The Top 7 Cybersecurity Threats for C-Level Leaders in 2020 That Will Impact Your Company This Decade (If Not Addressed)

 

In looking at the future we must first look to the past. Without a doubt, there will be key cybersecurity focuses from the past five years that will continue into 2020 and beyond. This includes mitigating phishing and ransomware attacks, IoT vulnerabilities, and mobile security threats, as well as increasing secure DevOps and continued migration to the cloud. This is probably not a surprise and is something many C-level leaders are aware of, whether or not their company has fully invested in these areas.

However, the cybersecurity concerns that will impact businesses over the next 10 years are just as complex, more deeply rooted, and in some cases harder to change. In this article I am not referring to something like quantum computing. I am referring to the challenges that have already plagued us the past few years and can no longer be allowed to continue over the next ten years if you want to have a thriving business in the next decade and beyond. I am referencing the reality of living in a video streaming world but still using DVD players (or beta players) to watch movies. These threats don’t always revolve around technology. It’s a mindset that requires behavior change. It can be hard to understand, and often requires us as leaders to look at ourselves and ask the hard questions.

For C-level executives, here are 7 cybersecurity threats of 2020 that will impact your business this decade if not addressed.

  1. Uninformed executives continue to be the #1 cybersecurity risk for a company. I know this is a bold statement, but can you really think of anything scarier in a company today than an uninformed C-level executive making decisions that impact not only the cybersecurity program of an organization but the alignment of security and business objectives, including the cybersecurity budget, the organization’s approach to vendor risk, and the overall impact to clients? The ultimate accountability for the cybersecurity program lies with the management team of a business, and a true lack of understanding of risks by C-level executives is what will cause a business to not survive in 2020 and beyond. I am not just referring to the impact of one breach. I am talking about the consistent and ongoing lack of engagement by an executive, or executive team, on the topic of cybersecurity and then making decisions that impact clients, employees and other stakeholders. Demonstrating cybersecurity understanding and awareness in the next five years will be critical for all members of executive teams and board members regardless of your role. It will be a qualifying piece in the price of admission. Globally, 40% of companies cited their executives, including the CEOs, as their highest security risk (Information Age/Prescient, 2019). In many cases, executives can be the target of a malicious hacking scheme, and in other cases, an executive can fall prey to an attacker via social media, when traveling, or when accessing email.
  2. Thinking global politics and security trends won’t impact your business. In 2016 we saw how the election impacted the public but also Facebook. Economic espionage by countries, particularly China, is well known and continues to be a persistent threat to businesses and universities in the United States. Nation-state hacking does not appear to be slowing down, and potential war with Iran only increases the likelihood of a cyber war impacting businesses. A cyber war puts all businesses, including small businesses, on the front lines of a war.
  3. Dismissing AI as part of your company’s detection and response strategy. In this decade, as the cyber threats become more AI enabled, our ability to respond will need to be congruent. As technology threats change, the way we defend against them will need to change. As a C-level executive, do you know how AI and machine learning are being utilized in your company’s cybersecurity program? The Capgemini Reinventing Cybersecurity and Artificial Intelligence Report states that 69% of enterprises believe AI will be necessary to respond to cyber-attacks. Additionally, 64% of enterprises say that AI lowers the cost to detect and respond to breaches and reduces the overall time taken to detect threats and breaches by up to 12%. The amount of time threat actors remain undetected drops by 11% with the use of AI (Forbes).
  4. Unaware of vulnerabilities from IT teams or managed service providers. Ignoring, or failing to mitigate, risk from those who have access to our environment can be “business ending” in this decade. Managed service providers are increasingly targeted by cyber criminals. Building a zero-trust technology environment is only one way to address this. Having consistent follow-up with third-party technology vendors and checks and balances with the IT team, internally, is a trifecta approach to this risk.
  5. Underestimating the impact of 5G on your business. This will severely impact IoT devices in your business and your home. As a C-level executive, are you thinking about the impact of 5G on your company infrastructure and cybersecurity program? Once 5G networks are rolled out to the larger public, devices (IoT) will be connected from a variety of mediums, increasing vulnerability to attackers (Malwarebytes). The NotPetya attack in 2017 caused $10 billion in corporate losses. The combined losses at Merck, Maersk, and FedEx alone exceeded $1 billion. 5G networks didn’t exist at the time, of course, but the attack illustrates the high cost of such incursions (Brookings).
  6. Playing the “waiting game” on privacy. Compliance overall will impact a company’s profitability if there is a breach AND a lack of adherence to a regulation resulting in fines. Privacy and cybersecurity regulations are increasing annually. As a C-level leader, are you reviewing the type of data you collect, what you do with it, and how you protect it? The Global Data Protection Regulation, GDPR (privacy regulation in Europe), and the California Consumer Privacy Act, CCPA (effective January 1, 2020), indicate maintaining reasonable data security is no longer enough. If operating in regulated areas, you must determine how to align your business goals with privacy rights of individuals around the world. Adherence to GDPR (which applies to all businesses, large and small, that collect data on European residents), CCPA or PIPEDA (Personal Information Protection and Documents Act in Canada) is a must as well as understanding how it impacts the roles and responsibilities of the security and technical teams. The European Data Protection Board’s recap of GDPR activities between May 2018 and May 2019 states 144,376 complaints or queries were lodged with EU data protection authorities during that year (The Legal Intelligence).
  7. Believing it’s impossible to defend against cyber threats. This is the defeatist mentality. It’s amazing how many people I meet that say, “Is there really anything you can do about hackers anyway?” or “We’re too small.” If you don’t impact this way of thinking, it will impact your business in the next decade. In fact, you may no longer have a business. In the 2020s, doing nothing with regard to cybersecurity in your business will not be an option. It’s now part of the cost of doing business.

