Security threats have been around forever. Accenture, for one, has been producing threat intelligence for more than 20 years.
But lately my CISO clients say the nature of threats is changing, as is the scale and breadth of its potential impact. COVID-19 has exposed new vulnerabilities. With many employees quickly shifting to virtual, malware and ransomware are finding new ways into people’s devices through fake COVID-19 clickbait, among other routes. The effects are adding up, with Accenture’s 2020 Cyber Threatscape Report identifying up to a 60 percent increase in the average ransom payment from the first to the second quarter of 2020.
Meanwhile, supply chains are a new target for malicious actors. For my consumer goods clients, this means thinking beyond just-in-time delivery pressures and focusing on the vulnerabilities within their global value chains.
Against this backdrop, CISOs are asking two things. How do I ensure security runs through my organisation and how do I know if my security is effective?
<<< Start >>>
<<< End >>>
Here are four possible things I am counselling my CISO clients to do, now.
#1: Focus on the fundamentals and prioritise insight
Threat intelligence is your friend, and the first line of defence. To bolster this important part of cyber defence, invest in outside intelligence that helps you get to know the threat actors, their methods and their mindsets. This is the foundation of a coherent strategy. To safeguard your data, trade secrets and systems, know your enemy.
Once you’ve secured outside intelligence, act fast. Fix what you know needs fixing now. Also, accept that whatever you don’t know now, you can fix later. I advise my clients to forget about trying to know everything before acting because the picture is changing too fast. By the time threats are mapped, they’ve changed. So ask yourself:
- Are you buying the best threat intelligence you can, as well as using insights from governmental agencies and other third parties?
- Is that intelligence customised for your business so it’s truly effective?
- Do you have the right sort of tools and prevention mechanisms indicated by that intelligence, i.e., based on those actionable threats, rather than assumptions about what they might be?
#2: Look at your supply chain
For all my clients, but particularly for those in consumer goods, supply chain is a pressing concern. And it should be—we know that close to 40 percent of security breaches at UK organisations target weak links in the supply chain.
Particularly this year, supply chains have been stress-tested to the max by snowballing demand and customers’ expectations on speed. Consumers want a wide range of products, a great customer experience and same-day delivery when possible.
Legacy systems are strained by this scale and pace. In this landscape, it’s understandable that security has slipped in the priority list. Even now, CEOs in consumer goods are most worried about material reaching the factory in time; supermarket shelves being full; payments being processed effectively; and the balance sheet adding up.
So how are companies getting those deliveries out on time? Too often, they’re scrambling to piece together their supply chains, often with IoT devices (unpatched and untested), and new system connections with multiple partners for various functions, including last-mile delivery, for example. Cyberthreat actors are exploiting these holes in new ways, even employing “island-hopping” techniques—compromising small firms to gain access to their larger partners.
For CISOs, it comes back to using intelligence and thinking systemically about security across the whole supply chain. It’s also about working with suppliers to increase visibility and developing a range of flexible tools and best practices to tackle risk head on, in pursuit of a supply chain that’s truly fit for purpose.
#3: Think explicitly about how people work from home
We all know 2020 has been the year of working from home, with thousands of agents sitting at desks and couches taking calls routed by cloud technology. CISOs are acutely aware of the new vulnerabilities this brings. Most pressingly, DDoS attacks have strong potential to cause operational downtime issues. CISOs can respond by thinking, "anytime, anywhere." Consistently secure all users, devices and network traffic with the same degree of effectiveness, which often means investing in secure VPNs and/or multi-factor authentication.
#4: Think secure cloud
Everyone’s talking about “moving to the cloud.” For some, it feels like a step into the unknown. But cloud is no less secure than any other technology, and in fact generally is far more secure. In addition to robust built-in security, when you move to the cloud you can embed security as part of the design (instead of an afterthought). It’s a chance for a clean slate.
Security should not be considered a burden or a box-ticking exercise
It’s an essential, business-enabling design principle and a theme that can and should run through everything your organisation does. Would you lock your front door but leave your windows open? That’s the equivalent of a half-baked security strategy.
It’s time for CISOs to be empowered and equipped with the appropriate insights, the appropriate leadership support and the appropriate resources and investments needed to lock the front door and the windows.
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defence, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.
Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.
Copyright © 2020 Accenture. All rights reserved.