American Water, the largest regulated water utility company in the U.S., was shut down recently following a cyber attack. The shutdown followed similarly high-profile attacks, including one across the Atlantic on the body that runs transport in the U.K. capital, Transport for London. Attacks like these can cost a fortune, to say nothing of the havoc they can cause to ordinary people. And they’re becoming more frequent and more serious all the time.
The most recent AXA Future Risk Report named cybersecurity risks third (after climate change and geopolitical instability) among the greatest current challenges worldwide. There were 2,365 cyberattacks in 2023, with 343,338,964 victims. The number of data breaches was 72% above 2021, which had held the record. Data breaches cost $4.9 million on average in 2024. More than 90% of organizations have reported email security incidents. And compromised business email accounts accounted for over $2.9 billion in losses in 2023. The numbers show the scale of the challenge.
Clearly, therefore, we need a new approach. The traditional one relies heavily on a perimeter-based defense strategy, often referred to as the "castle-and-moat" approach. This emphasizes building strong defenses around the perimeter of a network to stop unauthorized access. But there’s a problem here: The approach assumes that threats are mostly outside the system in question, and that internal systems and users are secure and can be trusted. It doesn’t account for possible insider threats, stolen details, or malicious actors able to get beyond the "castle and moat" via phishing or other methods.
In fact, 95% of successful cyberattacks are believed to take place because of errors or weaknesses caused by people, rather than technical problems in the system. Traditional security measures also depend too frequently on recognizing known threats and applying fixed rules to detect and stop attacks. This may have worked in the past, but it needs to evolve.
What might a new approach look like? There are at least three main aspects: education, risk assessment, and risk prevention.
First, education. The best defense against a cyberattack on an organization is a workforce that consists of people who can recognize risks, understand them, and respond to them in the right way – and to do that on a continuing basis, as risks morph. This "human firewall" is a powerful form of defense against bad actors. To develop one, organizations must invest in high-level education and training, recruiting, where possible, government agents, former hackers, and others who understand cyber-risk from the other side.
Second, risk assessment. It’s hard to solve a problem when you don’t know what the problem is. There are now tools that use cutting-edge technology to score organizations according to how vulnerable they are to cyberattack. That score can be broken down into different areas of potential vulnerability, giving organizations a way to gauge their exposure quickly and know where they should invest their time, money, and other resources to limit the likelihood of a costly breach. Cybersecurity companies are developing the means to provide an increasingly vivid picture of organizations from the standpoint of their robustness to cyberattacks. Now and for the foreseeable future, organizations should assess their vulnerability continually.
Connected to that discipline is the third: risk prevention. Once you know where your vulnerabilities are, you can take bold action. There has been enormous innovation in cybersecurity in recent years, and it would be remiss of any company not to take advantage. The difficulty is that there are so many companies selling services it’s hard to know which ones to buy; this is why it’s worth seeking out experts and partners to guide you.
Cybersecurity companies are engaged in an arms race with their "black hat" counterparts. There will always be those who use their undoubted talents for nefarious ends, and as cybersecurity gets better, cyberattacks will inevitably become cleverer. From the standpoint of an organization, the key, then, is not to put some measures in place and then forget about them. Organizations must be constantly vigilant and take a continuous-improvement approach to cybersecurity if they’re going to anticipate and remain robust against mutating cyberthreats. That means investing in education and training, in tools to evaluate vulnerabilities, and in the software that turns those weaknesses into strengths.
For individuals and for organizations, suffering a cyberattack can be stressful and costly. The fact that cyberattacks are largely invisible can elicit a sense of powerlessness, and even when the cyberattack is dealt with, there can be a lingering fear that something is still in the system, working its way through sensitive files and folders, perhaps stealing personal data from your clients or customers. The damage, in other words, can be emotional and reputational, as well as financial.
But organizations are not at the mercy of cyber-criminals. Companies around the world have developed truly cutting-edge software solutions, tools, and forms of technology to help make the digital information infrastructure of companies all but impregnable. Taken together, they represent a whole new approach to cybersecurity – one fit for our age.