In this series, Deloitte Cyber leaders explore the hot topics and most pressing cyber challenges facing organisations and governments today – from an industry perspective. Come back often for the latest recommendations on what your organisation can do to empower your people for the future through understanding, connection and trust.
Businesses have been forced to respond to an unprecedented global challenge and we know complexity is here to stay. Hybrid work environments are becoming a fixture, the cloud is growing in importance to almost every type of enterprise and as devices and applications evolve they are evermore connected.
There is no choice but to gain greater visibility across ecosystems lacking clearly defined perimeters. The stakes—be they operational disruption, reputational loss, or deflated equity valuations—are too high.
Just as complexity is the problem, the solutions are also far from simple.
In this survey report, learn the perspectives from cyber’s greatest champions—CEOs, CFOs, CMOs, CIOs and CISOs—and how those vary across geographies and industries.
The future of cyber : Download the PDF
The language for translating government cyber risks into outcomes
It’s a cybersecurity nightmare: More than 18,000 organisations around the world installed a software update in 2020 from their provider, SolarWinds—not knowing it was contaminated with malicious code. The massive cyber vulnerability—which impacted public sector organisations as well as private businesses—proved to be a stark wake-up call for all involved and shone an unflattering spotlight on the gaps in cybersecurity across government agencies.
In response, many governments took action to explore how to better assess cyber risk, both internally and externally. The US Congress, for instance, recently required all US government organisations and agencies to adopt a single formula to quantify cyber risk by 2024. The move, which mirrors actions taken by the European Union, is intended to encourage greater transparency around how risk is calculated.
Adopting this common formula will be no easy feat. It requires a unifying approach to aggregating data and making information more consumable and sharable across branches and agencies.
The language for translating government cyber risks into outcomes
Two steps ahead: How life sciences and healthcare can improve their cyber posture
It’s no secret that Ransomware attacks on hospitals and health care providers are on the rise. Institutions should take immediate action to protect themselves.
While enhancing your cyber risk analytics and reporting is a critical milestone for life sciences and health care organisations, it is only the first step. Once the foundation is in place to actively manage cyber risks through data insights— and drive actions to help you reach your key performance indicators (KPIs)—it then becomes possible to use that data to advance your organisation even further.
Starkly stated, cybercriminals see life sciences and health care organisations not only as a source of significant revenue, but also as treasure troves of sensitive data. To counter these threats, the time has come for the industry to up its cybersecurity game.
Two steps ahead: How life sciences and healthcare can improve their cyber posture
When will the threat of a cyberattack be enough to spark real organisational resilience?
Ransomware attacks are on the rise, with increasing persistence and sophistication by threat actors who are adept in evasion techniques. These attacks on industrial, utilities and life sciences and healthcare companies continue to grow in frequency and impact, leading industry experts to warn that failing to address key cybersecurity concerns may have even more devastating consequences in future attacks, to both economies and to critical infrastructure.
Every organisation is vulnerable to ransomware attacks and next-generation disruptive technologies from ransomware attackers are making it increasingly difficult to reduce the attack surface. Organisations that don’t put effort into mitigating that part of the hacker’s modus operandi are opening themselves up to costly and sometimes catastrophic consequences. Strong cyber hygiene practices should be prioritised by organisations, regardless of industry, to reduce the threat of ransomware attacks, which includes workforce training on sound cyber practices.
When will the threat of a cyberattack be enough to spark real organisational resilience?
A framework for quantifying cyber risk: Pipedream or possible?
For financial services organisations, cybersecurity is about much more than meeting regulatory mandates. Ultimately, it’s about trust. Boards, executives and the organisation at large recognise their fiduciary responsibilities to customers—and take those duties seriously.
Yet, when it comes to identifying cyber risks and efficiently allocating resources towards mitigating them, the industry continues to struggle. Certainly, many financial services organisations have taken steps to identify the risk scenarios most likely to affect them and have modelled the financial impacts should those scenarios come to pass.
But are the numbers accurate? Can they be relied upon when making significant cybersecurity investment decisions? And what about the scenarios they can’t predict? Let’s face it: threat actors are ingeniously creative. How can businesses calculate and plan for, this type of variability?
A framework for quantifying cyber risk: Pipedream or possible?
Vaccine certificates, cybersecurity and trust: A primer for credential verifiers
After a solid year of on-again/off-again global lockdowns, most of the world is itching to get back to “business as usual”. This likely explains why putative credential verifiers—organisations ranging from airlines and entertainment venues to academic institutions—are eagerly awaiting the rollout of vaccine credentials.
The idea behind these vaccine credential certificates is fairly straightforward—in essence, they’re supposed to provide people with proof that they’ve been vaccinated. Dig beneath the surface, however and a swarm of complexities unfolds. In this second installment of our vaccine article series, we dive deeper into the ethical and trust-related concerns that credential verifiers will need to consider in reviewing both local and out-of-country vaccine credentials.
Vaccine certificates, cybersecurity and trust: A primer for credential verifiers
The SolarWinds wake-up call: Why it’s time to tackle concentration risks
In late 2020, SolarWinds, a software company with over 300,000 customers issued a notification that potentially 18,000 customers downloaded a flagship product that may have been infected with a malicious code that gives threat actors backdoor access into their systems. This led to a slew of high-level government agencies and major corporations across North America, Europe, Asia and the Middle East to check if their networks may have been exposed by suspected nation-state threat actors.
