The chief information security officer (CISO) is a relatively new role and more and more companies are considering adding the position or increasing the influence of their existing CISO. The urgency stems from an increasing number of reported breaches, many involving hundreds of millions of records and requiring millions and even billions of dollars in fines and damage repair. In fact, Cybersecurity Ventures estimates that cybercrime will be a $6 trillion business by 2021.
A robust cybersecurity strategy is essential for every business, and a CISO leader is crucial to that strategy.
A word of caution: If you feel your company is too small to afford a CISO or your existing organizational structure doesn’t currently support another C-level role, please do not stop reading. Your need is just as urgent: Verizon's “2019 Data Breach Investigations Report” found that 43% of cyberattack victims are small businesses. Investing in cybersecurity still is essential, and there are ways to protect your business without the enterprise price tag.
Attacks Are Surging
As evidenced by the nightly news, trying to implement cybersecurity strategy after a breach or other incident can prove disastrous. A look at the big picture underscores the need to be proactive. Smart systems, artificial intelligence, cloud-based solutions, the internet of things — many are calling it the Industry 4.0 revolution. Data and technology are at the heart of it all, and the digital landscape is expanding exponentially. But just as it is creating new avenues of growth and revenue, it also is creating new points of vulnerability for business, and the number and scope of cyberattacks is surging.
More and more business leaders are realizing that cybersecurity is no longer just the purview of IT, but requires a comprehensive strategy that extends to all aspects of the business, from the customer service call center to the boardroom. The National Association of Corporate Directors' annual “Public Company Governance Survey” has, for several years, revealed that board members rank cybersecurity as a top concern. In the 2017-2018 report, only 37% of board members agreed with the statement, “I am confident that our company is properly secured against a cyberattack.” This showed a 5% decrease in confidence from the previous year.
The Risks
An effective cybersecurity strategy is critical, and it needs to address a complex and growing array of risks. You probably have risk management strategies for disasters like fire, earthquake or major power surges. With cybercrime, the risk can be even greater.
• Loss of data can lead to significant financial loss in multiple ways. Criminals can make data simply disappear, or they can use it for personal gain, such as insider trading. Using ransomware, they can encrypt your business-critical files and demand payment to release it. Research has pointed out good reason to believe that intellectual property (IP) is increasingly tied to wealth, and in digital format, IP is vulnerable to cyberattacks.
• Exposure of sensitive data is one of the biggest concerns in the high-profile news stories, and for good reason. If criminals have access to things like login credentials and passwords, routing numbers, credit card numbers and Social Security numbers, you can imagine the consequences. Even in the absence of bad actors, sensitive data can be exposed if security is lax. This can undermine the confidence of your customers and business partners and hit your bottom line — hard.
• A particularly unsettling risk is unauthorized control of physical environments. With increasing use of smart devices and automation, criminals or even terrorists can gain control of manufacturing, communication, transportation and other systems. Thieves could disable alarms and other physical security systems, and terrorists could cause catastrophes like sending a nuclear plant to critical mass, causing trains to crash or taking power grids offline.
• Other risks include malware attacks in the form of viruses, worms, Trojan horses, spyware and other software designed to cause havoc of one form or another. Phishing, in which the criminal poses as a legitimate player in order to access sensitive information, also can put your business at risk.
The consequences of a cyberattack can include damage to brand reputation, as well as the reputations of business owners, senior executives and board members. In several high-profile cases, CIOs or CEOs were forced to resign following major breaches at companies like Target, Equifax and others.
No matter your business or its size, cybersecurity strategy must be a high priority. In the next installment of this series, we'll uncover why it is critical that your strategy include a CISO or security leader.
