As we approach what promises to be another year where the only certainty is uncertainty, cybersecurity remains front and centre of the news agenda.
With increasing complexity in the supply chain and new regulation emerging at pace, it’s never been more important for organisations to get their approach right. This starts with awareness – 74% of global data breaches are caused by a human element.
Here are three things your business needs to know for 2024:
It’s time to embrace a new culture
In late 2023, cybersecurity is no longer just about technology; it’s about people. And I’m not just talking about the IT department; I’m talking about everyone. And just as it’s not a job for one team, it’s also not a job for one day in the month or the year – best-in-class cybersecurity is a process of continual improvement driven by behaviours and daily habits which create an environment where good cyber hygiene is standard practice and cyber confidence underpins operations.
Today’s reality is that, partly driven by the explosion of artificial intelligence, social engineering – or tricking people – is on the rise, so we need to be better prepared. As technology barriers increase, they exert even greater pressure on the people (cyber criminals) behind them, so it’s critical that organisations build more robust layers of defence, both technological and human, so that if one layer is overcome, there’s another one behind it. Clearly, best practice such as the timely patching of devices to reduce exposure to changing vulnerabilities is central to this, but ultimately companies need to embrace a culture which encourages and nurtures greater cyber awareness.
The move from specific responsibility to collective responsibility is an important cultural shift and organisations still playing ‘the blame game’ need to rethink because the key to better cybersecurity lies in fostering a culture of empathy and support where colleagues feel empowered to report suspicious activity without judgement.
Small actions can have a big impact
There is no doubt that 2024 promises to be another tough year, but with a clear cyber culture in place, organisations can proceed with confidence provided this culture is built on best practice.
At ISS we have a mantra of ‘Pause, Think, Protect’ designed to develop secure habits so that people don’t see cybersecurity as a chore. The reality is that small actions can have a big impact – for example, ensuring there is a strong, unique password for each account, or moving away from passwords altogether (as with Windows Hello for Business) – and this is something we need to instil in our teams as we look ahead to next year because, with the global supply chain ever more complex and interconnected, cybersecurity is not going to get any easier anytime soon. Cyber criminals are targeting an already stressed supply chain, and cyber vulnerability and ransomware are likely to increase further in 2024.
With this in mind, organisations should consider greater investment beyond the IT department – as referenced earlier, this is about improving digital skills right across the business. Central to this is the role of training and key events such as Cyber Security Awareness Month which was launched 20 years ago to provide valuable resources to support security for businesses of all sizes and sectors.
Evolving regulation needs an evolving approach
Evolving regulation has been a key trend for several years but the introduction of NIS2 represents a major step change. This directive – which comes into effect in 2024 – is the first piece of EU-wide legislation on cybersecurity and is designed to improve cybersecurity risk management by introducing reporting obligations across sectors such as energy, transport, health and digital.
In general terms, organisations should seek to get ahead of regulations – ultimately, ensuring that their supply chain is fully up to speed allows more time to plan and implement new processes.
As I assess the landscape ahead, we have a huge individual and collective opportunity to take cybersecurity to the next level in 2024. Not just as a form of defence but as a form of attack because secure technologies not only increase efficiencies, but also provide insight and allow us to predict situations based on real-time data. But, as we said at the start, let’s remember that today cybersecurity is as much about people as it is technology – if we embrace this approach, we are well placed to navigate the potentially choppy waters ahead.