Technology Can Be Both a “Cure” and a “Curse”
Information and communication technology (ICT) is everywhere in our personal and professional lives today, and enables most of our daily activities, from business to government, plus education and our social lives. The COVID-19 pandemic has increased our dependence on this technology exponentially, given the rise in working from home for many professionals and schooling for tomorrow’s leaders moving online.
This increased dependence on technology comes with a corresponding increase in cyber risk. Greater awareness and understanding of this cyber-related risk, and its potential impact(s) is fundamental to prioritization, preparation, and mitigation of the effects of resultant vulnerabilities. Awareness of related impacts and “related, but unintended consequences” is an important aspect of these considerations as we navigate today’s internet-connected world.
The Internet of Things (IoT) is the network of physical objects embedded with sensors, software, and other technologies to connect and exchange data with other devices and systems over the internet. The most common examples of IoT devices include cell phones, smart TVs and watches, as well as commercial security systems, and industrial traffic- and weather-monitoring systems.
IoT and internet-connected devices have provided us enhanced connectivity, functionality, and the improved ability to gather information and perform automation. The number of IoT devices is constantly increasing, with an estimate that there will be 41 billion internet-connected devices by 2027. Given the convergence of our dependence on ICT and emerging reliance on IoT, a heightened awareness of cyber risk is critical to ensuring that risks arising from the use of these technologies do not outweigh the benefits they bring to achieving the goals of our most important organizations, including work, school, and government.
As the world increasingly becomes interconnected through ongoing advances in ICT and IoT, there is an equivalent need to increasingly take additional measures to protect our operating environment and maintain a perspective on security that ensures we maximize the benefits of networked technology while minimizing the adverse impact that can arise from its use.
The following list represents just a few examples of how our enhanced ICT, IoT devices, and other information technology-enabled capabilities are just as vulnerable as they are beneficial.
Since our society will almost certainly adopt the latest technologies to make our lives easier and businesses more successful, we increasingly take on more risk any time an IoT or information technology asset is utilized. Understanding this risk is crucial to effective mitigation to an acceptable level to maintain the security of the organizations we rely upon.
Cyber risk is defined as any risk associated with financial loss, disruption, or damage to an organization's reputation from operational failure or data loss, and unauthorized or erroneous use of its information systems. It is very common for organizations to overestimate their cybersecurity posture and accept risks for the sake of mission or business objectives. Knowing your cyber risks and your organization’s risk tolerance is critical, along with understanding how to prepare and allocate your resources to ensure that your exposure to cyber risk is mitigated appropriately based on objective evidence.
Effective risk mitigation does not always require a technical (asset) solution—the common response of adopting the latest firewall, or Security Information and Event Management tool may not be sufficient to mitigate the ever-increasing threat of cyber actors evolving and adapting in step with the latest technologies. Addressing cyber risk is just as much a business concern as it is a technology issue and warrants an organization-wide response that is not limited to the concerns of the technology team.
Applying proper cyber risk strategies and governance will help your organization evolve, and once proper cyber risk management concepts are employed, your organization will limit the likelihood of a cyber event from occurring and increase the probability of a successful response should an incident occur.
Cyber resilience integrates cybersecurity with business and mission priorities to enable organizations to make informed and prioritized cyber risk decisions to support strategic and operational business objectives. Traditional risk management conducted in most organizations is not conducted holistically and is often compartmentalized. Cybersecurity activities need to be applied universally across the entire organization’s enterprise, from a cyber architecture as well as a cyber hygiene perspective, and enable cybersecurity risk and resource decisions to occur at all organizational levels, informed and prioritized by business goals.
Each organization can be broken down into three tiers to understand its current state of cyber resilience. Cyber risk can occur and impact organizations uniquely at each of these tiers. At the top (Tier 1), the organization or enterprise view encompasses executives and decisions that affect the people, processes, and technology that compose the whole organization. Second, the business line or mission (Tier 2) view of how people, processes, and technology are charged with carrying out the organizational level decisions. Finally, Tier 3 represents the project and systems view, focused on individual information technology assets and their associated processes and the people that utilize them to fulfill those processes.
Cyber resilience is a holistic approach addressing cyber risk proactively at all three tiers of the organization. This proactive approach is carried out primarily through the following:
Carried out during the assessment phase, this provides clarity to business and mission owners, what technology and data needs are required for mission fulfillment.
The cyber risk governance phase takes effective action to develop the strategies, policies, and guidelines needed to mitigate your identified cyber risks.
These actions are essential to understand the drivers in the cyber risks your organization faces, along with the indicators of change or continuity of your risk posture.
After the required data is obtained and analyzed, it is of great benefit to stakeholders to create tailored outputs for proactive risk mitigation and preparedness to initiate action and therefore, change within the organization.
Rapid advances and the introduction of new technology has created new challenges for many organizations. As vendors rush to market to beat their competitors, addressing cybersecurity concerns of new technology often lags the delivery of the capabilities. Consumers are most concerned with obtaining a new capability and may assume that security is automatically built-in. In addition to the need to balance security with incorporating emerging technology into existing security and governance structures and processes, new cyber risks, threat vectors, and critical dependencies have a greater impact on organizations than ever before. The adoption of new internet-connected technology must be effectively managed with a mission-driven approach to fully understand the business impacts of technology exposure to ensure cyber resilience for the organization.
Before you, or your organization, consider plugging in a new IoT asset, it is vital to understand the greater mission context, which is accomplished through holistic cyber resilience. Remember, if you connect it, protect it. And most importantly, understand the risks.