The Top 7 Cybersecurity Threats for C-Level Leaders in 2020 That Will Impact Your Company This Decade (If Not Addressed)


In looking at the future we must first look to the past. Without a doubt, key cybersecurity focuses from the past five years will continue into 2020 and beyond. These include mitigating phishing and ransomware attacks, IoT vulnerabilities, and mobile security threats, as well as expanding secure DevOps practices and the continued migration to the cloud. This is probably not a surprise, and it is something many C-level leaders are aware of whether or not their company has fully invested in these areas.

However, the cybersecurity concerns that will impact businesses over the next 10 years are just as complex, more deeply rooted, and in some cases harder to change. In this article I am not referring to something like quantum computing. I am referring to the challenges that have already plagued us for the past few years and can no longer be allowed to continue over the next ten years if you want a thriving business in the next decade and beyond. I am describing the reality of living in a video streaming world but still using DVD players (or Betamax players) to watch movies. These threats don’t always revolve around technology. They stem from a mindset that requires behavior change. That can be hard to understand, and it often requires us as leaders to look at ourselves and ask the hard questions.

For C-level executives, here are 7 cybersecurity threats of 2020 that will impact your business this decade if not addressed.

  1. Uninformed executives continue to be the #1 cybersecurity risk for a company. I know this is a bold statement, but can you really think of anything scarier in a company today than an uninformed C-level executive making decisions that impact not only the cybersecurity program of an organization but also the alignment of security and business objectives, including the cybersecurity budget, the organization’s approach to vendor risk, and the overall impact to clients? The ultimate accountability for the cybersecurity program lies with the management team of a business, and a true lack of understanding of risk by C-level executives is what will cause a business not to survive in 2020 and beyond. I am not just referring to the impact of one breach. I am talking about the consistent and ongoing lack of engagement by an executive, or executive team, on the topic of cybersecurity, followed by decisions that impact clients, employees and other stakeholders. Demonstrating cybersecurity understanding and awareness in the next five years will be critical for all members of executive teams and board members, regardless of your role. It will be a qualifying piece of the price of admission. Globally, 40% of companies cited their executives, including the CEOs, as their highest security risk (Information Age/Prescient, 2019). In many cases, executives are the target of a malicious hacking scheme, and in other cases an executive can fall prey to an attacker via social media, when traveling, or when accessing email.
  2. Thinking global politics and security trends won’t impact your business. In 2016 we saw how the election impacted not only the public but also Facebook. Economic espionage by countries, particularly China, is well known and continues to be a persistent threat to businesses and universities in the United States. Nation-state hacking does not appear to be slowing down, and potential war with Iran only increases the likelihood of a cyber war impacting businesses. A cyber war puts all businesses, including small businesses, on the front lines of a war.
  3. Dismissing AI as part of your company’s detection and response strategy. In this decade, as cyber threats become more AI enabled, our ability to respond will need to be congruent. As technology threats change, the way we defend against them will need to change. As a C-level executive, do you know how AI and machine learning are being utilized in your company’s cybersecurity program? The Capgemini Reinventing Cybersecurity with Artificial Intelligence report states that 69% of enterprises believe AI will be necessary to respond to cyber-attacks. Additionally, 64% of enterprises say that AI lowers the cost to detect and respond to breaches and reduces the overall time taken to detect threats and breaches by up to 12%. The amount of time threat actors remain undetected drops by 11% with the use of AI (Forbes).
  4. Being unaware of vulnerabilities from IT teams or managed service providers. Ignoring, or failing to mitigate, risk from those who have access to our environment can be “business ending” in this decade. Managed service providers are increasingly targeted by cyber criminals. Building a zero-trust technology environment is only one way to address this. Combining it with consistent follow-up with third-party technology vendors and internal checks and balances with the IT team is a trifecta approach to this risk.
  5. Underestimating the impact of 5G on your business. This will severely impact IoT devices in your business and your home. As a C-level executive, are you thinking about the impact of 5G on your company infrastructure and cybersecurity program? Once 5G networks are rolled out to the larger public, IoT devices will be connected through a variety of mediums, increasing their vulnerability to attackers (Malwarebytes). The NotPetya attack in 2017 caused $10 billion in corporate losses. The combined losses at Merck, Maersk, and FedEx alone exceeded $1 billion. 5G networks didn’t exist at the time, of course, but the attack illustrates the high cost of such incursions (Brookings).
  6. Playing the “waiting game” on privacy. Compliance will impact a company’s profitability if there is a breach AND a lack of adherence to a regulation resulting in fines. Privacy and cybersecurity regulations are increasing annually. As a C-level leader, are you reviewing the type of data you collect, what you do with it, and how you protect it? The General Data Protection Regulation, GDPR (the privacy regulation in Europe), and the California Consumer Privacy Act, CCPA (effective January 1, 2020), indicate that maintaining reasonable data security is no longer enough. If operating in regulated areas, you must determine how to align your business goals with the privacy rights of individuals around the world. Adherence to GDPR (which applies to all businesses, large and small, that collect data on European residents), CCPA or PIPEDA (the Personal Information Protection and Electronic Documents Act in Canada) is a must, as is understanding how it impacts the roles and responsibilities of the security and technical teams. The European Data Protection Board’s recap of GDPR activities between May 2018 and May 2019 states that 144,376 complaints or queries were lodged with EU data protection authorities during that year (The Legal Intelligence).
  7. Believing it’s impossible to defend against cyber threats. This is the defeatist mentality. It’s amazing how many people I meet who say, “Is there really anything you can do about hackers anyway?” or “We’re too small.” If you don’t change this way of thinking, it will impact your business in the next decade. In fact, you may no longer have a business. In the 2020s, doing nothing in regards to cybersecurity in your business will not be an option. It’s now part of the cost of doing business.

Jessica Robinson is CEO of PurePoint International and works as a Virtual/Outsourced CISO to middle market businesses in financial services and insurance. Jessica and her team specialize in working with companies with $100M-$500M in revenues. You can reach her at jessica@purepoint-international.com.


5 Questions the NY Attorney General is Asking TransUnion and Experian, and the 5 Questions CEOs Should Be Asking Themselves (and Their Team)


Leading cybersecurity can be challenging as a CEO if you don’t know what questions to ask. A top-down approach is necessary for an organization to be successful in creating a cyber security culture.

With the recent Equifax breach, many CEOs who haven’t paid attention in the past are starting to ask questions. The truth is, it doesn’t matter what industry you are in or how many employees or clients you have; the fact that you exist as a business owner or entrepreneur makes you a potential target, just as being a consumer makes you a potential victim of a breach at every place you spend money.

As a CEO, if you have large B2B clients, irrespective of industry, that can make you a potential target for a breach, because a hacker may want to use your company to get to your client. According to a study by the Identity Theft Resource Center, as many as 42 colleges and universities were victims of cyber-attacks in 2014 alone. The number of U.S. data breaches tracked through June 30, 2017 hit a half-year high of 791. This represents a significant jump of 29% over 2016 figures during the same period. According to SANS, ransomware is the top attack threat to financial institutions (55%), followed by phishing (50%).

Additionally, if you do business with, purchase from, or take money from a business that has been breached, that makes you vulnerable. Since 90% of breaches impact small businesses, as a CEO you can’t escape cyber security, no matter how small you are.

In New York, where the Department of Financial Services enacted cybersecurity regulations for the banking, financial services and insurance industries, the current Attorney General, Eric Schneiderman, is not only investigating the Equifax data breach, but asking TransUnion and Experian what their cyber security strategy was before the Equifax breach and what they have done since the breach.

There are supposedly five questions that Schneiderman’s office wants answers to from Experian and TransUnion by Friday, September 21st:

  1. What security measures did TransUnion (Experian) have in place to ensure the safety of private consumer information before it learned of the Equifax breach, including but not limited to administrative safeguards, technical safeguards, and physical safeguards, as well any best practices or certifications of compliance with any data security regulations or leading standards?
  2. What steps has TransUnion (Experian) taken since learning of the Equifax breach to ensure that TransUnion (Experian) has not already suffered any similar intrusions?
  3. What steps has TransUnion (Experian) taken since learning of the Equifax breach to ensure that it does not experience breaches going forward? Please address steps to prevent both malicious hacking as well as breaches caused by employee negligence.
  4. What steps has TransUnion (Experian) taken since learning of the Equifax breach to help consumers implement additional protections for their private data in TransUnion’s (Experian’s) possession?
  5. Will TransUnion (Experian) consider waiving any fees it currently charges for New York consumers who wish to implement and manage a credit freeze for their files through TransUnion (Experian)?

With the CEO of Equifax testifying before Congress on October 3rd, here are 5 questions all CEOs should be asking themselves (before a breach):

  1. What is my cyber security incident response plan for when a breach occurs?

If you don’t have a plan for what to do if there is a breach, you are already behind. This also means you most likely don’t have a way to proactively detect whether a breach is occurring. The belief that you have to be a multi-billion-dollar company to be impacted by a breach is a fallacy. LivingSocial, in the same quarter that it announced its data breach, revealed that the company had a first-quarter operating loss of $44 million on revenue of $135 million. We are seeing solopreneur lawyers who haven’t taken security seriously compromise their clients’ information. Your Chief Information Officer (CIO), General Counsel, or IT team can help you address this question, but as the CEO you have to lead the way.

  2. What are the compliance risks, and are they systemic across every vertical?

What are the SOC and PCI challenges that your company may not be reviewing regularly? Do you have a lawyer or a compliance expert to help you meet the regulations for your industry? This would also be a great question to ask your lawyer or General Counsel.

  3. How long would our business halt if we had a breach?

In other words, how many hours could your team go without access to email? How many days? How many days could your company go without receiving, or giving, payment before it becomes a liability for the company? One hour? One day? Some companies take up to three weeks just to access email again after a breach. What would that do to your business? Business continuity is critical. As a CEO, you have to know how long your business will stop if there is a breach and how much that will cost you. What is your risk appetite? Your CIO and IT team can help give you an accurate response to this question.

  4. What type of data do we have, and who would want it?

Some companies know exactly what data they have that is valuable. Other companies think they have nothing of value to potential hackers. Does your company collect donor information, PII, user activity or user data? Do you store intellectual property from your company or other companies? Where do you keep your financial and employee data? What data do you have that could be valuable to a third party that you don’t even realize? For example, maybe your client’s customer base. As a CEO, you should know what your most valuable data is, how you collect it and where it is stored. Your CIO or IT leader can help you identify this information.

  5. What is our cyber insurance policy?

We are slowly approaching the point where every business should have a cyber security insurance policy. This is especially true if you are a B2B company, in a highly regulated industry, or if your total sales are over $1 million a year. Cyber insurance will pay for a crisis communications team to help you communicate to internal and external stakeholders. It will also pay for a digital forensics team to support the response to the breach. The smaller the company, the harder it is to bounce back from a cyber breach. This is a great question to discuss with your corporate attorney.


Jessica Robinson is a writer and Founder & CEO of PurePoint International. As a cyber security expert, she advises and consults with small and medium sized businesses on cyber prevention and response. Learn more at www.the-purepoint.com.