What CEOs Need to Know About Cybersecurity in 2019
Understanding the threat landscape is a crucial part of a CEOs job as you attempt to protect your organization now and in the future. The cybersecurity and compliance landscape is changing rapidly, and it can be difficult to keep up with the various challenges your business is facing — from ransomware to phishing schemes, not to mention global and domestic privacy act compliance. While compliance and cybersecurity may not feel like exactly the same topic, understanding how all the moving pieces work together can help you synthesize strategies that will protect your business. See how these fast-moving fields continue to morph and how you can manage the risk inherent in today’s digital businesses.
The Digital Landscape is Rapidly Changing
Just a few years ago, CEOs were vision-casting how all these great new technologies would work together: customer data driving targeted marketing, operations becoming more efficient due to the use of connected devices and augmented reality forming the basis for your selling strategies for physical goods. As these advanced technologies become more mature, CEOs are finding that each interconnected system provides yet another point for failure. Each mobile phone that is tied into your network infrastructure could be the cause of a data breach. Cybercriminals are becoming more crafty with their messaging to your teams by mimicking vendor email addresses in requests for funds. Augmented reality and next-level marketing techniques are causing consumers to become more concerned than ever before with how much data is being tracked by companies — and how that information is being used.
Intense Focus on Privacy Requires Unified Compliance Strategy
CEOs are no longer able to assume that individual business units understand the full implications of privacy policies and are acting upon them. Instead, a unified compliance strategy is a crucial step that businesses must take in order to stay within the aggressive privacy policies that are being put into place in Europe and now in the US. California is the first state to create consumer data privacy laws that are very similar to those already enacted in May 2018 by the European Union’s GDPR (General Data Protection Regulation). The California Consumer Privacy Act (CCPA) takes compliance a step further and mandates strict consequences for organizations that refuse to comply or cannot show that they are moving towards compliance. The complexity of these laws is such that attempting to manage data at a business unit level is no longer feasible, requiring what may be expensive consolidation of disparate databases, IT infrastructure and reporting.
Determining Acceptable Risk
When it comes to cybersecurity and compliance, it’s important to determine the acceptable risk for your organization. There are no guarantees that your systems cannot be infiltrated even if you invest in the most sophisticated system in the world. The unfortunate fact is that a significant percentage of data breaches are caused by users by poor password habits, inadvertent interactions with malware or even improper access levels to sensitive data. Mitigating each of these risks is not a reasonable ask to your IT department, making it vital that you work with your executive team to identify the most likely risks and how they can be discovered so remediation can begin quickly. Cybersecurity is a key consideration simply because it’s rarely a matter of “if” your organization will be affected — but “when” and to what extent the incident will occur. If you are able to achieve true resiliency for your organization, the combination of disaster recovery and business continuity plans that combine monitoring, detection and response services may help you reduce the overall costs of an attack or breach.
Elevating the Conversation
When CEOs step into the battlefield of cybersecurity, it raises the importance of the conversation and helps ensure that there is a continued focus on protecting the organization from these digital perils. Everything from convincing business units to work together to gather and store data to approving additional spending on security and monitoring software becomes easier, as the CEO is able to lend their global view to the conversation. Cyberattacks can cause losses in unexpected places, such as the loss of consumer confidence or vendor relationships. Quantifying these risks can be a challenge, but organizations are now estimating that a single attack may cost their business as much as $1.67 million. Cybersecurity aside, non-compliance with state and federal data privacy regulations can also be a pricey proposition, with new legislation in place in California that has severe civil penalties and even includes the potential for statutory damages.
Cybersecurity Isn’t a One-Time Resolution to a Problem
As technical and troubling a problem such as cybersecurity is, there is no one-time resolution to this thorny problem. While hackers are the cause of a significant portion of the cyberattacks, it’s every bit as likely — if not a bit more so — that your cyber risk is accidentally caused by employees or contractors who simply made a bad decision. That means ongoing education and continual system monitoring will need to become part of the landscape of your organization if you hope to reduce your overall cybersecurity risk. Active monitoring solutions can help identify any immediate threats, but continued diligence on the part of the executive team will help ensure that cybersecurity and compliance remain top-of-mind for the organization.
All organizations are vulnerable to risk in different ways, but it’s crucial that the organization’s top executive is part of the conversation and solution to the problem. Without this top-down focus on digital risk, businesses are much less likely to put the infrastructure, processes and procedures in place that will protect their data and business operations.