks, and the current defences against them, throughout the end-to-end supply chain
– Ensure the risks identified across the business are managed effectively from supplier onboarding through contracting to continuous monitoring
– Build a comprehensive guide on how to respond to and manage a major incident
– Work with the business to identify the third parties that would need to be engaged in the event of an incident, from legal counsel and ransomware negotiators to PR and service partners able to manage and respond to PII events
– Review barred trade / sanctions lists and determine whether any modifications are required
– Refine the approach to onboarding diverse suppliers and ensure onboarding is appropriate and scaled to the supplier’s risk
– Learn about Zero Trust principles and how they can be written into third-party contracts