Ransomware and direct infiltration are not the only cybersecurity concerns for directors trying to keep their organizations safe.
The front lines of business are more dangerous than ever before, but ransomware and hackers are not the only concern for today’s directors. Everything from connected industrial devices to the business risks associated with noncompliance with government requirements could have a significantly negative impact on your organization. What’s worse is that not only do you have to be concerned about the quality of your organization’s security, but each data connection to an external entity is a potential avenue for attack. Intense scrutiny is required to ensure that your business stays safe from the complex cybersecurity risks facing today’s organizations.
Compunet, a Vancouver IT solutions company, shares five privacy and cybersecurity themes that represent some of the hidden or unexpected threats that you need to keep in mind.
1. IoT and Operational Technology
The manufacturing world has been turned upside down by the rise of automation in the past decade, but the biggest challenge is not maintaining the automation or robotics on the production floor. These connected devices raise the risk level for businesses simply because they are often attached directly to core business systems to monitor throughput and maintain a high level of efficiency. Retail organizations are feeling the same pressure in their shipping and warehouse facilities. It can be challenging to define a clear line of oversight for these connected devices and business machines when responsibility is split between engineering and technology. These critical operational technology (OT) devices must be certified and adequately maintained, inventoried, and proactively updated as soon as software and hardware updates are available.
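The oversight problems described above (unclear ownership, devices wired straight into core business systems, firmware left unpatched, and inventories that drift) can be checked mechanically once the OT inventory is kept as data. The script below is an added example, not code from Compunet or from any product it sells; the inventory fields, the sample devices, the "dmz" zone name and the 90-day review window are all constructed assumptions chosen for illustration.

```python
"""Added example: review an OT/IoT asset inventory for the gaps the article
describes: stale firmware, no owning team, direct connection to core systems
from an unsegmented zone, and overdue review. All records are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class OTDevice:
    asset_id: str
    model: str
    firmware: str            # version currently installed
    latest_firmware: str     # latest version the vendor has published
    owner_team: Optional[str]  # None means nobody has accepted ownership
    network_zone: str        # assumed zone names: "plant-floor", "dmz", "corporate"
    talks_to_core: bool      # integrated directly with ERP/MES/WMS
    last_reviewed: date      # last time someone confirmed the record


# Constructed sample inventory (not real devices or versions)
SAMPLE_INVENTORY: List[OTDevice] = [
    OTDevice("PLC-001", "line-controller", "2.3.1", "2.3.1",
             "engineering", "plant-floor", True, date(2024, 5, 1)),
    OTDevice("HMI-017", "operator-panel", "1.9.0", "1.10.2",
             None, "dmz", True, date(2023, 12, 15)),
    OTDevice("SCALE-204", "warehouse-scale", "4.0.0", "4.0.0",
             "warehouse-ops", "plant-floor", False, date(2024, 5, 20)),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'a.b.c' into a tuple so 1.10.2 compares greater than 1.9.0."""
    return tuple(int(part) for part in version.split("."))


def find_issues(devices: List[OTDevice], today: date,
                max_review_days: int = 90) -> Dict[str, List[str]]:
    """Return {asset_id: [problem, ...]} for every device with at least one gap."""
    issues: Dict[str, List[str]] = {}
    for d in devices:
        problems: List[str] = []
        if parse_version(d.firmware) < parse_version(d.latest_firmware):
            problems.append(
                f"firmware {d.firmware} behind vendor release {d.latest_firmware}")
        if not d.owner_team:
            problems.append("no owning team assigned (engineering/IT split)")
        # Assumption: only the "dmz" zone is allowed to talk to core systems
        if d.talks_to_core and d.network_zone != "dmz":
            problems.append(
                f"direct core-system connection from unsegmented zone "
                f"'{d.network_zone}'")
        if (today - d.last_reviewed).days > max_review_days:
            problems.append(
                f"inventory record not reviewed in {max_review_days} days")
        if problems:
            issues[d.asset_id] = problems
    return issues


if __name__ == "__main__":
    for asset, problems in find_issues(SAMPLE_INVENTORY, date(2024, 6, 1)).items():
        print(asset)
        for p in problems:
            print("  -", p)
```

Run against the constructed inventory with a review date of 2024-06-01, PLC-001 is flagged only for its direct core connection from the plant floor, HMI-017 for stale firmware, missing owner and an overdue review, and the warehouse scale passes. The point of the design is that each of the article's oversight concerns becomes an explicit, reviewable field rather than tribal knowledge split across two departments.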
2. Disclosure Requirements After a Breach
Each state has different requirements in terms of data breach notification. In general, any breach that involves more than 1,000 records requires a broad consumer notification strategy within a prescribed timeline, or businesses can be held to a higher level of liability and face government compliance fines as well as consumer litigation. Forming a cross-functional immediate response team at your organization that includes individuals from all departments, from human resources and operations to public relations, helps ensure that you are prepared to quickly manage any situation.
3. Third-Party Risk
Creating a high level of security for your organization includes reviewing the security procedures of organizations whose data and business systems intersect with yours. Attackers are learning that larger businesses are investing in cybersecurity, making them more difficult to attack directly. Instead, these crafty criminals are looking for a smaller vendor whose information feeds into a range of businesses — and that may not have the same aggressive cybersecurity posture as a larger business. There are also liability considerations when one of your partners is attacked, especially if that attack negatively impacted your customers. Who bears the responsibility (and the cost!) of notifications, and how can you actively monitor the engagement of your business systems with your partners to identify potential attacks as soon as possible?
4. Communicating Risk to Executive Leadership and Your Board
Presenting extremely detailed cybersecurity timelines and strategies to your board probably isn't going to give you any traction on getting funding for your necessary projects. Instead, focus on the high-level potential risks and the steps that you propose taking to reduce them. The complexity of data structures, vendor connections and compliance issues will likely be lost in the short period of time you have to explain them to board members. It is important to encourage your board to have at least one individual with a deep knowledge of cybersecurity, so they are able to respond to questions or help point out areas where the conversation needs to go in the future.
5. Convergence of Cybersecurity and Privacy
Privacy and cybersecurity are more tightly married than ever before, and this convergence may need to be reflected in the governance of the teams supporting the initiatives. One difficulty for organizations is that privacy laws are often the realm of legal or HR departments, while cybersecurity generally reflects the language of more technical folk. Pulling these disparate groups together is a vital piece of your cyber risk reduction, specifically in terms of global data. The EU's GDPR (General Data Protection Regulation) and individual laws in many American states are causing data management teams to sit up and take notice — specifically because of the detailed requirements for compliance and the high potential cost of non-compliance.
This is by no means a comprehensive list of the threats facing today's businesses, but rather an aggregate of a few unexpected twists that could impact your organization. One of the reasons there's an influx of organizations hiring for security positions is the increasing complexity of the threat landscape, with potential infiltrations and risks coming from all directions. While some businesses are hiring for a CSO (Chief Security Officer) role, many others are looking to strong technical partners to help identify and remediate their risks while taking steps to reduce the dangers associated with cybersecurity in the future.