Chances are, you will hear of Log4j soon
At the time of writing, a new software vulnerability found in Log4j is spreading panic among cybersecurity experts. The bug has been given a full risk score of 10 out of 10 – for context: only 1.7% of software bugs reach this mark. Amit Yoran, CEO of the cybersecurity firm Tenable, called it “the single biggest, most critical vulnerability of the last decade” – and possibly the biggest in the history of modern computing.
Log4j is widely used across many software products, which means that a vulnerability in this software may impact a substantial number of users. In the first days since it was discovered, it has already proven its ability to affect products such as Apple and Samsung Cloud, Tesla cars, as well as less known products and services utilised across all industries. Furthermore, unlike most cyber threats that download files to, for example, take control of the victim’s computer, this vulnerability acts directly via web traffic, making it significantly harder to detect by traditional means.
As a cybersecurity SaaS developer and founder, I have often witnessed similar scenarios: cybersecurity tends to appear in board meetings after a major risk pops up on the radar and organisations are trying to contain the damage. Otherwise, it is rarely discussed at a high level. However, this reactive or firefighting mindset is outdated and just cannot cope with the risks that inevitably accompany the many opportunities of digital transformation. To be fair, we are seeing some improvement in Hong Kong as well as the APAC region, as more and more businesses start to take cybersecurity into consideration as part of their wider efforts to improve governance and meet ESG standards.
My main advice for 2022 is to make cybersecurity part of your daily operations. A reactive or firefighting approach to cyber risk would be an unforgivable mistake.
So, what can we do to effectively change our attitude towards cyber in 2022?
1. Aim at speaking the same language internally
Years of experience in digital and cybersecurity education have taught me that in large teams, people have diverse points of view, experiences, needs and training. Because cybersecurity is by nature such a complex and evolving topic, it can be overwhelming to manage across departments, or among employees, consultants and vendors.
Having a common language and being able to communicate efficiently means building a good foundation for execution. Universally accepted frameworks like ISO 27001, ISACA COBIT, UK Cyber Essentials and US NIST NICE can help in that sense. By following these standard or industry frameworks, business leaders can align the organization and make business decisions more effectively. Companies might not need to get a formal certification but can still benefit from referring to these systematic and structured knowledge systems.
2. Encourage participation
No matter how strong your defence is, hackers will always try to attack the weakest point in the system. Sadly, employees are often the weakest point when it comes to cybersecurity. Cybersecurity measures that impact operations can meet internal resistance at the same time as employees themselves are constantly targeted by email or web-based attacks. Security managers alone cannot win this battle. Business owners and decision makers must therefore make cybersecurity part of the culture of the organization. While teaching cybersecurity at the Hong Kong Institute of Bankers, one of the exercises involved asking teams to make decisions on how to assign a given cybersecurity budget, and I would often end up being positively surprised by the creativity and problem-solving skills of the teams. When given a chance to participate and contribute, people can become an asset, instead of being a liability for a company’s internal cybersecurity goals.
3. Make cybersecurity a brand asset
Cybersecurity and data protection are important to tech giants like Google. For such corporations, making sure they are perceived as a trusted guardian of users' data is part of the core business. But cybersecurity awareness and users’ data protection can be a brand asset for any business.
In recent years, ESG values like diversity, inclusion, or responsibility towards the environment have (thankfully!) become a must-have for businesses to earn and retain the trust of the public. Today, cybersecurity is set to become the next trait businesses will want to associate with their brand. Users everywhere are becoming more concerned about data protection, and they will certainly differentiate between companies that take this important concern of theirs to heart and those that do not.
We are already starting to see very good examples of this new trend in Hong Kong. At the Hong Kong Jockey Club (HKJC) this year, the team’s security awareness training was not yet another mandatory task routinely assigned to employees, but became an important event for the whole company, where employees gathered and had a chance to celebrate and share their learning and achievements during the course, with photos and rewards being shared on the company’s media.
In 2022, cybersecurity should become not only part of your daily operations but should take a central role in your PR and marketing activities as well!
4. Act, don’t react
Cybercrime affects victims in several ways, ranging from business interruption and confidentiality breaches to theft of intellectual property, loss of financial assets and reputation damage.
However, cyber risk is virtual and most of the time difficult to articulate. Hence, it is easy to overlook it until absolutely necessary. It is no mystery that the cost of cyber-attacks keeps increasing. McAfee estimates that roughly one percent of global GDP was lost to cybercrime in 2021. According to RiskIQ, cybercrime results in a $2.9 million loss every minute. As tech and digital transformation become an essential aspect of business operations, business leaders must include cyber risk among the key aspects to consider when making decisions. Taking steps to turn cybersecurity into business as usual might very well end up being your competitive advantage in 2022.