Businesses know cybersecurity is bad, but still aren’t sure how to fix it

Cyber risk from new technologies is better understood, but response is still maturing


The overall risk posed by cybersecurity threats has increased over the past 12 months and adoption of cloud technologies is by far the biggest reason, according to new research that found just 31 percent of organisations can mitigate a new risk within a month.

Cybersecurity risk was by far the most frequently named risk category facing organisations today, with 29 percent of the 4500 risk-management experts contributing to the ISACA-Infosecurity-CMMI Institute State of Enterprise Risk Management 2020 report nominating it as one of the three most important risk categories; reputation and financial risk were the other most frequently named.

That trend is only set to continue in the next 24 months, with fully a third of respondents expecting that cybersecurity will present the most critical risk to the business in that time.

The widely-feared BlueKeep vulnerability – which was deemed so important by Microsoft that it released an out-of-band patch for Windows XP – may have brought forward that timetable for many companies, with a recent BinaryEdge audit suggesting there are 4500 publicly accessible systems in Australia that are vulnerable to the flaw.

With reports suggesting that cybercriminals had recently achieved the first in-the-wild exploitation of BlueKeep and that attacks were still coming thick and fast, Tenable senior research engineer Satnam Narang said the reports should set alarm bells off for organisations that have yet to patch vulnerable systems.

“The risks here cannot be overstated – organisations must patch their systems immediately.”

Yet while cybersecurity threats emerged on a regular basis, respondents said that cybersecurity risk was as difficult to define and assess as strategic and reputational risk, and harder even than technology risk. In addition, cybersecurity risk was deemed to be as hard to mitigate as reputational and political risk – with 49 percent of respondents saying that mitigating cybersecurity risks was difficult or very difficult.

The results add clarity around the ongoing immaturity of cybersecurity risk-management processes – which, the ISACA report notes, have continued to struggle to match executive engagement and organisational capabilities to “unprecedented turbulence in the risk landscape”.

Technology changes and advances were deemed to be the most complex cybersecurity challenge faced by organisations today, with 64 percent of respondents naming them as an issue – just ahead of the 60 percent that cited the changes in the types of threats, and 52 percent that named skills-related issues.


Yet even where cybersecurity risks are well appreciated, execution remains a sticking point. Although familiarity with risk increased with the seniority of the respondent, just over a third of respondents said their risk identification processes are at the ‘managed’ or ‘optimised’ level and just 57 percent said their executives are very or extremely responsive to new mitigation tactics.

“Big risks can be ignored when the right people aren’t in the room for the conversation,” said ISACA board director Tracey Dedrick in a statement. “Start at the highest level within the organisation and get the people in the room that own the risk from the top down. This will ensure the right themes are addressed and important organisational alignment takes place.”

Technology linked to risk

Many organisations were quick to link new technologies with cybersecurity risk, with fully 70 percent of respondents saying that cloud technologies increase risk. This was more than twice the 34 percent that nominated Internet of Things (IoT) and 25 percent that attributed risk to machine learning and AI techniques.

Yet just 56 percent of companies said they used third-party assessments to protect against a critical cybersecurity failure, with governance, disaster recovery and encryption each named by around two-thirds of respondents. This highlights the variety of responses that organisations adopt in order to better mitigate risk – and the common understanding that user training, named by 80 percent of respondents, remains a critical part of the response.

“The trajectory of cloud – both its adoption dynamics and the risk it introduces – can serve as a bellwether for future technologies,” ISACA board chair Brennan P. Baybeck noted.

“While cloud was initially seen as creating new risks and challenges to be solved, it also delivers incredible value. Strong governance and risk management helps ensure that the value exceeds the risk—and the same is true for newly emerging technologies.”

