Situation Update: Coronavirus and What You Need to Know

Situation Update: The World Health Organization has declared a global public health emergency for the novel (Wuhan) coronavirus. There are currently over 8,100 cases with 170 people confirmed dead. There are more than 100 confirmed cases in 20 places outside of China.

What Has Changed Today: It has been confirmed the virus was transferred from person to person in the United States today after someone returned from visiting China. There is currently no vaccine.

How serious is this for a US resident? There have been 6 cases of outbreak in the US. The person-to-person spread of the virus occurs when people are in close contact for a number of days with someone who carries the virus.

What Are Our Responsibilities to Our Business/Organization? This outbreak will continue, so as you think about your workplace over the next several days, here are some considerations for you or your leadership team.

  1. Upcoming Travel: Some trips from the US to China are being cancelled. For other travel updates you can check the local airport you are flying from for domestic travel, and the State Department especially for international travel. If you are traveling in the coming days, expect possibly longer-than-usual lines and travel wait times.
  2. Local Alerts: Check alerts from your local public health department.
  3. Business Operations: Think about what you would do if a higher than normal percentage of your staff called in sick. How could this impact your business operations? What if an employee’s family member is impacted? If a person on your team gets sick from the Wuhan virus, who is the backup for their role, especially if it supports a critical function or business-critical process for the organization? Think about how this will impact the continuity of your business and current delivery expectations for internal and external stakeholders. In more serious cases, think about what would happen if your entire building or town was quarantined.
  4. Internal Company Communications: What is your communication plan internally? Some organizations, in the wake of a major snowstorm, earthquake, or hurricane, will make the decision to communicate via phone or text when deciding to close the office for the safety of employees and clients. It may simply be safer for employees not to travel into work. Who is involved with this decision? What leader has the authority to make these decisions?
  5. Working from Home Policy: What is the determining factor for having people work from home? What would determine that, and for how long would someone need to stay home?
  6. Go Bag: If your office has Go Bags this could be a good time to update them. Though it may not directly relate to a virus outbreak, it is meant for several emergencies and can be beneficial, especially if your bag happens to have Personal Protective Equipment like facemasks.
  7. Top Down Approach: When deciding what action to take for any Crisis Plan this should not be a unilateral approach. It does need to be consistent with existing labor laws and regulations. Partner with your HR partners, security/operations partner and legal counsel if necessary.
  8. Resource and Fact Sheet for the Virus: Here is an information resource for the leadership team on the virus (symptoms, how individuals can protect themselves).
  9. What We Can Expect: Global coordination by governments to stop the spread of the virus. As necessary, federal, state and local governments have and/or will update travel advisories and guidelines or recommendations for jurisdictions in the United States impacted by the Wuhan Virus. There will be stringent and required monitoring of this outbreak by government officials which could impact small and large businesses alike.

 

If you have additional questions, please let us know: If you have a Crisis Management Plan with us and have specific questions or updates that require implementation, please let us know. If you don’t have a Crisis Management Plan or Business Continuity Plan, but would like to discuss implementing one, please feel free to contact Jessica directly at Jessica@purepoint-international.

The Top 7 Cybersecurity Threats for C-Level Leaders in 2020 That Will Impact Your Company This Decade (If Not Addressed)

 

In looking at the future we must first look to the past. Without a doubt, there will be key cybersecurity focuses from the past five years that will continue into 2020 and beyond. This includes mitigating phishing and ransomware attacks, IoT vulnerabilities, and mobile security threats, as well as increasing secure DevOps and continued migration to the cloud. This is probably not a surprise and is something many C-level leaders are aware of, whether or not their company has fully invested in these areas.

However, the cybersecurity concerns that will impact businesses over the next 10 years are just as complex, more deeply rooted, and in some cases harder to change. In this article I am not referring to something like quantum computing. I am referring to the challenges that have already plagued us the past few years, and can no longer be allowed to continue over the next ten years if you want to have a thriving business in the next decade and beyond. I am referencing the reality of living in a video streaming world, but still using DVD players (or Beta players) to watch movies. These threats don’t always revolve around technology. It’s a mindset that requires behavior change. It can be hard to understand, and often requires us as leaders to look at ourselves and ask the hard questions.

For C-level executives, here are 7 cybersecurity threats of 2020 that will impact your business this decade if not addressed.