During Covid times, the high volume of ransomware attacks, highly public data thefts, or the concerns of remote system breaches have become more prominent. Cybercriminals and advanced persistent threat (APT) groups consistently target even the most secure environments. Despite the higher threshold to hack these environments, the payoff is considerable: rather than gaining access to one or several backend systems, this approach can give them entry to an entire industry or geography. This has led CISOs and their teams to prioritise their resources.
As many organisations identify these potential Cyber risks, there is a need for the right approach to minimise overall impact and design an industrious crisis response system for a more secured future.
Cyber - Solar Winds Perspective
The financial services sector is experiencing rapid change as Open Banking becomes more prevalent. The world’s banks are finding themselves ceding market share to a growing number of non-traditional banking institutions, captive finance companies and fintech firms. Consumers have increased access to financial services and are becoming more vocal in their demands that businesses and governments adhere to the highest standards of integrity. In an attempt by banks to maintain their market share, there is a definitive focus on creating an unparalleled customer experience through understanding the customer journey and providing customised solutions. This also makes it vital for banks to build trust with their customers by protecting customer data and identity.
Cyber security provides a systemic promise to create an environment that makes it safe for people to bank. Identity management plays a large role in enabling banks to effectively verify and authenticate consumers, safeguard consumer data when gathering marketing intelligence and even create new revenue streams.
Want to retain customer loyalty in an Open Banking world?
The pointlessness of pointing fingers: Can business, IT and OT stakeholders play nice?
Things are changing radically in the energy, resources and industrial (ER&I) space. Industry 4.0 and the emergence of autonomous systems powered by data, analytics and AI have led to an unprecedented wave of transformation. A growing number of mergers, acquisitions and divestitures, a rising number of cyber incidents and a greater board focus on cyber maturity are all impacting this industry.
There is an imperative to find innovative solutions to address rampant challenges—ranging from improved environmental performance to more collaborative community relationships— that are altering operational realities. And the spread of COVID-19 has only accelerated this trend, forcing organisations to transition to remote work at breakneck speeds.
There is also a conflict between the digital teams championing these new initiatives and the operational technology (OT) teams expected to operationalise them. Although cultural clashes between IT (Information Technology) and OT have been ubiquitous, the fallouts threaten to affect more just productivity challenges. They also open enterprises up to higher levels of cyber risk. It is imperative that along with IT/OT integration, organisations develop a security governance framework that permeates the enterprise—from the boardroom to the shop floor.
The pointlessness of pointing fingers: Can business, IT and OT stakeholders play nice?
Even though we have come a long way from physically standing in a queue in government offices for transactional services, there is considerable work to be done before governments can deliver fully digital citizen services experiences. The pandemic has arguably led to condense the digital innovation journey from ten years to six months and this move towards e-government transition has been haphazard at best. Despite the technology available to shift to digital channels, most governments lack the resources, capacity and knowledge to validate and protect their citizen’s digital identities.
As countless agencies launched isolated initiatives, citizens were presented with a mishmash of access points that required them to set up unique user accounts and tolerate multiple layers of credential checks. A lack of robust security postures has made it difficult for the governments to protect their citizen’s identities and personal information and provide a seamless digital transformation experience. Chief Information Security Officers (CISOs) across government sectors implicitly understand that passwords alone are insufficient protection against cybercriminals.
Rather than simply developing solutions that give users easier access to online services that are sensitive and have inadequately protected private data in the process, industries need to adapt strategies to simplify authentication and enable the digital exchange of verifiable identity-linked information of any kind. This requires governments to more carefully think through how they can reduce the need to store citizen data by empowering citizens to directly own and control that data.
Solving the public sector identity crisis
Are vaccine credentials the next vector for cyber risks?
Following the formulation by the pharmaceutical industry of several viable vaccines to combat COVID-19, the prospect for a return to some semblance of normality is on the horizon. By stemming the spread of the virus, the hope is that vaccines will enable people to return to work, head back to restaurants and retail stores, attend public events and recommence travel. Implicit in these assumptions is the idea that people will be issued some kind of vaccine certificate they can use to establish proof of vaccination. It seems simple in theory. In practice, however, vaccine credentials are fraught with a wide range of complexities, many of which link back to cybersecurity concerns.
The two main challenges? The imperative to create digital versions of these certificates in addition to a secure paper-based solution and the requirement to make the credential both interoperable and capable of being shared with third parties globally. In essence, this means a digital proof-of-vaccination issued to a traveler in the UK must have the ability to be accepted and trusted by government authorities and private businesses in Singapore or Australia if it is to drive the benefits required to reopen the global economy.
To bridge the gap between the need for a vaccine certificate and the protection of an individual’s digital identity (not to mention their privacy), governments, consortia, healthcare organisations and the private sector are rapidly coming together to vault several hurdles in the current race against the clock. Here we set out just some of the issues that will need to be addressed in relatively short order—with the caveat that this is only the start of the conversation.
Are vaccine credentials the next vector for cyber risks?