Jessica Robinson is CEO of PurePoint International and works as a Virtual/Outsourced CISO to middle market businesses in financial services and insurance. Jessica and her team specialize in working with companies with $100M-$500M in revenues. You can reach her at jessica@purepoint-international.com.

 

Are You Doing the Simple Things: The Top 5 Habits to Protect Your Information


I often tell people we are in the new normal. The way we think about information and privacy is not the same as we thought about it even ten years ago. If we are using email, various websites or consistently saving files, getting into the routine of changing our passwords, updating our antivirus and becoming familiar with using cloud software is becoming more of an imperative. Below are the top five things people are not doing to protect their information. Some of it may seem very simple, but I continue to run into people that are not practicing these habits on a consistent basis. My guess is you know someone who isn’t as well.

1. Changing passwords every 4-6 weeks: This may seem rudimentary, but ask yourself when was the last time you updated your email, LinkedIn, Facebook, or banking passwords? Nowadays, there is a passcode for everything and I know it seems almost labor intensive to go through and update every single one. Mainly email accounts and website passwords (if you have a website) should be updated most frequently. Then continue with the websites you use most frequently and rotate that password every three to five months. TIP: There are different apps that can add an additional layer of security. Look at PassKey or Keeper for your phone or tablet. Passkey uses fingerprint technology for login on frequently used sites.

2. Updating the antivirus software when it expires: We get the 30-day reminder, then the 29-day reminder, then the 28-day reminder… It’s worth it to update your antivirus software when it expires. Remember why you paid for it the first time. Think about it as oil for your computer, similar to how oil is needed for a car. It’s a necessary tool to help make sure your computer is running well consistently.

3. For entrepreneurs, or solopreneurs – invest in secure email exchanges: There are many ways for small teams to invest in a secure email exchange at a low cost. It’s easy to not invest and to use your personal emails until someone’s email is compromised. If you are growing the size of your team, the one thing you will want to do for all aspects of your business is set the right culture from the beginning. In many cases, this will mean the onboarding process and having the right training. As part of that training, set expectations for data privacy of company and client information, and how emails should be used. Establishing the right culture early on will help tremendously in creating a preventative culture on data security.

4. Using the cloud: I know there are a lot of people still very resistant to the cloud. If you have an external hard drive that’s great, but odds are you do not have it with you all the time. Then, of course, to have access to the cloud you need internet access. There are pros and cons to having the cloud or not having the cloud, and as I talk to people I find they are still hesitant to use it. However, generally, it is safer than email and can be safer than an external hard drive. You will want to know what layers of security are in place to protect your cloud, but that is something you would want to know for your email and computer as well. Google, Apple, and Microsoft are all reasonable places to start when thinking of using the cloud.

5. Responding quickly when email is hacked: You know it’s happening. Your friends contact you because they received an email from you stating you were in an overseas location, in danger, and needed $5000 immediately. How about when your computer is starting to run slow, are you still hesitant to act? Don’t be! You could be seriously affecting your computer files, email, cloud, or external hard drive. Respond quickly to warning signs and if you think your email is compromised. Immediately change the password, and if you think your computer was compromised with malware, run an anti-virus scan. That’s right, this would be the time you will be happy you renewed your anti-virus plan.

It’s all about prevention! These are the routine habits you can do at home or work to have a safe and empowered workplace and to lead a consciously secure life at home.

Jessica Robinson is Founder & CEO of PurePoint International, a firm disrupting the security market by providing affordable outsourced Chief Security Officer (CSO) consulting services for startups, international non-profits, and mid-size commercial businesses. She completes training and assessments for businesses in physical and cyber security and risk mitigation/business continuity. We help you create a safe and empowered workplace.