Cybersecurity – the business differentiator of the future

01 Mar 2021

Patrick Lawlor

Editor

Cybersecurity has become a hot topic in boardrooms across the world as an increasingly sophisticated cohort of criminals look for new ways to hack into our systems. 

Watch the webcast

The fact that so many people are now accessing office networks remotely has emphasised the need for secure networks. How should you as a business be dealing with cybersecurity? What are some of the current trends, as well as future issues, that you should be aware of? And what does success look like when it comes to cybersecurity?
 
Our panel tackles these questions, and looks ahead to what challenges will be faced in a world of artificial intelligence, quantum computing and the internet of things.
 
The panel is made up of:
 
Greg Griessel (GG), solutions architect, Cisco
Herman Young (HY), global chief of information security, Investec
 
Reagile Moatshe, head of supplier finance, Investec for Corporates and Institutions, was the moderator.

On how cybersecurity is changing in an age of remote working
 
GG: “Distributing the necessary security controls and making sure that those are now enabled is definitely at the forefront for most people out there. We've seen shifts towards the cloud, towards many innovative new ways of working to enable people.”
 
HY: “The attack vectors have changed now that so many people are working remotely. The most prevalent attacks we're seeing across the industry globally are cyber extortion attacks, where they try to compromise data and install ransomware.”
 
Why cybersecurity is so important for shareholders, customers, and all other stakeholders
 
HY: “For me, trust is at the core of our business. Investors need to be able to trust that their data is safe, that their finances are safe, that the systems are available to operate. What we should do from a business differentiating point of view is to expose or to make visible that trust, or make it tangible. 
“So, the idea would be to look at a cyber score, very much like the Moody's type ratings. How do you know that you can invest in a country? You look at Moody's sovereign credit ratings. How do you know you must bank with a specific institution? Let's look at their cybersecurity scores and see whether they are better than the others."

GG: “One of the things that companies can do is to make sure that their cybersecurity frameworks are built off a foundation that is standards-based – something that they measure, something that the industry is using. Then they can say: if you have these controls in place, we can be assured that you are at a level of some cybersecurity.” 
“When we look at the regulatory frameworks, we need to balance and make sure those are in touch with exactly what the company is doing, otherwise they are going off on a completely different tangent. Ultimately we need to standardise.”
 
On scorecards and why having a cybersecurity framework in place is essential in order to get industry buy-in
 
GG: “Irrespective of the industry and what other companies are doing, you need to work according to some form of a cybersecurity framework. That sets the baseline for what you do beyond that and I think if everyone can set some form of a standard, some form of an ISO standard, it definitely helps.”
 
“We need to work out a way of doing that in a tangible way, to understand where the bad actors are, what we are protecting against, and then, from the other perspective: look at how those threats are being propagated. There should also be some consistency in the ways of looking at it and making it relevant in terms of the scorecard.”
“If we look at the scorecards that we currently have out there, a lot of them are outward-facing and that isn't always a true reflection of what the company is doing on the inside.”
 
HY: “There are a few companies in the world that already produce cybersecurity scores based on the information they can glean from the internet. I think it's critical that we all, as an industry, buy into the scoring system we decide on, or the methodology and algorithms. I think it's critically important that we take the lead on this.”

Staying cyber secure requires a healthy dose of scepticism

Misha Glenny, one of the UK’s leading organised crime and cybersecurity experts joins “ethical hacker” Dominic White for a discussion on how the pandemic has increased the number of cyber breaches and what you can do about it.
How can you use cybersecurity as a tool to grow your business?
 
GG: “The more secure we are for customers, the better it is for the industry as a whole and of course if we can prevent cyberattacks and loss of data, all the better.”
HY: “I can promise you that the moment [a score board] is industry-wide, the only thing a company’s board will want to know is: what's our cyber score? I think that will make the whole industry more secure.”
 
Where is the industry at the moment? Are we doing enough?
 
GG: “One of the things that we're seeing is a move towards a solution-centric / holistic approach. It's about how we look at the entirety of your cybersecurity challenges. What are the frameworks? What are the controls? What do you need to have in place? And then putting together end-to-end solutions to make that happen.”
 
