Exclusive contribution for The Executive Magazine by Steve Williamson, Audit Account Director (Cyber Security and Data Privacy) at GSK.
In 2000, the “Love Bug” worm infected an estimated fifty million computers. It spread through email with the subject line “ILOVEYOU” and an attachment labelled “LOVE-LETTER-FOR-YOU.TXT.vbs”; because Windows hid the final extension by default, the attachment looked like a harmless text file, and opening it ran a Visual Basic script that mailed a copy to every address in the victim’s Outlook address book. It remains one of the most far-reaching malware outbreaks in history. Fast forward to 2024, when a defective content update to CrowdStrike’s Falcon sensor crashed roughly 8.5 million Windows computers, causing widespread disruption, including grounded flights and cancelled medical procedures. The Love Bug attack was deliberate; the CrowdStrike outage was not an attack at all, but an error in a trusted vendor’s software release. Whether driven by malice or mistakes, cyber incidents, and their potential to disrupt business operations, are on the rise. As businesses continue to integrate more digital solutions, these disruptions will only increase.
The digital landscape has dramatically changed since 2000. The complexity of cyber threats has grown, organisations’ digital footprints have expanded, and new regulations — covering data privacy, AI, and cybersecurity — are emerging.
Today, e-crime and nation-state actors dominate the threat landscape. Financial gain is the primary driver for e-criminals, who deploy ransomware, steal sensitive data, and extort their victims, increasingly by threatening to publish stolen data whether or not systems have been encrypted. Many businesses, seeing no viable alternative, pay the ransom to restore their systems or protect their stolen data, although payment guarantees neither outcome. These threat actors are well organised, buying initial access, malware and hosting infrastructure as services through dark web marketplaces. Yet, despite their sophistication, they frequently rely on familiar attack methods: social engineering, credential theft, and the exploitation of unpatched vulnerabilities in software.
A growing complexity for organisations is managing their increasingly distributed digital ecosystem, which spans on-premises infrastructure and cloud service providers. Mapping this web of third-party dependencies, including software as a service (SaaS) providers, software distributors, technology support specialists, and major cloud players like Microsoft, Google, and Amazon, can be daunting. This distributed model offers many advantages, such as consumption-based pricing, access to best-in-class services and ease of scalability. A small enterprise with only twenty employees can leverage the same functionality, security, and resilience as a large corporation, thanks to cloud services. This enables businesses to innovate rapidly, integrating advanced technologies like generative AI with minimal investment in infrastructure. However, every dependency in this expanding footprint is also an attack vector and a point of failure that the organisation does not directly control. The CrowdStrike outage illustrated this: a single vendor’s update took down customers’ systems around the world at the same moment, regardless of how well those customers ran their own environments.
As organisations become more reliant on digital and data, the fundamental cybersecurity triad — Confidentiality, Integrity, and Availability (CIA) — takes on new importance. Availability has become a critical focus, as businesses from manufacturing to e-commerce can no longer operate without their digital infrastructure, so their tolerance for downtime is low. It is therefore no longer sufficient to rely solely on business continuity and IT disaster recovery plans, which assume that an outage happens and is then recovered from. Systems must be resilient by design, so that the failure of one component does not interrupt the service. For instance, if a data centre experiences an outage, workloads should automatically fail over to an alternate data centre to minimise disruption to business workflows. Two caveats apply. Failover only works if it is exercised regularly, because an untested standby tends to fail when it is finally needed. And failover protects against independent failures, not correlated ones: the CrowdStrike update reached every affected machine at once, so a second data centre running the same software would have gone down with the first. Defending against that class of failure means staging vendor updates, rolling them out to a small subset of systems first, rather than relying on geographic redundancy alone.
Technology outages can occur due to cyber-attacks, system failures, or human errors. Mitigating these risks requires a balanced approach with preventive, detective, and corrective controls. Preventive measures include cybersecurity education for all users, identity and access management (in particular multi-factor authentication, which blunts the credential theft that so many attacks depend on), and continuous software patching. Detective controls, meaning the collection and monitoring of logs from endpoints, identity systems and cloud services, enable security teams to spot and respond to suspicious activity that could indicate a breach before it becomes an outage. Corrective controls focus on system redundancy, failover mechanisms, and effective backup and restore processes; against ransomware in particular, backups must be kept offline or immutable so that the attacker cannot encrypt or delete them, and restores must be tested so that the recovery time is known rather than hoped for. No single layer is sufficient, but together they reduce both the likelihood and the impact of an outage.
Much has changed since the Love Bug computer worm. Organisations have a vastly more complex digital environment, resulting in an accumulation of technology risk. The growing internal digital footprint, combined with a more challenging external threat landscape and the increasing regulatory burden, means that cybersecurity must now be considered an enterprise-level risk. Ensuring that systems are designed with the right mix of preventive, detective, and corrective controls is essential to achieving a high level of security and resiliency. While it’s impossible to eliminate all risk, this proactive approach will enable businesses to manage their digital transformation whilst reducing their risk to an acceptable level. This is the cost of innovation.