
March 2020 is a month that will continue to resonate with almost every individual on the planet. It was the month in which most countries across the globe implemented hard COVID-19 lockdowns, and the month that changed the way we do business in the most rapid and significant way ever seen to this point.

Some will say that there was simply no interruption at all, as they were already well into a “business as usual” cloud adoption strategy within their business. Others struggled to come to terms with all or a large portion of their workforce now working from a “home office”, such “offices” being the spare room, a study or the kitchen counter.

Two and a half years later, I do believe we can all agree that this year and all the changes it brought seriously escalated what can now be said to be the number 1 risk for most businesses anywhere in the world.


PREDICTABLY UNPREDICTABLE, THE CYBER RISK EVOLUTION

“Tomorrow is going to be predictably unpredictable” (to quote Mr. Todd Nightingale, Cisco Executive VP, in a recent Sunday Times article) really sums up the state of all things in 2022, as we contemplate the future business landscape two and a half years from ground zero, when COVID-19 lockdowns hit the world and changed it immeasurably.

The changes that the pandemic brought, in every aspect of life and living, are still evolving and their impacts are still being evaluated. However, the major impacts relating to how we work are, I do believe, a change that will stay with us permanently. Perhaps not in every business, but certainly in many.

The Work from Home event was the most rapid change ever to occur in business operation on a worldwide scale in known history. This change impacted many things at both personal and business levels, but it very specifically impacted IT departments and the management of information, and most particularly the way we need to think about our Governance, Risk and Compliance strategies, including Continuity of Business and Business Resilience strategies.

Given the speed at which most businesses adopted their Work from Home strategies, many failed to carry out a complete, context-informed business impact assessment and consequence analysis in the fine detail that was really needed. As a result, many organizations that had, to that point, largely on-premises IT infrastructure or an evolving cloud hybrid migrated rapidly into hybrid cloud or total cloud adoption in a very short time. Through the pandemic, over the last 2 years, they then maintained a “management by crisis”, business as “unusual” strategy, reactively dealing with event after event as the cybercrime wave evolved.

During the last 2 years we have seen an explosion of cyber risk, resulting in company data compromise, data loss, extortion, ransomware attacks and information leakage on a scale the world never really thought possible in 2019, and certainly not on the scale we see today; sadly, it is now a daily norm in 2022.

However, what has unfortunately not occurred over the last 2 years is a robust evolution in the IT GRC and enterprise GRC approach to match the growth path of cyber risk. A lot of technology adoption might have occurred, with a fuzzy comfort level of “I’m pretty sure we are secure”, yet organizations still get severely compromised. Why?

Many organizations lack the GRC (governance, risk, and compliance) maturity levels needed to deal with the scope of risk as the world was in 2019. For the most part, they are certainly not ready for the unknown scope of the unpredictable, rapidly evolving and changing risks of 2022 and beyond.

So, what then is the answer?


THE CHALLENGE

Ransomware attacks continue to evolve at a pace that outranks most businesses’ ability to keep up and keep their information secure. This has increased exponentially for most businesses, at a scale that few really want to confront or admit. There is no business that can honestly say that cybercrime is not a number one risk concern right now. Work from Home strategies, which are now evolving into hybrid work schedules, sit alongside new emerging risks: high fuel costs, supply chain disruptions and shortages, the emergence of digital currencies and digital exchanges, branchless banking and more. All of these should have significantly changed the “Context of the Organisation” evaluation assessments that effective Risk Management strategies should be contemplating. However, this is not occurring, or not occurring effectively enough, given the magnitude of contextual change in the risk universe. Many Risk and GRC professionals have grappled with bringing the business as a whole to an understanding of the critical value of a Context of the Organisation Impact assessment, an activity that should be occurring as a business-as-usual tool every time a key change occurs in the business. Yet maturity benchmark results statistically indicate that most business executive and management teams don’t know what this tool is, never mind using it consistently and effectively in the business as part of strategy and business planning at operational levels.

The Security Focus Africa survey “State of Ransomware 2022” indicates that 51% of the South African companies included in the survey were hit by ransomware. Many of these paid the ransom, yet still struggled to get their data back.

Our ongoing consultations with clients, as part of the process of closing identified security and cyber risk gaps, indicate that even where there are good backup procedures and quick restoration of data, which would avoid paying the ransom, such clients have then been subject to extortion: the attackers encrypt and take the data, then contact the affected company and threaten to publish sensitive information on the open internet and on social media forums. Thus the ransomware attack becomes extortion.

We are often told by management teams, MDs, CEOs and business owners that their IT teams have told them that security is under control and well managed. When pushed for specifics, this conversation takes a very different course, with senior management becoming less confident that they “really” know, transparently and without bias, the state of security and cyber risk resilience within their business.