“We've seen consolidation of vendors within the space and the reason for that is because more and more vendors are trying to get that end-to-end holistic approach with a customer.”
 
HY: “I think the biggest issue is that the industry tends to be super reactive: we have regulation; we have controls; we have politics in organisations; we have silos. None of those things work in our favour.
 
“Companies have to employ a strategy of saying: I've got this technology, it's not effective anymore so I'm going to rip it out and replace it with something else. The vendors and suppliers of these technologies have to be comfortable with that.”
 
Are vendors moving fast enough to meet the challenges?
 
GG: “Obviously having the right product and the right flexibility for the customer is essential. But then we have to make sure we can meet the challenge of what the attackers are doing by augmenting that against the right level of threat intelligence.
“We can block as much as we want but we know someone's going to find a way around it, so ultimately we want to try and get to the source and try and help take it down.
 
"Partnering with law enforcement, with regulatory programmes and all those types of things, is really essential.”
 
HY: “There are a few large cybersecurity companies that get this right. They're generally the more niche companies with a specifically defined product and solution focus.
“Cybersecurity at the end of the day is an adversarial game between people. We are basically playing a cat-and-mouse game.”
The specific challenges facing emerging markets like Africa
 
HY: “The opportunity for Africa is to see if we can leapfrog and learn from others. Maybe cloud is the answer: we put all our systems in the cloud and that means we don't need as much bandwidth."
 
GG: “Ultimately, what we are trying to do is make sure that any technology that is put down has still got some form of that cloud backing and the cloud protection that goes with it.”
 
Some words on the future
 
GG: “Firstly, cloud is definitely the approach for the future. You are going to see more and more investment into cloud-based technologies.
 
“Secondly, how do we use more automation orchestration, machine learning, artificial intelligence, and (probably more in the future) things like quantum computing?”  
 
“Thirdly. is investment into education and making sure we get to the level where whole industry understands the need for cybersecurity and how they ultimately invest in it. One of the responsible things we need to do, from any vendor point of view, is to provide education back into industry and make sure that it is widespread.”
HY: “In the future, you will see increasingly more automated attacks and I'm not even talking about machine learning or artificial intelligence. I'm talking about scripting, just automation.
 
"If you get into the artificial intelligence type attacks, that will be another ball game altogether. What that will then imply is that your defences will have to be automated as well – you can't manually defend against an automated attack.
 
“Quantum computing is another risk we should be aware of as it may render all our current encryption obsolete. Some people are saying it's 20 years off, but it's almost the next Y2K problem. We have to start building quantum-resilient encryption today because replacing all the encryption will take time.
 
"There's even a risk to cryptocurrencies and blockchain with quantum because at the end of the day, it's all just public and private keys and if you have a quantum computer that can guess the private key of your Bitcoin wallet, the attackers can access it.”
 
"The Internet of Things (IOT) and Operational Technology (OT) security are also of concern. Most of these devices don’t have any security built in, on some devices you cannot even set a password. Once these devices are connected to the Internet, especially with the adoption of 5G, you may be inadvertently  exposing your home network or company network to attackers."
 

Get Focus insights straight to your inbox

Sending...

Please complete all required fields before sending.

Thank you

We look forward to sharing out of the ordinary insights with you

Sorry there seems to be a technical issue

  • Disclaimer

    Investec Corporate and Institutional Banking is a division of Investec Bank Limited registration number 1969/004763/06, an Authorised Financial Services Provider (11750), a Registered Credit Provider (NCRCP 9), an authorised Over the Counter Derivatives Provider, and a member of the JSE. Investec is committed to the Code of Banking Practice as regulated by the Ombudsman for Banking Services. Copies of the Code and the Ombudsman's details are available on request or visit www.investec.com.

About the author

Patrick Lawlor

Patrick Lawlor

Editor

Patrick writes and edits content for Investec Wealth & Investment, and Corporate and Institutional Banking, including editing the Daily View, Monthly View and One Magazine - an online publication for Investec's Wealth clients. Patrick was a financial journalist for many years for publications such as Financial Mail, Finweek and Business Report. He holds a BA and a PDM (Bus.Admin.) both from Wits University.

This Focus article also forms part of the Business Class series. For more insights into other Business Class content, click the image below: