Introduction
Any good project manager will tell you the importance of having a Plan B in store, in the event that a risk materializes unexpectedly. A backup strategy, Plan B is not considered for deployment in the normal course of things. It is the path of action that the project manager will embark on, to reduce the impact of unforeseen risks that have materialized. It is drawn up even before the project has started, after in-depth evaluations of the risk tolerance levels of all stakeholders. As part of Risk Management, it remains a crucial tool for Project Managers.
In the cybersecurity world, where increased online activity is matched by a commensurate rise in cyber threats and cyber incidents, planning for risk goes beyond the realms of a Plan B. With risk mitigation being a priority that is outsourced to Managed Service Providers (MSPs) (10) by SOCs today, Mitigation Services is tipped to increase manifold in the coming periods.
Explaining the need
Checkpoint (4) reports that 2023 marked another year of ‘relentless cyberattacks globally’ with organizations, on average, experiencing over 60,000 attacks in the year. Ransomware attacks in 2023 for example showed a spurt of over 33% over 2022, with one in every 10 organizations being hit with ransomware demands.
McKinsey (7) says that damage from cyberattacks will amount to about $10.5 trillion annually by 2025—a 300 percent increase from 2015 levels. Threat prevention provider Perception Point (1) points out that attack vectors have changed as threat actors have redirected their arsenal from addressing email and web browsers to cloud-based apps, services, and collaboration platforms.
Their report indicates that organizations are spending a whopping USD 1,197 per employee a year to address cybersecurity incidents across all interfaces. For a mid-sized organization of 500 employees, that amounts to USD 600,000 a year. Yet that is only skimming the surface, for it does not reckon the damage wrought by business losses, loss of goodwill and customer confidence, fines by compliance authorities, and remediation costs, often leading to bankruptcy or inability to operate.
With such crippling costs and devastating consequences always likely, Mitigation Services in the cybersecurity world are in many ways, considered rightly as the equivalent of cyber insurance (2).
What it is
TechTarget (5) calls Mitigation Services ‘the process of planning for disasters and having a way to lessen negative impacts.’ Risk is inherent in business, and though businesses would like to eschew risks altogether, the truth is that risk cannot be avoided, and despite even the best risk management measures, some damage can always occur.
Risk management is not about planning to avoid a risk, but planning to mitigate or reduce the impact of that risk should and when it occurs. It involves setting out the steps that need to be taken before the event occurs so that adverse and long-term effects are mitigated.
Amongst the first steps is identifying vulnerabilities and potential weaknesses in a system or network. This can involve regularly patching software, updating security protocols, and implementing controls to monitor and detect potential threats, such as intrusion detection systems or network monitoring tools.
Another important step is embedding an awareness in employees and stakeholders about the need for responsible online user behavior necessary for potential threats. Experts call this the first line of defense. Crowdstrike’s article (3) serves as a best practice guide for responsible user behaviors.
Damage control is the next strategy of mitigation. With attacks being potentiated with alarming frequency, organizations need to have a clear and well-defined incident response plan in place. Remediation measures are the steps that need to be taken to contain the incident, investigate the cause, ensure timely data recovery and restoration of backups, and resume normal operations.
Mitigation Services and organizations
Cybersecurity risks now rank high in the hierarchy of risks of organizations. Over the years these risks have evolved considerably starting out with exfiltration of sensitive corporate data and expanding to ransoms, compliance violations, loss of face and reputation, and erosion of stakeholder confidence. Most organizations today have a risk management department with a Risk Management Officer (RMO) at its helm.
The RMO (6) is tasked with risk identification and evaluation, embedding a risk-awareness mindset amongst employees, and setting up a risk mitigation plan. Mature organizations recognize and acknowledge risk mitigation as a strategic corporate enabler and not a cost center or a compliance mandate. The RMO is responsible for putting in place a set of measures to mitigate risks.
Amongst the steps that the RMO will take in the risk mitigation plan is the appointment of a vendor who offers a wide variety of mitigation services, that include but are not necessarily restricted to:
- Conducting risk audits periodically
- Carrying out regular vulnerability scans and penetration testing
- Overseeing security protocols including data recovery and backup
- Assisting in embedding a safety culture
- Providing Virtual CSO services
- Organizing industry-specific compliance services
- Carrying out frequent cyber hygiene planning
- Setting up, monitoring, and testing a robust Risk Reporting System
- Establishing an effective Incident Response Plan
Here to stay
Gartner (9) predicts that 2024 will witness an increase in IT spending worldwide with the spend likely to be in the vicinity of $5 trillion, an increase of 6.8% over 2023, when the industry was deemed to be experiencing change fatigue, due to a reluctance of CIOs being reluctant to move away from existing technology partners and commit to new long-term cybersecurity contracts. 2024 however is tipped to see IT Services – which include Mitigation Services – for the first time overtake Communications Services in the cybersecurity spend landscape.
Cybersecurity Dive (8) says that a continuously growing digital user footprint, remote and hybrid working patterns of employees, and governmental pressure to standardize enterprise security approaches are driving the steep demand that the industry is experiencing. Their article quotes PwC as saying that organizations are ‘seeing greater value in the separation of duties, both through a lens of greater risk mitigation as well as better specialization.’
The writing therefore is clearly on the wall. Mitigation Services, another in a long list of services provided by Managed Service Providers (MSPs), are tipped to increase and quite clearly, here to stay!
References
- Cybersecurity incidents cost organizations $1,197 per employee, per year | VentureBeat
- Redefining Cybersecurity Insurance for the Evolving Digital Threat Landscape | Aurora (aurorait.com)
- What is a Polymorphic Virus? Examples & More – CrowdStrike
- 2023 – The Year of Mega Ransomware Attacks – Check Point Blog
- What is Risk Mitigation? Definition, Strategies and Planning (techtarget.com)
- Integrating Risk Mitigation Into Corporate Culture (forbes.com)
- New survey reveals $2 trillion market opportunity for cybersecurity technology and service providers | McKinsey
- As companies tighten tech spend, demand for cybersecurity services grows | Cybersecurity Dive
- Gartner Forecasts Worldwide IT Spending to Grow 6.8% in 2024
- Managed Service Providers – And Just Why Organizations Need Them On Board | Aurora (aurorait.com)
