It’s not if. It’s when.
Cybersecurity is usually about stopping intruders. But what happens if they get into your systems? “The question for companies is not if, but when, they're going to have an incident,” said Grant Thornton Risk Advisory Services Principal Andres Castañeda.
“Things are evolving too fast. There are too many threats, now aided by AI,” Castañeda said. “You really need to think about cyber resilience, because if you're not prepared to react, and you don't know what to do, it's much more costly.”
Grant Thornton Risk Advisory Services Manager E.J. Jimenez explained, “One of the biggest mistakes that organizations make is thinking that this will not happen to them — and not paying enough attention before the fact. Instead, they pay the consequences after.”
“If you're not prepared, you have to be ready to bear the consequences and challenges to get back in business,” Castañeda said. “There are ransomware attacks, but also some regulations have disclosure requirements that can result in non-compliance. It's potential litigation, and then you have lawyers involved,” Castañeda said. “Even if you pay a ransomware demand, you also have to pay experts to determine if your data is now truly safe, and how the incident happened.” If companies are unprepared, their risk exposure and regulatory fines can drag out over time.
Organizations need cyber resilience that aligns with regulations like the SEC Final Rule on Cybersecurity, and the New York Department of Financial Services (NYDFS) regulations. These regulations can require comprehensive disclosures to be filed within 72 hours after determining that an event has occurred. They can also require clarifying the material changes and notice and explanation of extortion payments, if made.
Collecting and documenting the information for these disclosures can be especially time-consuming for companies that are unprepared, and the SEC has fined companies millions of dollars for “insufficient” and “misleading cyber disclosures” regarding cyber hacks. Likewise, the NYDFS has imposed significant fines on companies that failed to comply with the state’s cybersecurity regulations, including ongoing fines that can amount to thousands of dollars per day. Even worse, a cybersecurity breach that isn’t sufficiently resolved can leave your organization and its data exposed to disruption or continued ransomware demands.
To be resilient to cybersecurity threats, companies need to prepare and act swiftly and provide a comprehensive response. “What we're seeing is that a combination of these evolving threats is starting to impact day-to-day operations, and organizations will need to revisit the definition of what it means to be “resilient” and “ready,” said Grant Thornton Risk Advisory Services Managing Director Vikrant Rai.
Ready to respond
To stay ready and resilient to cyberthreats, organizations need to proactively evaluate and update their responses. “For small businesses, the biggest risk might be that they get left behind. They need to keep adapting to advanced technologies and methods,” Rai said. There are multiple factors driving the changes in cyberthreats, so it’s important to understand and adapt to each.
Cloud strategies
Cloud strategies have traditionally focused on moving on-premise solutions and infrastructure to a cloud platform — often one platform, since consolidation comes with cost savings and efficiency.
However, consolidation can also create a cloud concentration risk because it means that an issue at just one cloud provider can take an organization offline completely. “Regulators are concerned that a single incident could impact critical national infrastructure, by impacting multiple business-critical institutions. In addition, many risk executives have identified cloud concentration risks as a leading risk,” Rai said. “They're asking industries to look at bottlenecks of resources, and reevaluate how that could impact the economy, day-to-day operations and customer sentiment at the receiving end of the services. The organizations that do not have a multi-cloud strategy are at highest level of risk, should there be a material impact where a cloud service provider goes offline. Even with resilience by design built into cloud solutions, many organizations have untested recovery strategies often fully reliant on a cloud service provider, which is also a risk.”
Most organizations and cloud service providers have closely examined the cybersecurity measures that block potential threats. To build resilience, though, organizations need to look beyond a single provider. They need to consider where they should strategically balance across alternative cloud providers, and even consider what’s required to exit a cloud provider (if needed) as part of an incident response. “Your cloud strategy is of strategic importance,” Rai said. “Generally, there are discounts that build over time, which makes it challenging for an organization to switch or unplug from one provider to another. Some get into binding contracts where, if they exit, they lose. Yet, if they don't know how to exit, they might have little or no control at the receiving end of whatever happens next.”
Exit plans, multi-cloud strategies and even hybrid cloud strategies can help an organization build resilience against cloud concentration risks. Rai said, “Some organizations are even looking at their most critical assets, which might be just a few applications and systems, and exploring alternatives like going back to an in-house data center that can help them keep the ‘lights on’ in case of a wide-scale event.”
Third parties
The risks associated with cloud platforms are often related to the third-party software and service providers. Often, third-party solutions are built upon solutions from other providers, which can create a cloud-based supply chain that is hard to fully perceive, and even harder to secure.
“With increased reliance on third-party providers that develop products with AI coding automation, we're going to start to see an evolution of attacks primarily driven by the software supply chain,” Rai said. “Think about traditional code development. It could take developers writing thousands of lines of code to build a product. Now, that can be done in minutes with the help of AI, which can build, test and even deploy code with minimal instructions. In the next two to three years, we'll see a large volume of apps released on mobile platforms that might go without rigorous testing standards. That could pose a significant risk of compromising endpoints and loss of data, if left unchecked.”
