What are the four key challenges for companies? And above all: how can they strengthen their resilience in concrete terms?

1. new threats from generative AI and quantum computers

The rapid pace of technological development not only brings advances, but also new threats. Generative AI can be a powerful tool, but it also allows cybercriminals to create extremely convincing phishing emails or deepfakes that can easily bypass traditional security systems. In addition, it is already clear that advances in quantum computing could make traditional encryption methods obsolete in the future.

To meet these challenges, companies must act proactively. A critical factor is the modernization of IT infrastructure, which includes both AI-powered security solutions and quantum-safe encryption technologies. The Kyndryl Readiness Report[1] shows that 86% of organizations consider their AI implementation to be top-notch, but at the same time only 29% believe their AI systems are ready to handle future risks. So it's clear that strategic planning and continuous innovation are needed to both anticipate emerging threats and make the best use of existing technologies.

2. overcoming organizational silos

A key challenge for organizations is the fragmentation between security and business areas, which often leads to inefficiencies and increased risks.

Effective management systems such as ISO 27001 provide a structured approach to overcoming these silos by linking security strategies to overarching business objectives. Establishing an information security management system (ISMS) helps to define clear processes and responsibilities and promote collaboration between IT, security and business units. At the same time, ISO 27001 promotes a culture of continuous improvement that enables organizations to respond flexibly to new threats and meet regulatory requirements efficiently.

Despite technological advances, however, people remain a key factor. Structured training programmes such as phishing simulations or training on secure password use increase cyber vigilance at all levels of the organization. By raising awareness of security risks and encouraging active participation, employees can better recognize and respond to potential threats. The combination of effective management systems and a well-informed workforce strengthens organizations' ability to mitigate risk and increase their resilience.

3. efficient use of security tools

The multitude of security tools available can give the impression that more tools automatically mean more protection. In reality, however, this often leads to an over-complexity that makes it difficult to maintain an overview and favors security gaps. A consolidated security platform that integrates various functions can provide a remedy here. By centralizing security data and processes, companies can detect and respond to threats more quickly. Standardized dashboards and automated workflows improve efficiency and reduce human error. In addition, such a platform enables security managers to focus on strategic tasks instead of investing valuable resources in the management of individual solutions. Furthermore, a consolidated solution creates transparency, which is essential for both internal and external audits.

4. anchoring readiness for cyber security at C levels

However, the biggest hurdle to a holistic cybersecurity strategy is often organizational in nature: the lack of support from senior management. According to the Kyndryl Readiness Report, 69% of large organizations report a lack of critical support from their boards of directors. Additionally, 73% of security leaders indicate that their boards of directors do not take an active interest in their organization's cybersecurity readiness. Without the active involvement of the board and C-level, cybersecurity therefore often remains an isolated issue.

Strategies to promote cyber awareness at senior management level include regular reporting on security risks and their potential business impact. A clear overview of the return on investment (ROI) of security investments can also be persuasive. Workshops and simulations of cyber attacks for top management can also raise awareness of the urgency of the issue.

Another important measure is the appointment of a Chief Information Security Officer (CISO), who reports directly to the management level (see also article on p. 34). This ensures that cyber security is anchored as a strategic goal and does not just remain at an operational level.

Cybersecurity as a strategic competitive advantage

Cyber security has become a strategic business imperative. Given the increasingly complex and dynamic threat landscape, organizations must take a holistic, long-term approach to their security strategies and cyber resilience. The four challenges described above - from emerging threats to organizational silos to strategic gaps at the executive level - illustrate the complexity of this task.

Companies that successfully overcome these challenges achieve more than just strengthening their lines of defense - they gain a strong competitive advantage. By linking cyber security to overarching business objectives, they not only close the gap between perceived and actual security, but also position themselves for sustainable success in an increasingly digitalized world.

[1] https://www.kyndryl.com/content/dam/kyndrylprogram/doc/en/2024/kyndryl-readiness-report.pdf

Author

Maria Kirschner is Vice President and General Manager of Kyndryl Alps. Kyndryl claims to be one of the world's largest providers of IT infrastructure services for thousands of corporate customers in more than 60 countries.