In conducting GRC and related cyber risk, information security and data privacy maturity evaluations, we consistently see the following risk areas with low maturity scores.


[Figure: Common Cybersecurity, Data Privacy, Information Security and IT Governance maturity gaps]


[Figure: Maturity evaluation GRC verticals covered by assessed respondents]

Of the 437 maturity evaluations conducted by the RUBIQ Team to date, the most significant area of identified weakness is the lack of a structured approach to Information Security Management. Many organisations would significantly benefit from the implementation of an ISO 27001 aligned ISMS (Information Security Management System). However, few have taken the time to effectively design and implement an ISMS. There is no doubt that we see exceptional improvement in the management of IT Governance and Data Privacy Management, and in overall maturity across the organization, in companies that have focused on implementing an ISMS whose scope includes Data Privacy and Cyber Security.

Data Privacy and Cyber Security Scope

Given the hype around POPIA in 2021, many organisations opted to conduct Data Privacy and POPIA / GDPR maturity assessments, which make up the bulk of the data set. Within the maturity evaluations completed by companies on Data Privacy, we included a key focus on Security of Information. We then cross-referenced this data with the company’s alignment to the ISO 27001 clause assessment and the ISO 27002 Annexure A controls review, and the results were universally very poor, giving a clear indication of the very low maturity that exists within organisations in this regard.

The evaluations we conducted during the maturity assessment of each organisation’s approach to, and general practice of, good IT housekeeping, which included an assessment of ransomware and data breach susceptibility, were again very poor. Most organisations showed a high probability of a ransomware attack, given their cyber risk scores and their demonstrated maturity levels for the protection of information and the management of Data Privacy and Cyber risks.

The maturity evaluation benchmark data further highlights the generally low maturity levels in several of the other enterprise GRC verticals, such as Ethics, People Risks, Financial Controls and the overall EGRC approach to Governance, Risk and Compliance management, as well as maturity related to Internal Audit.

The spread of companies included in the maturity evaluations to date covered a broad spectrum of sectors and industries, and included small, medium, medium-large and enterprise organisations in the sample.


Key findings we should take note of relate to the following aspects.

Lack of correlation between perceptions of control at different levels in the organisation;

This translates to all parties not being on the same page. Where control processes and procedures are reviewed and discussed at senior levels versus with IT Admins and Technicians at lower levels, the common perception of what is thought to be in practice and consistently applied is found to be, in fact, not what is actively taking place in day-to-day practice. This creates hidden risk and opportunity for threat actors to exploit human factor vulnerabilities. Further, where we have deployed sensors and run attack simulations in client environments, we find weaknesses that should have been identified under IT vulnerability testing and ongoing monitoring techniques, but were in fact missed. We have even discovered, in some clients, attackers that had been lurking for not just hours or days but months within the client’s internal IT environment, taking their time to plan their attack to their own best advantage, and remaining undetected and unidentified by the standard IT monitoring and assessment tools in place within the client environment.

No insight into the tracking of unknown / changing / emerging risks and Control Assurance;

This translates to weak risk evaluation and risk identification practices, including processes that should consider the changing aspects of the Context of the Organisation, and to weak skills in interpreting data, trends and risk indicators. Risk registers are documented, often in Excel spreadsheets, and generally with no Context of the Organisation evaluation assessment process at all. In general, these “risk assessment” exercises tend to be “old school”, tick-box, subjective exercises that fail to make use of insight tools and effective interpretation of information and key indicators, due to a lack of the skills, time and expertise needed to read the data outputs in risk terms. We are living in an age of information and 4IR that is utterly technology dominant. Criminals understand this world and use it to their best advantage. However, the expertise, skills, know-how and the right use of the right insight and detective technologies are not used effectively by business and IT teams. Add to this state of affairs the very weak maturity in the adoption of governance-driven risk and Control Assurance Attestation Frameworks, embedded and enforced within the organisation with clear lines of accountability and responsibility, and you have a recipe for “Management by Crisis”.

Lack of understanding of the real time risk posture;

Given that these days time is a scarce commodity, risk and compliance systems tend to remain static and one-dimensional. Inputting data to such GRC or IT GRC information systems becomes a grudge to maintain; API integrations that ensure all data is transparently available are expensive, and skill is needed to interpret the right data input into Risk Reporting. Risk ownership across the organisation landscape is usually never well enough defined or clearly understood, with the perception often being that it should all be dealt with by the IT Department. This could not be further from the ideal, yet time and again it is the state of how it is, company after company. Everyone in the organisation deals with information, so the safeguarding of information is in everyone’s job description, to one degree or another. Without a risk-informed culture well entrenched in the organisation, the human risk factor will always be the weakest link. Add into the mix that technical salespeople sell cool technical tools to IT people, who consume the latest and greatest in tech, as opposed to the right tools to support a well-crafted, understood and contextualised risk-evaluated landscape. We cannot really be surprised that maturity in IT GRC and information security is as low as it is. There are many who will not like this statement; however, the statistics don’t lie, and they are what they are.

