#one: Humans are the weakest link, given their lack of technological understanding.
In a clear majority of cases, cyberattackers have taken advantage of unsuspecting employees and human error. Approximately 80 percent of all data breaches, based on a blended average of multiple sources, are a function of compromising the way humans interface with technology. People can inadvertently send sensitive documents to unintended recipients, fall for phishing attacks that allow malware onto their systems via email accounts, let unauthorized users access corporate devices, and choose easily guessed passwords.
Solutions require either changing human behavior or removing computers’ reliance on humans. However, employee-driven risks do not necessarily decrease with more stringent protocols. With more cumbersome security protocols, employees may develop habits of non-compliance, especially in businesses (or from people) that view cybersecurity as solely an IT problem.
Entirely eliminating humans from the equation through robots or automation is difficult and shifts the risk to more centralized-system vulnerabilities, increasing the potential impact of a successful attack. For the foreseeable future, systems will continue to be designed by humans and human error in the design of the system will continue to be a cyber risk.
| Challenge | Dilemmas |
|---|---|
| Reduce the impact of human vulnerabilities on cybersecurity. | The more cumbersome security protocols are, the more likely people will circumvent them. Automating processes to eliminate human risks may centralize cyber risk within the technology architecture, creating additional weaknesses in the design. Cultural education about cyber best practices has proven difficult to implement. It is unlikely a business today can claim to have demonstrated a truly successful model of education and practice throughout its workforce. The complexity and increasing opacity of technology is exacerbating the problem. As soon as new security practices are embedded, new threats evolve to circumvent them. |
#two: Interdependency and the risk exposure from ever-increasing connectivity.
The more interconnected and data-rich capabilities, tools, and apps become, the larger the attack surface and the consequent cyber-risk exposure. With more parties embedded within complex and highly interconnected ecosystems, the danger of systemic cyberattacks increases, especially for extended supply chains or networks. This makes it increasingly challenging to assess, manage, and control interdependency risks.
If impactful solutions are not identified or the rate of interdependency continues unchecked, the current trajectory points to a major increase in cyber-related events. If attackers continue to target previously undiscovered interconnections, potential targets will struggle to predict attacks.
Quantification of interdependency is not possible to any degree of granularity today. Existing risk-management tools and cyber-testing protocols generally provide only limited visibility into interdependency risks. Limited coherence of internal data strategies at many businesses and institutions means that data is stored, processed, and shared in a chaotic fashion, across unsecured environments.
New sources of interdependency are always emerging. Greater concentration of risk results from the consolidation of cloud services into a small number of large providers and the growth of centralized systems in critical infrastructure. The network effect, growing supply chains, and corporate consolidation increase third- and fourth-party risk.
| Challenge | Dilemmas |
|---|---|
| Mitigate cyber-risk exposure due to increasing interdependency of entities and systems. | The number of new devices, connections between devices and systems, and sharing of information continue to grow. Business models are commercially driven towards greater innovation that is leading to greater cyber risk. However, the cyber threat is not yet sufficiently visible to deter the commercial imperative. The drive toward seamless integration of IT systems is forcing businesses to develop more integrated solutions for consumers. |
#three: Increasing cybersecurity demands entangle government and public-sector responsibilities.
All governments and public-sector institutions are facing an increasingly challenging set of cyber risks.
The public sector often sets standards and regulations for industry, yet these are proving complex and burdensome for many businesses. The drain of skills away from public-sector institutions and the age of their legacy infrastructure also affects trust in collaboration and sharing of information with the private sector.
The public sector should be a key driver of cyber solutions with education, investment incentives, and technological development. It is also essential in tackling cybercrime, and uncovering fraud, financial crime, or illegal activity often hidden on the Dark Web. However, governments are not proactively engaged with these efforts. According to one study, only 58 percent of governments reported having a national cybersecurity strategy in 2018.
Conversely, some governments are very active in military or foreign-diplomacy cyber activities. Individuals and the private sector are often caught up in the crossfire or are themselves the target of many state-actor attacks, damaging trust and confidence in a nation-state’s cybersecurity.
What are the roles of governments and the public sector? Are there activities they should not be involved in? What are their priorities and responsibilities?
| Challenge | Dilemmas |
|---|---|
| Identify the appropriate cybersecurity responsibilities of the public sector and drive proactive engagement. | A fragmented regulatory landscape with differing policy approaches and political motivations is sustained by ideological differences and a lack of collaboration. While the public sector is expected to lead the way in providing solutions, it suffers from a cyber-skills deficit, limited trust in its alignment with other stakeholders’ interests, aging legacy systems, limited cybersecurity for its own systems, and a lack of a cyber strategy. Nation-state espionage and attacks are very real. This “cyberwarfare,” although real, is not classified as such, in part so insurance companies are not liable for damages. Indeed, much of the private sector and most citizens do not realize their countries are engaged in a global cyberwar. |
#four: There is a cyber-resilience divide: Some businesses are prepared to respond to attacks, but most cannot meet a minimum level of readiness to respond.
