Cybersecurity: more than just a protective shield

Cybersecurity to protect a sustainable world and our digital future

A dark figure in a hoodie or a black screen quickly running a code? These are probably the images that come to mind when you think of cybersecurity. Images that are shaped by films or the media.

I had the privilege of working in cybersecurity when my career paths in technology and sustainability intersected. Working for a global cybersecurity software vendor gave me an insight into the dangers that cyber risks pose to both businesses and the public sector. I learnt from experts about the efforts software vendors and IT service providers are making to prevent and mitigate cyber attacks. It always seemed like an endless race between the “bad guys” who exploit vulnerabilities in software and human behaviour to commit acts of terror or make money, and the “good guys” who are constantly working on prevention through software, processes and training to protect companies’ data and systems.

Working with security professionals around the world has also taught me that the purpose is often hidden in inconspicuous places. IT security professionals, regardless of their location or role, always share a passion for helping organisations stay secure. It is therefore no surprise that regulations such as the European General Data Protection Regulation (GDPR)¹ or the European Cyber Resilience Act (CRA)² are causing a stir in the industry – and raising hopes that executives will recognise the need to protect their data and that of their customers through comprehensive IT security measures.

But there is still a long way to go before this realisation, because for some companies, cybersecurity is a hygiene factor that is barely noticeable when it works. So why spend more money and effort on it? However, when it doesn’t work, it quickly becomes a major obstacle, as organisations can lose data, money and ultimately seriously damage their reputation. I often hear from security professionals who report talking to potential clients, only to learn months later that the company they spoke to has been the victim of a cyber-attack. Nevertheless, most organisations I have worked with take IT security and data protection seriously and invest in policies, software, processes and training.

“Hardware and software products are increasingly the subject of successful cyberattacks, leading to an estimated annual cost of cybercrime of €5.5 trillion worldwide by 2021.”³

Combining technology and people to protect data and systems

Protecting a company or public organisation from cyber security threats means protecting the data and access to its critical systems such as operating systems, network services or energy supply.

This is made possible by a wide range of software solutions such as email security, web security, data security, network security or cloud access protection. As the way people work and access systems and data is constantly changing, cyber security solutions are also evolving.

For example, when the COVID-19 pandemic led to the sudden need for remote working, many organisations had to provide their employees with remote access to business-critical systems and data. This created the need to protect this access outside the physical security boundaries of the organisation. It was no longer possible to protect the organisation like a fortress; employees were in the wild. And with the continuing trend towards hybrid working, this challenge will remain in the future.

The human factor also poses a security risk. Misbehaviour such as the disclosure of critical data can be intentional or accidental. In most cases, it is an employee who inadvertently gives malicious attackers access to this data. There have been numerous cases of hackers using social engineering to trick employees into depositing money into a fake account or giving hackers access to company data and systems. And with the advent of artificial intelligence, it will certainly become even easier to manipulate people.⁴

So there’s a good reason for the “S” in cybersecurity (from “social”, you get the idea). Employees are key to the security of the organisation; it is important to warn them of the dangers and the consequences, provide them with technical training and alert them to new tips and tricks. As is usual in business management, IT security is not just about the technology used, but also about how people act.

Cybersecurity as an important aspect of sustainability

It didn’t take me long to realise that cybersecurity is one of the most important aspects of sustainable management, both for companies and governments. The security of data, systems and processes is critical not only for the financial health of an organisation, but also for its customers and business partners. It’s scary to imagine a cyber-attack exposing your data to hackers who could misuse it for fraud or extortion. Your data is stored in so many different systems, with so many companies, financial institutions and authorities. Fortunately, most of them take cyber security very seriously.

At the same time, IT security is one of the risk areas that must be disclosed in financial and sustainability reports. The Sustainability Accounting Standards Board (now part of IFRS⁵) has included IT security metrics in the sustainability reporting standards used by companies and investors worldwide:

“Software and IT services companies are targets of growing data security threats from cyberattacks and social engineering that put their own data and their customers’ data at risk. Failure to adequately prevent, recognise and remediate data security threats can impact customer acquisition and retention, leading to a decline in market share and demand for the company’s products. In addition to reputational damage and customer churn, data breaches can also lead to increased costs, usually associated with measures such as identity protection offerings and employee training on data protection. Meanwhile, new and emerging data security standards and regulations are likely to impact companies’ operating costs as the cost of compliance increases. In addition, companies in this industry are well positioned to capitalise on revenue opportunities by providing secure software and services to meet the demand for secure data.”⁶

SASB’s reporting criteria for software and IT services companies include quantitative metrics such as

• number of data breaches,
• percentage of personal data,
• number of users affected

as well as a commentary on the IT security measures

• to identify and manage data security risks, including the use of third-party cybersecurity standards.

The European Sustainability Reporting Standards (ESRS) also address data security issues and measures as part of the disclosure requirements to consumers and end users.

It is clear that data security is more relevant as a risk management, sustainability issue and even as an opportunity for certain industries. In general, organisations that collect and manage large amounts of data are more affected by IT security risks. They need to disclose their policies, measures and metrics to show investors and other stakeholders how the organisation protects its customers’ data.

A global threat to sustainability: the cyber arms race

On a larger scale, cybersecurity is a critical national and global challenge. For example, cyber threats to hospitals that spy on patient data or paralyse operations can endanger many lives. Cyberattacks on utilities such as nuclear power plants, power generators and distributors or dam operators can threaten the safety and well-being of entire populations. For years, cyberattacks have been used as a means of warfare, and the rise of state-sponsored cyberterrorism has become a global threat.

“This is how they tell me the world ends” by Nicole Perlroth, cybersecurity reporter for the New York Times, is a fascinating book ⁷. The author reveals a global system in which small actors such as brilliant hackers, in collaboration with governments, intelligence agencies and IT companies, play a major role in some of the biggest threats to human security. I learnt about zero-day exploits: vulnerabilities in software applications that allow hackers to inject malware into those applications. It is both understandable and frightening that there is a black market for zero-day exploits. It brings together sellers and buyers with good intentions: to fix the vulnerabilities or prevent them from becoming a weapon for cyber terrorists. But as you may have guessed, there are also sellers with less good intentions. From spying on journalists or regime opponents to mobile phone apps and nationwide cyberattacks, some organisations and even nation states are not afraid to use software and hacking genius to put their plans into action. Read this book to learn more about the background and research, and believe me, you’ll never take cybersecurity for granted again.

Notes:

Do you want to increase your positive impact on the environment, social issues or governance? Then check out the beautiful website of Dunn & Falkenstein Consulting.

[1] Europäische Datenschutzgrundverordnung (GDPR)
[2] [3] European Cyber Resilience Act (CRA)
[4] Finance worker pays out $25 million after video call with deepfake ‘chief financial officer’
[5] IFRS – International Financial Reporting Standards
[6] SASB, “SOFTWARE & IT SERVICES Sustainability Accounting Standard”
[7] Nicole Perlroth: This is how they tell me the world ends

If you like the article or want to discuss it, please feel free to share it in your network.

Olivia Falkenstein has published another post on the t2informatik Blog:

What does t2informatik actually do? One click and you'll know.