The process of truly contextualising the risk, with consultation and insights from both the internal and external risk universe of the organisation, is just not effectively done, or in most cases just not done at all. The result is lots of cool tech stuff, often misconfigured, leaving gaps open for criminals to come along and exploit.

The impact of such attacks can be, in the worst-case scenario, an extinction event for a company, and in the most likely scenario, significant and often crippling cost. These are costs not just from the ransomware itself, but also the direct costs of regulatory fines and penalties and, more worrying, the hidden costs of customer shrinkage due to reputational damage, a drop in stakeholder trust and other knock-on effects. As this impact can come some time after a serious event, it is often not seen as a consequence of the initial incident. But when a client no longer deals with the company, or contracts are simply not re-signed for the next year, the cost of the knock-on effect can be larger than the original event itself.

All in all, it should not be surprising that cybercrime is a breathtaking worldwide issue that is just not under effective control for many businesses.

A SOLUTION

RUBIQ is a cloud-based platform that uses cutting-edge technology to provide a genuinely unique, comprehensive and dynamic governance, risk, and compliance (“GRC”) management solution for any sized company, wherever in the world. RUBIQ is easy to use, has many ready-to-use knowledge repositories, information and features, and is relatively inexpensive regardless of the size of your company, without negating the sophistication of the insights that our approach brings to your business.

RUBIQ is the culmination of the combined GRC knowledge and expertise and GRC Technology know-how of the Founder, CEO and key subject matter experts, which exceeds 75 years.

The RUBIQ Team has developed a unique and proprietary approach to addressing the challenges in IT GRC. This approach has been developed in line with the key discoveries made from our GRC and IT GRC Maturity assessment initiative, which has been running for the last year and a half. The Maturity assessment initiative has led to the fine-tuning of our Advisory / Solution programmes, which make unique use of both a select set of technical insight, analysis and data governance audit tools and a body of content developed by Subject Matter Experts, for which we have worked with leading advisory specialists in their fields. The RUBIQ Advisory Programmes are broken down into 3 initial phases, with a final 4th embedment and enforcement phase.

Phase 1 – is a discovery insights phase, which helps a customer discover what they don’t know that they don’t know. One obviously cannot address a challenge / problem that one does not know exists. We have addressed some of the findings in the points above, but an overarching issue is the biased information that tends to reach business owner / C-Level and Board ears. The problem is that the information providers tend to have a personal or job preservation objective that they cannot help but drive; it is, unfortunately, human nature. Thus the real hidden risk, or the true opportunity for risk, tends to be either watered down in “we have it covered” statements, or the risk is truly unknown, as the context of the environment is not being interrogated effectively enough. This can create opportunity for threat actors, who can many a time be deep within your organisation, strategizing attacks for months ahead of the actual attack. As the management of holistic GRC strategies, including IT GRC strategies, still lacks optimum maturity, criminals take advantage and have the upper hand, completely unknown to IT administrators and Management. This phase helps identify what management and IT Teams don’t know that they don’t know.

Phase 2 – addresses a plan to close the gaps identified and sets priorities in order of criticality of risk exposure.

Phase 3 – addresses a step-by-step approach to implement new processes, rectify the configuration of technical controls, reinforce both process and technical tools, and add or remove tools to streamline the efficiency of overall IT GRC in dealing with Cyber Risks and Data Privacy and managing the Security of Information, in line with best practice frameworks and legislative and regulatory requirements.

Phase 4 – offers ongoing support under a month-to-month subscription, whereby the improved control assurance framework developed in Phase 3 is embedded and continually enforced, thus offering management transparent, unbiased information that supports informed decision making.

The results of all 4 phases, fully completed and embedded, are:

[Figure: RUBIQ Advisory Programmes]

WHY CONDUCT MATURITY EVALUATIONS?

What are Maturity Assessments?

In a nutshell…

It is well documented that companies that have achieved a high degree of integrated GRC / IT GRC maturity within their organisations are:

More likely to meet and exceed expectations in achievement of objectives.

Less likely to suffer the adverse effects of a serious incident / event.

Have far higher customer retention levels than their competitors.

Are perceived by their customers and key stakeholders with a higher level of trust and confidence.

Demonstrate significantly increased capabilities to deal with the “unexpected”.

Demonstrate far higher levels of resilience to interruptions and crisis.

Realize the value of better decision making, through access to unbiased & transparent information.

Unfortunately, very few organisations take the time to effectively develop a GRC / IT GRC roadmap and supporting strategy against a proven and workable GRC Maturity Model.

Take the free online quick assessment as a quick test of your current IT GRC status.