> www.kyndryl.com

Due to the global IT world, it is primarily English technical terms that are used when talking about cyber security and sources of danger: AI-based phishing attacks, credential stuffing, web scraping, skewing, DDoS and DNS scrubbing, and so on. Just reading them in can be a headache, at least if you're not familiar with the virtual world of data and communication. And this often happens in smaller companies. This is because there is neither a head of security nor an IT manager; these services are usually outsourced to external experts and agencies or you "muddle" through the issue as best you can. Both approaches also have disadvantages: External agencies keep their expertise to themselves and thus create dependency. And "muddling through" yourself harbors the aforementioned dangers, about which you simply know too little and therefore cannot protect yourself.

Sources of danger

To give you an idea of the dimensions, here is a brief summary of the threats mentioned: The term phishing (comes from "fishing") refers to attempts to impersonate a trustworthy communication partner via fake emails or websites. The aim of the fraudsters is to persuade Internet users to log in to fake advertising worlds, where they may leave behind confidential data such as passwords or user names.

Credential stuffing is an automated and frequently repeated cyberattack in which hackers use bots (from the English word "robot") in a largely automated attempt to access background data on a website. This is partly legal and desirable so that search engines can identify and publish the requested information. But there are also harmful methods of the process known as web scraping: data is misused, falsified or fed into the darknet.

Skewing attacks, the English verb to skew meaning to distort, also fit in with this. Attackers attempt to distort the information and statistics obtained via web analytics data, for example from Google Analytics. It is therefore not about data theft, but about the target companies being misled into making the wrong business decisions because of the manipulated data. And finally, DDoS; it stands for Distributed Denial of Service and describes cyber attacks that cause website outages by means of artificial and repetitive requests. So-called scrubbing services work against this, identifying such harmful traffic and preventing systems from being overloaded. And these are by no means all the dangers. How can small and medium-sized companies defend themselves against this?

Larger flashlight

The first step is to look closer and more closely, because the theft or misuse of internal company digital information has become the most frequently reported fraud, far more intense than physical theft. So whether a company has adopted cloud computing or only sends two or three emails a week, cyber security has become a core competency for even the smallest businesses. The key task for every responsible manager is therefore to create a culture of security.

Step 1 has already been mentioned several times in M&Q: regardless of which generation you belong to, you need to read up on the topic and get to grips with it. This does not mean that a manager has to understand or master everything, but that they have an overview of the topic, the external and internal influences, the opportunities and challenges, and any budgetary elements. If younger and more digital-savvy people in the team then take on certain tasks, that's perfectly fine. But the boss needs to know the big picture.

Safety culture

The first thing to do is to keep your system clean. This requires regular cleaning of old data, the latest security software and the installation of software updates as soon as they are available. Anti-virus software should be set up so that it automatically runs a scan after every update. This also includes the need to back up all company data at least once a week and store it off-site. The most important documents include personnel files, financial files, accounts receivable and accounts payable, as well as word processing documents. Anyone who does not do this is ultimately grossly negligent.

With the basic understanding gained through reading, a manager must now be able to define the basic security practices and guidelines for the company and its employees. These include clearly defined access rights to the system and to data, secure passwords, guidelines for using the Internet (including during free time spent in the office), and rules of conduct regarding company data and customer information.

Monitor accesses

Quite underestimated: private mobile devices can also cause considerable security problems, especially if they contain confidential information or can access the company network. Employees should protect such devices with a password, encrypt the data or install security apps. The same applies to laptops, which can easily be stolen or lost. Each employee should have a separate user account; and the corresponding passwords should only be assigned by expert IT personnel.

The company's internal Wi-Fi network can also be a potential source of trouble. It should be encrypted, only accessible with a password and set up using a router so that the network name (SSID, the so-called service set identifier) is not transmitted.

Either way, all passwords are potential areas of attack: firstly, they must be created in a complex way. This means that they must be at least eight characters long and consist of four different types of characters (upper and lower case letters, numbers and special characters). Secondly, sensitive passwords should be changed every three months, including those for employees' private devices. And thirdly, there is the option of multi-factor authentication for sensitive data, which requires further information in addition to the password. Certain banks, for example, offer their customers such services.

Cybersecurity is a core competence - and it can only be properly illuminated with a powerful flashlight.

Author

Daniel Tschudy is a publicist, speaker and consultant in the hospitality sector. However, he also deals with other topics relating to the new dimensions of global cooperation.