Cyber threats have been real and present for a long time – but the evidence suggests that there has been a renewed spike in attacks in recent times which make a robust cyber security position more critical than ever.
In this year’s Nash Squared/Harvey Nash Digital Leadership Report (DLR), conducted amongst over 2,000 technology leaders around the world, 29% of respondents say their organisation has been subject to a major attack in the previous two years, a significant increase from 23% in 2023. This jump bucks a broadly downward trend seen over the last five years. Not since 2019 has the figure been this high.
It’s a timely reminder that a strong, multi-layered cyber security approach is essential for all businesses. Quite simply, those organisations not investing in cyber security do so at their peril. The reality is that, both financially and reputationally, they are almost sure to pay the price one day.
Proliferating threats
The technology leaders we surveyed are in little doubt about the main threat – with 84% pointing to organised cyber-crime groups as public enemy number one. However, there has also been a jump in those citing foreign powers as a cyber danger, standing at 50% whereas in 2022 this was only 40%. Given the fraught and tense geopolitical climate in which we live, this is perhaps unsurprising. Meanwhile, the perceived insider threat has also grown, with 42% naming this as a concern compared to 34% in 2023.
In short, there are growing cyber threats from multiple bad actors. The added challenge is that attack methods are becoming ever more sophisticated and varied, from ransomware and data theft to phishing attacks that increasingly utilise highly convincing AI-powered deepfake technology. This reinforces the need for zero trust and highlights the absolute importance that everyone in a business should exercise due caution, following clearly communicated security protocols. Strong identity and access management processes are critically important, along with 24/7 threat detection and robust – and regularly tested – incident response procedures.
Cyber skills challenge
Robust cyber defences depend on having a highly skilled cyber security team, but another clear concern is that finding cyber talent has become increasingly difficult. In this year’s DLR, cyber emerges as the third highest area of skills shortages. A third of technology leaders (33%) say they are struggling with a cyber skills shortage which is a significant rise from our last study when the figure was 27%. Only AI (51%) and Big Data (38%) come in higher. This challenge certainly rings true in terms of what we see in the market – businesses across sectors are struggling to find scarce cyber talent whether that’s at an operational level (cyber engineers), a more strategic level (cyber architects and analysts), or a leadership level (CISOs).
Success factors – three key areas
There are no quick fixes here, in what is an ongoing and ever-present battle to keep an organisation’s perimeters secure. But I believe there are three principles that can significantly aid businesses in the security endeavour.
1. Upskilling and training
Firstly, while it may be hard to find external cyber talent on the open market, there is much that can be done internally to upskill and cross-skill the existing team. This could be through a programme of internal or external training, or a combination of both. Building your institutional knowledge and capabilities in-house can have a powerful effect. By investing in your team, it can also increase motivation and loyalty – no small spin-off benefit. But organisations shouldn’t confine their focus to the cyber and/or technology teams – there should be a programme of awareness and education for all staff across the enterprise, which should be regularly refreshed and repeated. Security is everyone’s responsibility. Often, it is heading off those small incidents of poor practice or carelessness that prevents a much larger incident from taking place.
2. Managed services
Secondly, dependent on the size of the organisation, it may be worthwhile exploring what managed services are available. Contracting with a managed service provider (MSP) to conduct your monitoring and threat detection or your security testing, for example, may be an investment worth making. An MSP may also be able to implement new security features and defences that you lack the internal know-how or experience to do in-house.
3. Alternative resourcing models
Seeking a business partner that deeply understands both the talent market and your business while also being clear about which areas you want to strengthen can open up routes to accessing a wider talent pool. Such partners can also help you find passive talent (people not actively looking but who may be interested in moving roles if the conditions are right). More broadly, they can advise you on alternative resourcing models – such as considering employing fractional, part-time or contractor talent to bolster your team. It is not uncommon now, for example, for large organisations to employ multiple CISOs, some on a fractional basis. This helps with knowledge and intelligence sharing and creates wider perspectives on both threats and solutions.
Cyber security is a daily battle against an array of sophisticated threats. Leveraging every possible tool in the armoury is becoming essential to stay ahead and keep the business safe, secure and efficient in its functioning