  1. Uninformed executives continue to be the #1 cybersecurity risk for a company. I know this is a bold statement, but can you really think of anything scarier in a company today than an uninformed C-level executive making decisions that impact not only the cybersecurity program of an organization but the alignment of security and business objectives, including the cybersecurity budget, the organization’s approach to vendor risk, and the overall impact to clients? The ultimate accountability for the cybersecurity program lies with the management team of a business, and a true lack of understanding of risks by C-level executives is what will cause a business to not survive in 2020 and beyond. I am not just referring to the impact of one breach. I am talking about the consistent and ongoing lack of engagement by an executive, or executive team, on the topic of cybersecurity, and then making decisions that impact clients, employees and other stakeholders. Demonstrating cybersecurity understanding and awareness in the next five years will be critical for all members of executive teams and board members, regardless of your role. It will be a qualifying piece in the price of admission. Globally, 40% of companies cited their executives, including the CEOs, as their highest security risk (Information Age/Prescient, 2019). In many cases, executives can be the target of a malicious hacking scheme, and in other cases, an executive can fall prey to an attacker via social media, when traveling, or when accessing email.
  2. Thinking global politics and security trends won’t impact your business. In 2016 we saw how the election impacted the public but also Facebook. Economic espionage by countries, particularly China, is well known and continues to be a persistent threat to businesses and universities in the United States. Nation-state hacking does not appear to be slowing down, and a potential war with Iran only increases the likelihood of a cyber war impacting businesses. A cyber war puts all businesses, including small businesses, on the front lines of a war.
  3. Dismissing AI as part of your company’s detection and response strategy. In this decade, as cyber threats become more AI-enabled, our ability to respond will need to be congruent. As technology threats change, the way we defend against them will need to change. As a C-level executive, do you know how AI and machine learning are being utilized in your company’s cybersecurity program? The Capgemini Reinventing Cybersecurity and Artificial Intelligence Report states that 69% of enterprises believe AI will be necessary to respond to cyber-attacks. Additionally, 64% of enterprises say that AI lowers the cost to detect and respond to breaches and reduces the overall time taken to detect threats and breaches by up to 12%. The amount of time threat actors remain undetected drops by 11% with the use of AI (Forbes).
  4. Unaware of vulnerabilities from IT teams or managed service providers. Ignoring, or failing to mitigate, risk from those who have access to our environment can be “business ending” in this decade. Managed service providers are increasingly targeted by cyber criminals. Building a zero-trust technology environment is only one way to address this. Having consistent follow-up with third-party technology vendors and checks and balances with the IT team, internally, is a trifecta approach to this risk.
  5. Underestimating the impact of 5G on your business. This will severely impact IoT devices in your business and your home. As a C-level executive, are you thinking about the impact of 5G on your company infrastructure and cybersecurity program? Once 5G networks are rolled out to the larger public, devices (IoT) will be connected from a variety of mediums, increasing vulnerability to attackers (Malwarebytes). The NotPetya attack in 2017 caused $10 billion in corporate losses. The combined losses at Merck, Maersk, and FedEx alone exceeded $1 billion. 5G networks didn’t exist at the time, of course, but the attack illustrates the high cost of such incursions (Brookings).
  6. Playing the “waiting game” on privacy. Compliance overall will impact a company’s profitability if there is a breach AND a lack of adherence to a regulation resulting in fines. Privacy and cybersecurity regulations are increasing annually. As a C-level leader, are you reviewing the type of data you collect, what you do with it, and how you protect it? The Global Data Protection Regulation, GDPR (privacy regulation in Europe), and the California Consumer Privacy Act, CCPA (effective January 1, 2020), indicate that maintaining reasonable data security is no longer enough. If operating in regulated areas, you must determine how to align your business goals with the privacy rights of individuals around the world. Adherence to GDPR (which applies to all businesses, large and small, that collect data on European residents), CCPA or PIPEDA (Personal Information Protection and Documents Act in Canada) is a must, as is understanding how it impacts the roles and responsibilities of the security and technical teams. The European Data Protection Board’s recap of GDPR activities between May 2018 and May 2019 states 144,376 complaints or queries were lodged with EU data protection authorities during that year (The Legal Intelligence).
  7. Believing it’s impossible to defend against cyber threats. This is the defeatist mentality. It’s amazing how many people I meet who say, “Is there really anything you can do about hackers anyway?” or “We’re too small.” If you don’t impact this way of thinking, it will impact your business in the next decade. In fact, you may no longer have a business. In the 2020s, doing nothing with regard to cybersecurity in your business will not be an option. It’s now part of the cost of doing business.

Jessica Robinson is CEO of PurePoint International and works as a Virtual/Outsourced CISO to middle market businesses in financial services and insurance. Jessica and her team specialize in working with companies with $100M-$500M in revenues. You can reach her at jessica@purepoint-international.com.