In the rapidly evolving digital landscape, cybersecurity has emerged as a critical business issue that leaders across all sectors must grapple with. The increasing sophistication and frequency of cyberattacks have made it clear that cybersecurity is no longer just a technology concern, but a business one. Leaders who fail to recognize this are at risk of being caught off guard, with potentially devastating consequences for their organizations.
The EY 2023 Global Cybersecurity Leadership Insights Study found that the average annual spend on cybersecurity in 2023 was US$35 million. This significant investment underscores the growing recognition of the importance of cybersecurity. However, despite this increased spending, only one in five cybersecurity leaders considers their organization’s cybersecurity approach to be effective for current and future threats. This is a concerning statistic, especially considering that the World Economic Forum has identified cybercrime as one of the most significant risks for the next decade.
The study also revealed that known cyberattacks have surged by 75% over the past five years. This dramatic increase is a stark reminder of the escalating threat that cybercrime poses to businesses. Even more alarming is the fact that most companies take more than six months to respond to an incident. This slow response time is a clear indication that many organizations are struggling to keep up with the rapidly evolving threat landscape and underscores the need for more effective incident response strategies.
The rise of next-generation technologies such as automation and artificial intelligence has further complicated the landscape. These technologies are being leveraged by adversaries to launch increasingly sophisticated cyberattacks. The global cost of cybercrime is projected to grow by 15 percent each year, reaching US$8 trillion in 2023, a significant rise from US$3 trillion in 2015.
These figures highlight the urgent need for leaders to take a proactive approach to cybersecurity, but the number of potential attack points is too vast for any cybersecurity team to manage effectively. Our cybersecurity study revealed that 84 percent of organizations are in the early stages of incorporating at least two additional technologies into their existing cybersecurity measures. However, paradoxically, each new technology introduces an additional cybersecurity risk. Organizations with complex, outdated technology are attractive targets for cybercriminals. The more congested your technology stack, the more difficult it becomes to detect suspicious activity.
Another significant challenge is ensuring that employees are not inadvertently providing attack surfaces for cyberattacks. Even the most robust cybersecurity defenses are ineffective if employees do not comprehend the risks and react appropriately to them. This issue is further complicated by the fact that all organizations are now digitally interconnected with businesses in their supply chains, making the challenges appear insurmountable.
What can we infer from all this? It suggests that the boundary of a company’s cybersecurity issue is not where the company presumes it to be. Cybercriminals employ a “one-to-many” strategy, targeting the weakest link to infiltrate thousands of businesses. Most business leaders, including those who believed they were proactive in addressing cybersecurity, find themselves unprepared.
To safeguard your organization’s cybersecurity, consider the following actions:
1. Leverage generative AI (GenAI)
GenAI is a hot topic in the cybersecurity world. While it hasn’t been extensively used in cyberattacks yet, it’s crucial to stay ahead of potential threats. Cybercriminals are likely to start using GenAI to create more sophisticated malware, leveraging large language models based on existing malware and other exploits. This could result in faster and more novel attacks. On the defense side, it’s time to move from experimentation to implementation. Start implementing GenAI-based defenses, like Microsoft Copilot for Security, in your Security Operations Center. However, remember that this is just the first step in a multi-year journey.
2. Build resilience
Given the inevitability of cyberattacks, it’s essential to focus on building resilience into your operations. Prioritize data resilience, including backup and recovery of immutable copies. This is particularly important in light of the increasing number of successful ransomware attacks. Also, work on improving the resilience of mission-critical processes and systems. But resilience isn’t just about technology investments. It also involves spending more time and effort on incident response planning and simulations to ensure your organization is cross-functionally ready to respond when an attack occurs.
3. Comply with regulations
Regulatory scrutiny on cybersecurity and risk management is increasing. Ensure your organization is compliant with all relevant regulations. This may require investments in governance, reporting, and deeper transformation. Keep an eye on new regulations, such as the cyber disclosure rules of the U.S. Securities and Exchange Commission. Regulatory compliance is not just about avoiding penalties; it’s also about demonstrating to stakeholders that you take cybersecurity seriously.
4. Optimize existing resources
With cybersecurity budgets tightening, it’s important to maximize the value of existing cyber assets. This can be achieved by improving people and processes. Work on transforming data and better integrating it across the cyber stack for greater insights and response capabilities. This will help you detect threats earlier and respond more effectively.
5. Shift left
Aim to achieve the “holy grail” of cybersecurity — “shifting left” or embedding security controls at the design and development stage. This is often easier said than done, but it’s a goal worth pursuing. Work with internal development teams to drive stronger secure design and coding principles. Also, be prepared for increased pressure from agencies like the Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation on commercial software vendors to ensure security. This shift will not only enhance your organization’s security but also save time and resources in the long run by preventing security issues before they occur.
Jeremy Pizzala is EY’s Asia-Pacific Cybersecurity Consulting Leader. He has 30 years’ experience in Consulting, Outsourcing and Business Transformation and has helped clients across the banking, capital markets and insurance sectors implement large-scale, technology-led transformation. Jeremy has recently focused on helping clients embed Cloud, Cybersecurity and Application modernization as pillars of their digital transformation. He has also developed novel solutions leveraging quantitative modelling techniques to help clients get a firmer grip on their potential cyber economic losses and the associated responses. Jeremy has in-house banking experience gained from working in a leading regional bank for 5 plus years. He has diverse international experience, having lived and worked in locations including Hong Kong, London and Sydney.
The views reflected in this article are the views of the author and do not necessarily reflect the views of the global EY organization or its member firms.
TNGlobal INSIDER publishes contributions relevant to entrepreneurship and innovation. You may submit your own original or published contributions subject to editorial discretion.