Why your cybersecurity needs to be dragon-proof


28 Oct 2022


If your cybersecurity strategy isn’t planned out properly, you might find yourself in dangerous territory where there be dragons, warns James Costanzo.

“It does not do to leave a live dragon out of your calculations, if you live near him,” writes JRR Tolkien in The Hobbit.

What, exactly, makes a calculation sufficiently dragon-proof? We’ll get there, rest assured. But first, let’s agree on this: There is a dragon, and he’s moved in next door.

For those unfamiliar with Smaug, the arrogant, cunning, wealth-hoarding dragon of The Hobbit, or the existential threat he presents to the book’s protagonist, Bilbo Baggins, here’s all you need to know. The dragons of Middle Earth are mean and greedy, greedy and mean. They love gold, and take it with impunity.

In my estimation, this is the perfect analogy for our current data protection predicament, where data is akin to gold. And instead of one fire-breathing menace intent on stealing it, there are many.

Either way, it simply does not do to be unprepared.

A mountain of gold

From 2010 to 2020, the total amount of data created, captured, copied, and consumed globally increased by more than 62 zettabytes, according to Statista. Over the next half a decade, that number is expected to triple.

As the volume of data increases worldwide, so does its value. Just think of all the valuable information that now lives in virtualised environments: Medical records, financial statements, confidential employee information, classified government documents, photos of family pets, and so on.

Another way to frame this would be that the more data we have, the more we have to lose. Today, the pain associated with losing data – because of human error, hardware failure, natural disaster, or theft – is almost ubiquitous. Even my 85-year-old grandparents (generally) understand the importance of backing up their photos to the cloud.

While losing family photographs can be frustrating, even saddening, the financial, legal, and reputational ramifications associated with data loss can be catastrophic for businesses, governments, and other large organisations.

And so, at last, we’ve reached the razor-sharp nadir of our logical chain reaction. Unfortunately, as the volume and value of our data continues to grow, so will attempts to steal and/or compromise it. Those who pay attention to recent headlines already know this to be true.

Enter the dragon

In May 2021, Colonial Pipeline, which operates the 5,500-mile network of pipes responsible for roughly 45pc of the gasoline and diesel fuel consumed on the US east coast, was forced to close following a ransomware attack. It took five days for the company to begin restarting operations and, even then, fully restoring the flow of fuel was not immediate.

The attack’s impact was felt nationwide, with frenzied runs on fuel resulting in long lines and shortages up and down the east coast, surging gas prices, and volatility across the energy market. It even prompted an emergency response from the Biden Administration, which addressed the growing threat of ransomware by name.

This, of course, is but one high-profile example in what is now a worldwide crisis. In the wake of the Covid-19 pandemic, especially, organisations have experienced an acute struggle to maintain security and business continuity.

Between 2019 and 2021, the number of ransomware complaints reported to the FBI increased by 82pc. With millions more people working from home, the risk of cyber-threats and system breaches has grown exponentially and is continuing to rise.

According to Cybersecurity Ventures, ransomware attacks alone are expected to impact a business, consumer, or device every two seconds by 2031, up from every 11 seconds in 2021. Over that same time frame, the total global cost of ransomware is projected to increase from £19bn to a staggering £240bn. All totalled, the global cost of cybercrime is forecasted to grow by 15pc year over year.

By 2025, the damages are predicted to reach £13.9trn annually, up from £2.8trn in 2015. That would represent the greatest transfer of economic wealth in human history – exponentially larger than costs associated with natural disasters and more profitable than the global sale of all major illegal drugs combined.

Now that’s what I’d call a dragon-sized problem, one we’d be foolish to leave out of our calculations.

Plan for protection with NIST CSF

There’s something to be said for having a plan. A great many things, in fact.

From Confucius to Benjamin Franklin to Tolkien to today’s TikTok influencer du jour, human beings have long recognised (and touted) the virtue of preparation. And while we have no shortage of pithy reminders to plaster on posters, embroider on throw pillows, or wedge into articles (wink, wink), finding the right way to prepare for life’s many dragons is easier said than done.

When it comes to data security and protection planning, specifically, there are but a few accepted, cohesive frameworks. One such cybersecurity framework (CSF) was crafted and introduced by the US National Institute of Standards and Technology (NIST).

This voluntary framework consists of standards, guidelines and best practices designed to help organisations of any size and sector improve the cybersecurity, risk management, and resilience of their systems. Critical calculations for nearby dragons, as Tolkien might say.

Originally intended for critical infrastructure, today it has broader applicability across all organisation types. The NIST CSF has been increasingly recognised by governments and organisations as the recommended best practice guide to help improve the cybersecurity risk management and resilience of their systems. As of 2022, it has been downloaded more than 1.7m times, and is currently being used by organisations across a wide range of sectors, sizes, and geographies.

When boiled down, the NIST CSF consists of five key functions: identify, protect, detect, respond and recover. According to the framework, these are the five primary pillars of a successful and holistic cybersecurity programme. They help organisations express their management of cybersecurity risk at a high level, enabling risk management decisions and acting as the backbone around which all other framework elements are organised.

It has never been more important to have a cohesive and holistic approach to your organisation’s cybersecurity. The increasingly dire state of data protection and security and growing demand for data-heavy online services means the need for action to protect your organisation and maintain operational resilience has never been higher.

Implementing the NIST CSF framework is a great step to protect your gold from the growing number of dragons in the world.

By James Costanzo

James Costanzo is product marketing manager at Iland, an 11:11 Systems company. The 11:11 Systems blog is publishing an in-depth exploration into each of the NIST CSF’s five key functions.
