The most recent global cyber-attacks, WannaCry and Petya, have led to renewed focus on cyber security for business, worldwide. The risks remain rife as many boards still struggle to set the challenge in a business context, demystify the complexities and, move beyond the jargon, to understand the real risks of IT security in the digital world.

Adding to this challenge; there are those who criticise cyber security companies for scaremongering or exaggerating the threats, however, the reality is that cybercrime is big business. In fact, current research indicates that cybercrime cost the global economy over  $450 billion in 2016, and it is estimated that the cost of cybercrime to businesses will increase to north of $2 trillion by 2019.

And - if we consider the exponential growth that has been forecasted for the digital economy over the next few years, coupled with rapid growth rates of cybercrime to date - this projected future potential cost is absolutely believable. Businesses therefore have every reason to be concerned about the rising threat level facing them. Rarely, a week goes by without IT security hitting the headlines around the world – and the threats are rising rapidly every day, as more and more people and devices connect to the internet.

Although large scale attacks tend to receive a lot of public hype and media coverage, most businesses face low-level cyber-attacks daily. The majority of these are unsophisticated, but depressingly effective nevertheless; if we just consider effects of WannaCry and Petya, for example. However, despite details of these and other similar attacks being public knowledge, according to a new cyber security whitepaper we recently published, “The cyber security journey – from denial to opportunity”, only 26% of CEOs see security as a differentiator in their digital transformation programmes.

Regrettably, many people look at the technical issues and not the business holistically; when in actual fact threats do not necessarily require technologically advanced tools, but may be very damaging by simply exploiting known weaknesses in a business’ systems. It is for this reason we implore business leaders to look beyond their denial about cybercrime and their false sense of confidence about their security measures, and rather focus on getting back to basics and getting these right.

For instance, the top three most important factors in cutting any business’ security risks are; security governance processes, security technology and sharing tools and knowledge with peers, partners and employees. With this, possibly one of the biggest potential traps and opportunities for businesses is to not start with technology. Too often it seems that many businesses first resort to buying and deploying technology solutions, however, the technology alone shouldn’t be the first priority. Rather, businesses should begin by assessing their current controls against best practices and take time to understand how they may protect the assets they have against the threats they are actually seeing. Only when the business understands the potential gaps can the controls be refined to plug these so that the business gets the full benefit from their controls and technology investments. Also, by continuing to invest in effective IT security technologies, policies, education and training for staff as an ongoing process – and not a once-off - businesses will be better placed to maintain a sustainable risk position against the evolving threat landscape in the digital world.

For instance, cyber security is in for some big changes as the shift to cloud holds bigger surprises. Businesses who work entirely in the cloud and don’t have the expected traditional IT infrastructure have arrived; which also means the defences we would see at the perimeter have disappeared. Added to this, more businesses are looking at adopting a digital, mobile and/or bring your own device (BYOD) strategy. This can be daunting, not only for the business and its Chief Information Security Officers (CISO), but also for regulators. Suddenly regulators are finding that how businesses secure their network doesn’t work anymore.

From the board down, there needs to be a fundamental change in how cyber security is viewed within any business. Cyber security is not something that can be “fixed” overnight, least not in a permanent sense, as cyber criminals – as well as their motives and methods – continue to evolve. True leaders who think differently about IT security therefore see it as an opportunity – a vital business unit, not a cost centre – and treat cyber security as a journey, not a destination. Businesses therefore must look for opportunities to embed security as their business changes and as the threats shift and the technology to combat threats evolves. Flexibility and embedding accountability at all levels of the business will be key to building resilience against attacks, now and well into the future.