Over the past decade, a divide has grown between different organizations’ ability to invest in sufficient human and technological resources to sustain adequate cyber resilience—defined as the ability to continually deliver products or services despite attacks. This divide is typically seen across a couple of vectors (large corporations versus SMEs) and between certain sectors (such as Financial Services versus Energy). This divide can leave large parts of national economies exposed to systemic cyber risk.
According to a recent survey of small and midsized companies in the UK, 67 percent of SMEs have been attacked in the last year, 60 percent have insufficient resources for cyber defense, and 40 percent have no incident-response plan. Few SMEs feel confident in their ability to mitigate cyber risks and defend against cyberattacks.
Reasons for this state of affairs include resource constraints, lack of cyber awareness, culture, safety and security factors, complacency in ignoring threats, and lack of responsiveness to attacks. The challenge to substantially improve the cybersecurity standards of a vast number of businesses is not insignificant.
| Challenge | Dilemmas |
|---|---|
| Rapidly elevate the cyber resilience of companies to close the current divide between “secure” and “insecure” companies. | As long as market players perceive cyber resilience as a competitive advantage, they will be reluctant to collaborate with competitors. Cooperation in cybersecurity and resilience is highly complex and expensive for SMEs, so much so that it may outweigh the perceived cost of cyber risk. Outsourcing via Security Operations Centers (SOCs) creates more uncertain centralized risks that organizations must manage in any partnership model. Sectoral practices and lessons can be shared across industries, but information is not now flowing at the pace required. Moreover, these sharing solutions are often inaccessible to many SMEs. |
#five: There is a cyber-skills shortage and the need for short-term solutions.
Over the past decade, a skills shortage in cybersecurity has been growing substantially. According to a number of reports, the rate of unfilled cybersecurity jobs has grown by more than 50 percent since 2015 and will reach 1.8 million open jobs by 2022.
Both short- and long-term solutions are lacking investment and attention. Causes include a gap between accelerating job openings and supply of talent, lack of alignment between formal education and private-sector technical needs, lack of non-formal training opportunities, and the career paths potential cybersecurity experts are choosing. This skills shortage results in insecure IT systems and a limited ability to assess the level of necessary cybersecurity.
| Challenge | Dilemmas |
|---|---|
| Identify and implement new short-term remedies while driving established solutions that have longer lead times to deliver. | Many of the large-scale solutions have long lead times as people transition through education programs, academic courses, or apprenticeship schemes. And such programs are under-funded and under-resourced. Lack of formal career paths and career incentives reduces employee stickiness, particularly as wage growth encourages job hopping. Smaller firms unable to compete for talent lose out on capabilities as large companies hoard resources. Full outsourcing of cybersecurity leads to loss of control and uncertainty about cybersecurity capabilities, converting cyber risk into a third-party problem. In the short term, the skills shortage will get more severe before it improves. Demand will outstrip supply unless innovative solutions can be determined. |
#six: Emerging technology drives cyberattacks.
Most cyberattacks could not have been predicted by assessing past attacks, although some “old chestnuts” like phishing are a staple. Attacks utilizing new technologies further increase the divergence from the historical norm, which makes attacks harder to predict, prevent, and protect against. To date, antagonists have been able to utilize new technologies far more effectively than have those trying to prevent attacks.
Technology-driven innovations can increase cyber risk in two ways: Data becomes more valuable and abundant, and attackers become more sophisticated. With the growth in the collection, sharing, and federation of data, attackers can find more valuable datasets in more places.
At the same time, emerging technologies can also be used to protect against cyberattacks. The use of AI, machine learning, and advanced cryptography offers opportunities in the prevention, detection, and response stages of the cybersecurity lifecycle.
| Challenge | Dilemmas |
|---|---|
| Identify emerging technologies that attackers are using—and develop emerging-technology solutions to thwart them. | Emerging technologies—AI, machine learning, IoT, quantum computing—show greater potential for disruption than prevention or defense. Given the speed of innovation, it can be easier to leverage new technologies to attack than to protect an expanding attack surface. Any disruptive technology can create novel cyber risks. These risks are typically discovered and mitigated only after damage is done. |
#seven: How do you know if you’re cyber resilient?
The asymmetry between antagonists and defenders means that an attacker only has to find a single point of entry while the target has to protect against all potential weak spots. The challenge is how to prepare for cyberattacks, particularly low-probability/high-impact cyberattacks.
Today, it is widely acknowledged that a large majority of businesses and individuals do not have a minimum level of understanding or processes in place to prepare for cyberattacks. How much should a local hospital invest in its IT-security solutions? What are the minimum resourcing roles that a medium-sized energy supplier requires? What are the key safety behaviors that young social-media consumers need to practice? The inability to communicate a clear set of targets and responses inhibits our ability to drive necessary change. And this, of course, provides motivation for attackers.
| Challenge | Dilemmas |
|---|---|
| Provide effective and holistic cyber-risk quantification to assess your exposure and define how to mitigate that risk. | A business must consider a number of factors in developing a cyber strategy: investment, resources, technical solutions, remediation actions, and media/PR response. Given the many factors that favor attackers, adequately preparing and protecting any business or institution is a major challenge. |