Cybersecurity


Cybersecurity - then and now

The creation of computer technologies dates back to the 1930s, when Alan Turing developed the universal machine. IBM then went on to mass-produce the first computer in the 1970s, which essentially led to the invention of the Internet. During all this time, the thought of criminal minds hacking into these supercomputers seemed impossible. However, the founder of KnowBe4, Kevin Mitnick, amongst other world-famous hackers, created a multi-billion-dollar industry around cybersecurity. Ten years ago, corporate businesses saw cyber threats as a myth and cybersecurity products as a grudge purchase. Today cybersecurity is seen as one of the most important aspects of a business, and on average a business will budget and spend between 10 and 12% of its IT budget on cybersecurity. In 2019, the World Economic Forum highlighted the top 3 risks most likely to happen with the highest risk of impact, which included climate change, cyber-attacks and terrorist attacks. In 2021, climate change was replaced by infectious disease, obviously due to the Covid-19 pandemic; however, cyber threats are still rated amongst the highest.

 

The cost of cybercrime has skyrocketed from $600 billion in 2018 to 1.2 trillion and is estimated to grow by a staggering 42% over the next two years, with no signs of slowing down. The current global average cost of a data breach, considering all major industries, is estimated at $3.86 million. The current climate has seen businesses worldwide downscaling and moving to remote working environments, reducing their workforce to become more agile and competitive. The effect is a notable increase in unemployment, with less business expertise and fundamental cyber knowledge left to protect businesses from rising cyber-attacks. Consider the Marriott breach of 2018, where the company went public revealing that 500 million customers had been affected, with 5.25 million unencrypted passwords, 20.3 million encrypted passwords and a further 8.6 million encrypted payment card details exposed in the security breach. The irony of this story is that the bad actors penetrated the Marriott network 2 years before and did reconnaissance at their own leisure, which is the blueprint for any attacker's modus operandi. Enter Lockheed Martin, an American-based security and aerospace company that specializes in the research, design and development of advanced technology systems. They designed the Cyber Kill Chain methodology, used by the National Institute of Standards and Technology (NIST) as a component of the Cyber Security Framework.

The steps include:

Reconnaissance - The attacker chooses their target, then conducts in-depth research on it to identify vulnerabilities that can be exploited.

Weaponization - The intruder creates a malware weapon, such as a virus or worm, in order to exploit the vulnerabilities of the target. Depending on the target and the purpose of the attacker, this malware can exploit new, undetected vulnerabilities (also known as zero-day exploits) or it can focus on a combination of different vulnerabilities.

Delivery - This step involves transmitting the weapon to the target. The intruder/attacker can employ different methods like USB drives, e-mail attachments and websites for this purpose.

Exploitation - In this step, the malware starts the action. The program code of the malware is triggered to exploit the target’s vulnerability/vulnerabilities.

Installation - In this step, the malware installs an access point for the intruder/attacker. This access point is also known as the backdoor.

Command and Control - The malware gives the intruder/attacker access to the network/system.

Actions on Objective - Once the attacker/intruder gains persistent access, they finally take action to fulfil their purposes, such as encryption for ransom, data exfiltration or even data destruction.
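For defenders, the value of the seven steps is in knowing how far along the chain an intrusion was first noticed. The following is an added example, not part of the original article: it maps alerts to the stages above and reports, per host, the deepest stage reached and the earlier stages that produced no alert. The alert type names, host names and sample alerts are constructed, and the mapping of alert types to stages is an assumption.

```python
from collections import defaultdict

# The seven stages, in the order the article lists them.
STAGES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command and Control", "Actions on Objective"]

# Assumed mapping from (hypothetical) alert types to kill chain stages.
ALERT_STAGE = {
    "port_scan": "Reconnaissance",
    "phishing_attachment": "Delivery",
    "usb_autorun": "Delivery",
    "exploit_signature": "Exploitation",
    "new_service_installed": "Installation",
    "beacon_to_rare_domain": "Command and Control",
    "mass_file_encryption": "Actions on Objective",
    "large_outbound_transfer": "Actions on Objective",
}

# Constructed sample alerts: (timestamp, host, alert type).
SAMPLE_ALERTS = [
    ("2021-03-01T09:00:00", "ws-014", "port_scan"),
    ("2021-03-02T10:15:00", "ws-014", "phishing_attachment"),
    ("2021-03-02T10:16:30", "ws-014", "exploit_signature"),
    ("2021-03-02T10:20:00", "ws-014", "new_service_installed"),
    ("2021-03-03T02:00:00", "ws-014", "beacon_to_rare_domain"),
    ("2021-03-02T11:00:00", "ws-022", "phishing_attachment"),
    ("2021-03-05T23:40:00", "srv-db1", "large_outbound_transfer"),
]

def kill_chain_report(alerts):
    """Per host: stages observed, deepest stage reached, earlier stages with no alert."""
    seen = defaultdict(set)
    for _ts, host, alert_type in alerts:
        stage = ALERT_STAGE.get(alert_type)
        if stage is not None:  # skip alert types that have no stage mapping
            seen[host].add(STAGES.index(stage))
    report = {}
    for host, idxs in seen.items():
        deepest = max(idxs)
        # Assumption: weaponization happens on the attacker's side and is
        # not observable on the defender's network, so it is never a gap.
        missed = [STAGES[i] for i in range(deepest)
                  if i not in idxs and STAGES[i] != "Weaponization"]
        report[host] = {"deepest": STAGES[deepest],
                        "observed": [STAGES[i] for i in sorted(idxs)],
                        "missed": missed}
    return report
```

A host whose first alert is at Actions on Objective, with every earlier stage missed, is the Marriott pattern described above: the intrusion was only seen once the damage was being done.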

Currently, there are an estimated 6,000 online marketplace stores offering over 45,000 ready-to-deploy ransomware products, allowing virtually any person to become a serial hacker.

The global adoption of social media saw the online user population increase from 970 million in 2010 to 3 billion in 2020. Businesses, governments, and people of importance use social media to gain exposure and communicate information to their followers. This is ideal for the hacker community to track and profile their victims in real time. Fuelling the fire is the migration to the cloud. Until 2018, almost 90% of all data was kept local and on-premise under lock and key. It is now estimated that at the end of 2021, 100 zettabytes (93,132,257,461,547.8515625 gibibytes) of data will have moved to public cloud environments. Hosted cloud technologies like Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS) are now more widely used than their on-premises counterparts due to their scalability and the reduced need for onsite maintenance of IT equipment.

 

The most disruptive business risks for 2021 will come from the Internet of Things, insider threats, endpoint attacks, social engineering, AI-driven attacks, phishing, ransomware and malware. These attacks are designed to find and exploit vulnerabilities in an organization’s network to release their payload and gain valuable personal data to complete their purpose. Attack vectors are ever-changing, making static KPIs and rudimentary manual Governance, Risk and Compliance reporting inefficient and time-consuming. On the other hand, cloud-based proactive Information Risk Management solutions like the CyberStrong platform offer a targeted approach to business risk management.

The world is heading towards the 4th industrial revolution, which will see technological advancements driven on a molecular level. Quantum mechanics will change not only the way we work but also the way we look at privacy, security and risk. Cryptology will be one of the most severely and negatively impacted industries because quantum technology will be able to decipher all forms of algorithms, including but not limited to symmetric and asymmetric encryption. For those who did not know, quantum technology uses qubits instead of bits. Both can be in one of two states, either 1 or 0; however, qubits have a characteristic called superposition. This means that a qubit can be a 0 and a 1 at the same time. In other words, qubits can exist in multiple states simultaneously and therefore hold 2 bits of data simultaneously.

To give this some perspective, quantum technology processes in four days what would take a current-day quad-core processor 400 years to complete. Having such processing power combined with 5G Internet speeds opens many opportunities for the Internet of Things (IoT) to take off and become a reality. Adding artificial intelligence and deep learning to the mix allows us to analyse data in real time and detect and respond to cyber threats instantaneously. Finally, blockchain security will become a formidable contender when it comes to identity protection. It works on the same principle as the current crypto blockchain peer-to-peer method, whereby each block generates its hash based on the present value and the hash from the previous block. This technology, still in its infancy, will rely heavily on cryptography and could fall prone to a significant risk of breach when quantum technology is realised in the near future.

The most widely adopted security model is the CIA Triad, which incorporates three principles for the protection of information security systems. Confidentiality: the ability to hide information from unauthorised people. Integrity: the ability to ensure data is kept accurate and unchanged from its original format. Availability: the ability to ensure information is available for authorised viewers. To assess a company's risk posture, key performance indicators relating to quantitative and qualitative risk assessment strategies are typically adopted. Let me explain. The quantitative assessment associates incidents with probabilities over a predefined period of time. The calculation uses the exposure factor and single loss expectancy per asset, together with the annual rate at which this loss could occur. The result is a quantifiable number that predicts the total loss expected from this asset over the predetermined time frame. The final step in quantitative risk assessment is a cost-benefit calculation to determine risk tolerance, which will see the risk being accepted, transferred, mitigated or avoided.
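The quantitative calculation and the cost-benefit step can be carried through in a few lines. The following is an added example, not part of the original article: it uses the standard formulas (single loss expectancy = asset value × exposure factor; annualised loss = single loss expectancy × annual rate) and, as an assumption, picks whichever treatment has the lowest yearly cost plus residual loss. The assets, costs and rates are constructed sample values.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    asset: str
    asset_value: float      # business value of the asset
    exposure_factor: float  # fraction of that value lost per incident (0..1)
    annual_rate: float      # expected incidents per year

    @property
    def sle(self):          # single loss expectancy
        return self.asset_value * self.exposure_factor

    @property
    def ale(self):          # loss expected per year if nothing is done
        return self.sle * self.annual_rate

@dataclass
class Treatment:
    kind: str               # "mitigate", "transfer" or "avoid"
    annual_cost: float      # control cost, insurance premium, lost revenue
    ef_after: float         # exposure factor once the treatment is in place
    rate_after: float       # annual rate once the treatment is in place

def choose(risk, treatments):
    """Return (decision, yearly cost). Accepting the risk costs its full ALE."""
    best = ("accept", risk.ale)
    for t in treatments:
        residual = risk.asset_value * t.ef_after * t.rate_after
        total = t.annual_cost + residual
        if total < best[1]:  # assumed rule: lowest cost plus residual loss wins
            best = (t.kind, total)
    return best

# Constructed sample data.
CUSTOMER_DB = Risk("customer database", 2_000_000, 0.25, 0.5)
DB_OPTIONS = [
    Treatment("mitigate", 40_000, 0.0625, 0.5),    # encryption and monitoring
    Treatment("transfer", 120_000, 0.03125, 0.5),  # insurance with a deductible
    Treatment("avoid", 300_000, 0.0, 0.0),         # stop holding the data
]
KIOSK = Risk("lobby kiosk", 4_000, 1.0, 0.125)
KIOSK_OPTIONS = [Treatment("mitigate", 2_000, 1.0, 0.0)]
```

Here `choose(CUSTOMER_DB, DB_OPTIONS)` selects mitigation, while the kiosk risk is accepted because the only control costs more per year than the loss it prevents.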

By contrast, a qualitative assessment method considers human and social factors such as beliefs, acts, and motives associated with threats. This exercise's output is a risk assessment matrix that identifies the impact of the vulnerability related to an asset's risk. Taking the human factor into consideration when assessing risk exposes many variables relating to a business, including age, level of seniority, level of responsibility, knowledge of information security and ability to make crucial decisions that could positively or negatively affect the outcome.

How do we quantify Risks?

Known-Known Risks - Elephant in the room: A well-known, obvious risk that no one wants to talk about or address. Known knowns are the easiest type of risk when it comes to risk management. One known stands for the fact that the organisation is aware that such a risk exists. The other known is the fact that the risk can be measured and its effects can be quantified.

Known-Unknown Risks - Black jellyfish: Unintended risks arising from known phenomena. Known unknown risks are the second category of risks that companies generally face. These risks are called known unknowns because the organisation is aware of the existence of such a risk. However, the organisation is not aware of the probability that this risk will affect them, and they are not able to quantify the impact that these risks will have on their business if they materialise.

Unknown-Known Risks - Grey rhino: A grey rhino is a highly probable, high-impact yet neglected threat. These are risks that are created due to the negligence of the company.

Unknown-Unknown Risks - Black swan: The most dangerous type of risk that an organisation faces. One unknown stands for the fact that the company is not even aware of the existence of such a risk. The other unknown goes without saying, because the company is not even aware of the existence of such a risk. Hence, the question of measuring and quantifying the risk does not really arise. These risks typically tend to have a very high impact and endanger the very existence of the organisation.

In conclusion, many organisations are adopting the phrase “Zero Trust” to protect their intellectual property, meaning no one in any organisation, including your own, should be trusted. This distorts the reality, as Zero Trust should not be seen as the end goal but rather as a means to an end. Computer users are considered the most significant threat to network security, and without people, no breaches will occur. This is true; however, people are the business, and without them, there will be no economy. A different perspective should be taken instead, where people become the enablers of their own destinies. Initiatives like Human Risk Management should become second nature throughout business, where knowledge transfer is done on a larger scale, investing the time and effort to pursue knowledge transfer so that all these great technologies work for us and not against us.