Cybersecurity Awareness in the C-Suite is Key to Safeguarding Organizations

A Talk with Aftab Saloda, Business Head of Cybersecurity Services, Silverse

Cyber-attacks grow more expensive each year, with the average cost of a data breach in the US alone touching $9.48 million. C-suite executives and board members stand at a fork in the road. Whether or not they adapt to the rapidly evolving cybersecurity landscape will determine the success of their businesses. This itself will depend on their level of cybersecurity awareness.

To better understand what C-suite members can do to safeguard their companies against cyber-attacks, Aftab Saloda, senior vice president and business head of cybersecurity services at Silverse, shares his insights.

What are some cybersecurity misconceptions that businesses may have?

Cybersecurity misconceptions vary among businesses depending on their levels of cybersecurity maturity. It also depends on the industry. Here are some common cybersecurity myths that organizations tend to have.

Cybersecurity spend is a direct cost, and returns cannot be directly converted into revenue.This is the single largest cybersecurity myth that acts as a roadblock against building a cybersecurity program. However, this should be dealt with in both tactical and strategic ways depending on business priorities and data available on cybersecurity risks.
I’ve not been breached so far, so I’m doing fine on cybersecurity.Not being breached does not mean that your business does not face any risks. There can be a potential or persistent threat that you are not aware of, or a breach might have already occurred. Hence, proactively understanding your business threats is crucial. Cybersecurity advisory services can help to ensure this.

What kind of cyber threats are the most difficult or complicated to detect? How can businesses address such threats?

An important part of cybersecurity awareness is understanding which threats are harder to detect. While it is always advisable to engage a cybersecurity consultant to help detect and deal with such threats, there are 3 types of cyber security threats that businesses may not be aware of, but should be. Of course, there are other threats, but these ones should be at the forefront of industry leaders’ minds.

Advanced Persistent Threats (APTs) – Long-term targeted attacks on specific businesses. These can go undetected for extended periods. Here, the hacker gets unauthorized access through open vulnerabilities in the environment. Such an attack requires a high degree of sophistication and customization, and they are generally done by well-funded cybercriminal teams that target high-value companies. The goals of such attacks tend to be cyber espionage, hacktivism, eCrime, and destruction.
Insider Threats – Employees are considered the weakest link in the value chain. Data breaches or malicious actions by employees, ex-employees or disgruntled employees are hard to detect, as they may have legitimate access to systems and information, and it can be merged into regular operations.
Zero-Day Exploits – These are cyber-attack techniques or vectors that take advantage of unknown or unaddressed security vulnerabilities in computer firmware, software or hardware. “Zero day” refers to the fact that the device vendor or software are left with no time (or “zero days”) to fix the problem. Vulnerabilities are exploited, as no fixes or patches are available. An example of a zero-day exploit would be the 2022 Google Chrome attacks by North Korean hackers.

Businesses can address such threats in the following ways:

Firstly – and most importantly – management needs to acknowledge that there is a threat to the business. Cyber awareness can only work when it is backed by recognition.
Put a system in place to detect both internal and external cyber threats to the business.
Deploy advanced security measures to detect these threats, leveraging machine learning (ML), artificial intelligence (AI), and behavioral analysis to identify anomalies in network traffic, system behavior, or user activities.
Build a strong process to regularly patch the environment and develop a culture where every system and application owner embeds the patching in their day-to-day operations.
Implement continuous monitoring, ideally in the form of managed security, and a clear incident response and recovery plan.
Build a community of practise to share information internally and across business to leverage the power of “share and care”.

How have recent wars affected governments’ views on cybersecurity?

They have put the importance of cybersecurity awareness in the spotlight.

They have served as a wake-up call for governments around the globe, emphasizing the need for implementing strong cybersecurity measures across businesses and, most importantly, the government sector. Not only this, but they have also shown how cyber threats can pose risks to human life and communities.
Globally, governments are gearing up to implement strong cybersecurity acts and laws to address their cyber risks. The number of regulations has increased significantly in the past 2-3 years.
Furthermore, there is more focus on the nationalization of cybersecurity, which means laws and acts will be specific to countries. This will affect how the countries’ data is treated, including personal data, government data and business data.
Investment in cybersecurity has increased in order to build more cyber resilience and be better prepared to address attackers.
There is increased cooperation and information sharing amongst international communities, as well as increased public-private sector partnerships.

There has been increasing concern about cyber warfare between nation states. What are some examples of cyber threats to national security?

One of the concerns about cyber warfare is that it is global in nature, and not limited to the nations going through war. Anyone operating from any part of the world can participate in warfare, and there are no boundaries.

The conflict has underscored the concept of hybrid warfare, which combines conventional warfare with cyber-attacks, disinformation, and other non-traditional tactics. Governments are adapting their defense strategies to counter such multifaceted threats.

What do you predict the cybersecurity landscape will look like in 10 years?

The future of cybersecurity is both exhilarating and full of potential, and both C-suite and board members should keep an eye on the evolving landscape.

Business/industry: Implementing cybersecurity for small and medium businesses (SMBs) will be key. Large businesses will continue to mature. Operational technology (OT) security will be required in specific industry segment, such as healthcare, manufacturing, and resources.
Technology: Security in AI and AI in security will play a significant role. It’s important to implement right controls to limit the misuse of technology. There will be more and more tech adoption, and organizations will require easy-to-use cybersecurity tools and processes that are strong and scalable.
Government: Governments will need to develop programs that provide guidelines to benefit people and communities, as well as provide cyber information that is easy to consume and scalable in various areas.
People: Individuals will have to be made aware of their own cyber responsibilities. They will need to actively participate in cyber initiatives with business and government projects. Hackers will need to be investigated, but it would also be wise to leverage their expertise to safeguard nations and catch other hackers.