In this week's issue of Resilience Reflections, Abhishta Abhishta stresses the importance of sharing knowledge on and creating a culture of cyber security for the resilience and ultimate success of an organisation.
In this regular series by the Resilience@UT and 4TU Resilience programmes, UT researchers share their personal reflections on current events and trends that impact our daily lives, exploring their implications for resilience. The series is just one of many UT initiatives responding to the urgent need to respond to rapid societal and environmental change. As an academic institution, we have a role to play in strengthening the resilience of the social, technological and environmental systems that support us. The opinions expressed in this article are the author’s own.
Cybersecurity is critical in safeguarding digital infrastructures (such as the Cloud) and assets (like proprietary datasets) that support our society. The European Union, recognising this imperative, has introduced regulations such as the Network and Information Systems Directive 2 (NIS2) and the Critical Resilience Act (CRA), underscoring the importance of continuous investments in cybersecurity measures. The new Network and Information Systems Directive, for instance, broadens the scope of sectors considered as critical infrastructure. Among other things, the directive ensures that more sectors, such as providers of public electronic communications networks or services, are covered under stringent cybersecurity protocols. Similarly, the Critical Resilience Act also focuses on ensuring that products sold in the EU market meet high cybersecurity standards. Now, organisations should shift their perspective from merely investing in cybersecurity to meet regulatory standards (such as ISO2700X or BIO) towards strategically investing in cybersecurity to enhance overall business value.
Demonstrating the benefits of cybersecurity
However, in making this shift the challenge lies in raising awareness of and achieving the benefits of such investments in cybersecurity. For many businesses and individuals, the advantages of cybersecurity measures such as implementing zero-trust policies and multi-factor authentication are not immediately apparent. This is primarily because the benefits are often achieved in the long term. These measures prevent potential breaches targeting individual organisations and their data and cyber-attacks against any system, network, or device connected to the internet, which might otherwise result in significant financial losses and damage to reputation.
It is therefore crucial to develop methods for effectively demonstrating to organisations the return on investment in cybersecurity without having to endure the consequences of a massive security failure. There are a couple of measures organisations looking to implement cybersecurity measures can carry out to improve the visibility of security benefits.
Sharing information and experiences
Organisations should actively participate in industry forums and collaborate with peers to share experiences and insights on cybersecurity challenges and solutions. This could include setting up channels for sharing intelligence about threats and details on effective countermeasures. Engaging in dialogues about best practices in cybersecurity with similar organisations can aid in comparing the effectiveness of security measures and adopting superior practices. Moreover, conducting training and simulation exercises (as for example, promoted by the Anti-DDoS Coalition) with other organisations can enhance preparedness for real-world cyber incidents and encourage a more proactive approach to cybersecurity.
A culture of cybersecurity
Organisations should also strive to create a culture of cybersecurity, starting with a strong commitment from the organisation’s leadership. This involves integrating cybersecurity into all aspects of the business. Regular training and awareness programs should be conducted to educate employees about cybersecurity threats and the importance of following security protocols (just like we do it with physical safety drills). Also, encouraging open communication and creating an environment where individuals are not punished for reporting potential security incidents is essential.
The immediate benefits of investing in cybersecurity might not be directly visible. However, organisations that develop a comprehensive strategy to assess, demonstrate, and communicate the effectiveness of these measures will be able to track and make decisions on the benefits of cybersecurity. This involves not only quantitative assessments of infrastructure and assets but also a cultural shift towards recognising cybersecurity as an integral part of organisational resilience and success. The Twente University Centre for Cybersecurity Research (TUCCR) and the Centrum voor Veiligheid en Digitalisering (CVD), with their industry-centric research and lifelong learning-oriented courses, recognise the importance of this cultural shift. Aligning with the University of Twente's mission to drive societal impact, I invite organisations to reach out to me or my cybersecurity colleagues for any inquiries or to share thoughts on this topic.
Abhishta Abhishta is an Assistant Professor in the Industrial Engineering and Business Information Systems group. He specialises in Security Management including among other themes, data privacy, business continuity planning, and network security. In his work, he focuses on measuring the economic/financial impact of cyber attacks.
Find more information about the Resilience @ UT programme at our website.