Leveraging regulations to strengthen cyber resilience

Written by Sean Tilley, Senior Director Sales at 11:11 Systems

In today’s interconnected global landscape, operational and cyber resilience stands at the forefront of organisational priorities. The digital age, while unlocking unparalleled opportunities for innovation and growth, brings a new era of cyber threats. These threats – which continue to increase in size, sophistication, and severity – come in many forms, from calculated ransomware and distributed denial of service (DDoS) attacks to phishing, spoofing, and social engineering. As new headlines continue to shine the spotlight on high-profile attacks, it brings home the fact that such threats and their resulting data breaches and downtime have the power to cripple organisations, erode public trust and inflict substantial economic losses.

These threats are further amplified by the surge in remote working and access, exposing vulnerabilities in what were typically considered robust digital defences. Cybercriminals have become more daring and innovative, exploiting these newfound vulnerabilities to orchestrate more pervasive, sophisticated and damaging attacks than ever before. They cause immediate operational disruption, compromised data security and financial setbacks, as well as long-term damage to reputation and trust.

This evolving threat landscape has prompted a heightened focus on regulatory compliance and operational and cyber resilience to mitigate the risks and ensure organisations can survive an attack.

Regulations drive cyber resilience

Cyber resilience is a specific strategic and comprehensive approach that organisations can adopt to enhance their ability to anticipate, prevent, respond to, and recover from cyber risks and incidents.

True operational and cyber resilience is what governments and regulatory bodies across the globe are hoping to achieve as they design regulatory frameworks that incorporate not just technology, but also people, processes, and information. However, navigating this complex regulatory environment demands a strategic approach, where understanding the nuances of each regulation, its implications, and timelines for compliance becomes critical.

Regulations such as GDPR, HIPAA, and Sarbanes-Oxley (SOX) have already shaped how organisations safeguard data and compliance, but upcoming mandates like NIS2, DORA, and FCA CP19/32 are reshaping how organisations must approach data security, privacy, and cybersecurity to ensure continued levels of customer service despite the surging threats businesses face.

Regulatory compliance is not just a legal obligation but a strategic imperative for operational resilience, necessitating a comprehensive, well-planned approach to cybersecurity. Organisations stand to benefit from reassessing, reinforcing, and revitalising their cybersecurity postures, turning regulatory adherence into a competitive advantage.

The surging threat of cyberattacks

The digital age has ushered in a new era of cyber threats and the statistics paint a stark picture, not solely defined by an increase in total attacks, but also by their sophistication and severity.

Cybersecurity Ventures estimated that in 2021 businesses would fall victim to a ransomware attack every 11 seconds. It now predicts that attacks on businesses, consumers, governments, and devices will happen every two seconds by 2031. It is not surprising then that ransomware attacks were involved in 24% of all breaches and ransomware payments in cryptocurrency surpassed the $1 billion mark in 2023, the highest number to date.

The cost of cyber insecurity

In 2023, the average total cost of a data breach rose to $4.45 million, the highest in the 19-year history of the Ponemon Institute and IBM’s Cost of Data Breach Report. This upward trajectory is not expected to plateau; experts warn of a continued rise in both the frequency and sophistication of cyberattacks.

Email, the most ubiquitous tool in business communication, has also proven to be a significant vulnerability, responsible for approximately 94% of all malware today, while phishing, a method that exploits human error and a lack of cybersecurity awareness, remains the most common form of cybercrime. According to a report by email security company Valimail, over three billion malicious phishing emails are sent every day, which amounts to 1% of all email traffic worldwide.

In a recent survey from Egress Software, 94% of organisations reported being the victim of phishing, with virtually all attacks leading to a negative outcome of some kind, financial or otherwise. In most of those cases, unfortunately, the incidents imposed at least some financial cost (79%), and 64% of companies reported that phishing had impacted their bottom line.

From financial losses, customer churn, and reputational damage to lengthy remediation processes and legal repercussions, the impact of cybercrime is far-reaching, affecting every sector and size of business. According to Cybersecurity Ventures, cybercrime is expected to inflict 9.5 trillion USD in total damage in 2024 and another 10.5 trillion USD annually by 2025—up from 3 trillion USD less than a decade ago. If it were measured as a country, then cybercrime would be the world’s third-largest economy after the U.S. and China.

The alarming rise in cyber incidents and their cost is a primary catalyst driving the wave of new regulations in cybersecurity and data protection.

Moving from reactive to proactive cyber strategies

Governments and regulatory bodies worldwide are recognising the critical need to fortify digital infrastructures against evolving cyber threats, as well as liability resulting from defective or malicious artificial intelligence (AI) products. The aim is not just to respond reactively to incidents but to establish a proactive, resilient framework that can anticipate and withstand cyber threats and disruptions.

However, the implications of the new regulations are profound for businesses. They necessitate a shift from traditional cybersecurity practices to more integrated, comprehensive strategies that encompass not only technical solutions but also organisational culture, in-depth planning and employee awareness at every level.

The surge in cyber threats has pushed cybersecurity to the forefront of boardroom agendas. As businesses navigate this new terrain, staying informed and agile will be key to both complying with emerging regulations and safeguarding their digital assets and their future. This gap between awareness and preparedness underscores the need for a strategic overhaul in how businesses approach cybersecurity and cyber resilience.

Regulations and cyber resilience

For businesses, this evolving regulatory landscape means that cybersecurity and data protection are no longer just IT issues but are integral to corporate governance and strategy. Adapting to these regulations requires a comprehensive approach, combining legal compliance with robust cybersecurity and data recovery practices, personnel training and system monitoring to create a resilient operational framework capable of withstanding the challenges of a digitalised economy.

When it comes to cybersecurity and cyber recovery, the complexity and severity of the risk must be considered from a business risk, technology, reputational, and regulatory compliance perspective. There is typically no one-size-fits-all approach. However, companies that stay abreast of potential changes to the regulatory landscape, which is continuing to evolve to stay a step ahead of cyber threats, not only maintain compliance but are better able to navigate the complexities of the environment and bolster their cyber and operational resilience.