Companies that allow employees to access information with mobile devices might have considered how they should protect data over a distributed network and infrastructure. They also need to make sure they update their monitoring controls to quickly identify any incidents, and update their risk management to respond and contain incidents across their distributed infrastructure.
Quantum computing
Quantum computing technology might seem like a distant concept, but it’s closer than most leaders think.
Major cloud providers already offer quantum cloud computing services. These services have controls to prevent misuse, but cyberthreats that gain access to native quantum computing could have the power to quickly overcome traditional cybersecurity controls like password-based technology. “Encryption technologies would no longer be as effective,” Rai said. “If you conduct a brute-force attack using a traditional computer, it could take you weeks or even months to crack a safe password. With quantum computing, in theory, the attack time could be reduced to its square root. In other words, it would pose a significant risk.”
“The need to address the challenges of adopting post-quantum cryptography is around the corner,” Rai said. “Organizations will need additional layers of security to address encryption replacement or upgrade options. Size of key and cipher text might require larger processing times, which could impact performance. We will likely see those trends to address such challenges pick up in the next three-to-five years.”
That’s a quick timeline for companies to look at building resilience in their cybersecurity. Organizations need to think beyond their current cybersecurity tools to forecast and build resilience at multiple levels, establishing resilient governance and controls as part of a strategy that quickly identifies any issues and specifies how the organization should react.
Humans
The risks that come with humans aren’t new — but they’re constantly changing.
“One of the biggest things missing from cyber resiliency at many organizations is that, no matter how much you invest, the failure point is usually humans,” Castañeda said. “You have to make sure you have the proper preparation for every employee, because humans are the weak links that get exploited most of the time.”
“Training and awareness are aspects of it but, because of the sophistication of these attacks, training alone is not sufficient,” Rai said. “Attackers are leveraging cloud platforms to send emails that seem like they’re coming from legitimate sources. It's getting more challenging to identify what's a legitimate email and what’s not.” Connected devices can also present a threat, including false Wi-Fi networks. “People can sit at an airport and broadcast free Wi-Fi that looks almost like an airport network. They can use that to capture data packets from anyone who connects to the network, building attack vectors and compromising endpoints.” Business, healthcare, legal and other professionals who are managing private data can accidentally connect on Wi-Fi traps, or risky networks, and leave their systems exposed.
Resilience requires training that is combined with change management to drive true process adoption, along with monitoring that identifies when those processes break down. “It's not just creating policies, procedures and training, it's the monitoring,” Castañeda said. “It's creating phishing campaigns like the ones we create for clients, where you can see if employees will click on links that could expose the organization to risk.”
To build cyber resilience across the evolving range of risks and responses, you need a strategy that takes a broad view of your organization from its top down to its data.
Ready to recover
Cyber resilience demands a strategy that goes beyond cybersecurity. It must include a plan for dealing with the issues that occur today and potential threats in the future. It also needs to be comprehensive enough to address business challenges beyond technology.
“Look at your risk concentration,” Jimenez said. “Implement a robust disaster recovery plan that includes backup systems and data redundancy across multiple regions, for providers and businesses. Also, conduct regular vendor risk assessments to ensure that cloud providers and others have resilience and recovery capabilities to meet your risk tolerance.”
“You need to find the right balance, and find ways to stay ahead of business disruption challenges,” Rai said. “Take a data-first approach. Protect your data to protect your brand and reputation, because once that's impacted, a lot of smaller businesses find it very challenging to bounce back. If they do, they often spend a lot more than if they had proactively prepared. It is a continuous battle, and we always need to find ways to anticipate and prepare for what’s out there.”
Contacts:
Andres Castañeda
Principal, Florida Risk Services Leader, Hispanic/Latinx Group Executive Sponsor,
Risk Advisory Services
Grant Thornton Advisors LLC
Andres has over twenty-two years of experience providing advisory services in the United States, Europe, and Latin America.
Fort Lauderdale, Florida
Industries
- Manufacturing, Transportation & Distribution
- Asset management
- Healthcare
- Banking
- Technology, media & telecommunications
Service Experience
- Advisory
Content disclaimer
This Grant Thornton Advisors LLC content provides information and comments on current issues and developments. It is not a comprehensive analysis of the subject matter covered. It is not, and should not be construed as, accounting, legal, tax, or professional advice provided by Grant Thornton Advisors LLC. All relevant facts and circumstances, including the pertinent authoritative literature, need to be considered to arrive at conclusions that comply with matters addressed in this content.
Grant Thornton Advisors LLC and its subsidiary entities are not licensed CPA firms.
For additional information on topics covered in this content, contact a Grant Thornton Advisors LLC professional.
Our featured insights
No Results Found. Please search again using different keywords and/or filters.