Cyber Security: Why Business Leaders Need to Wakeup

img blog Why Cyber Security Awareness Training is Essential for SMBs r1

In an increasingly digital landscape, where data flows seamlessly across interconnected networks and information is the currency of the modern economy, one critical truth has emerged: cybersecurity is no longer an optional safeguard, but an absolute necessity. 

The technological advancements that have revolutionized the way businesses operate have also given rise to new and sophisticated threats, leaving organizations vulnerable to cyberattacks that can disrupt operations, compromise sensitive data, and inflict severe financial and reputational damage.

Amidst this evolving threat landscape, it has become glaringly evident that business leaders must not only acknowledge the significance of cybersecurity but fully embrace it as a core pillar of their strategic vision. From startups to multinational corporations, the call to action is clear: It’s time to wake up to the urgency of cybersecurity preparedness. 

This article delves into the compelling reasons why business leaders must shed any complacency and take proactive steps to fortify their organizations against the relentless and evolving tide of cyber threats. As the digital realm continues to expand its influence, the business world must rise to the challenge, or risk being swept away by the repercussions of inaction.

The End of “Groundhog Day” for the Security in the Boardroom Discussion?

In an article by SecurityWeek, they wrote, “As the SEC (The Securities and Exchange Commission for the United States) cyber incident disclosure rules come into effect, organizations will be forced to seriously consider giving security leaders a seat at the table. It’s the next logical step to be able to comply with the disclosure and oversight requirements as the new guidelines detail.

The positives of SEC involvement

Feedback from industry professionals highlights the pros and cons of the new SEC rules. But since the new rules are inevitable and disclosure reports are due beginning December 2023, the time has come to focus on the positives for the industry that the SEC is stepping in. ***Usually, Canada mirrors the U.S. protocols

Having some standardization of terminology, for example, the definition of an incident and what is material and thus disclosure-worthy will enable executive leadership to focus on exactly what is needed in the boardroom. This should save organizations from spending cycles setting their own policies, procedures, and reporting practices. The other positive is that the initiative will likely drive investments in security technology, which is a good thing for security professionals and organizations as they will be more protected.

The implications to board composition

At the same time, the guidelines plainly state that organizations will be required to “describe the board of directors’ oversight or risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cyber threats.” This is incredibly difficult to do given the dearth of security expertise on boards. 

Brian Krebs recently updated research he did back in 2018 on Fortune 100 companies that list a CSO or CISO in executive leadership positions on their websites. At the time, only five of the Fortune 100 did. Using the latest available list (2022), he found there are still only five! 

Organizations, including IANS and Heidrick & Struggles, have conducted studies of their own that also reveal security leaders have little representation at executive levels.

We all know that most companies employ a CISO or CSO these days, and that cybersecurity is a topic on the board’s agenda. But if that individual is not actively sitting on the board, how confidently can that company state they have cyber risk oversight capabilities and management expertise in the boardroom?  

A tangible win-win

There’s also an interesting dynamic at play from the CISO perspective. Salt Security’s State of the CISO 2023 report found that topping the list of personal challenges CISOs face are concerns that a security breach in their organization may result in personal litigation and liability. The fear is so acute that some CISOs are opting for roles below the CISO level or requesting indemnification. Given legal proceedings against the CISO of SolarWinds and the former CSO of Uber, this reaction comes as no surprise and will fuel further concern.

However, at a time when organizations need their experienced CISOs more than ever, the SEC ruling can help turn this challenge into an opportunity. Executive leadership can stem the tide of CISOs looking to step back to reduce their own personal risk by offering a board seat that extends director’s and officer’s insurance to them and helps allay some of their legal concerns. 

Elevating CISOs to the board also demonstrates in no uncertain terms that the board is prioritizing cybersecurity. Invitations to present to the board at select times and investment reviews only during budgeting season will become a thing of the past. The stage is set for collaborative assessment of the people, processes, and technologies in place to protect the business and continuous review of the dynamic threat landscape and the investments needed to mitigate risk.

SEC involvement is the catalyst we need to get security representation in the boardroom – at long last! As security professionals, we should welcome the opportunity as it means the responsibility of protecting the business is finally recognized as a key enabler of business strategy and treated as such.”

Chronic Security Issues

In excerpts from an article by Cyber Security Dive, they wrote, “Digital risks confronting organizations remain the same year after year, and the threat and potential damage awaiting unsuspecting victims is abundantly clear. Yet, many organizations still struggle to address the fundamentals required to take cybersecurity seriously.

For the things that do go wrong, there’s a good chance the initial point of intrusion or attack will sound like a broken record. Phishing, unpatched vulnerabilities, and generally lackadaisical processes come up time and again.

To shake the industry into action, a cataclysmic event may be required.

“Maybe we need another Snowden moment,” Chester Wisniewski, field CTO of applied research at Sophos, told Cybersecurity Dive last week at the annual industry gathering.

When Edward Snowden, a former intelligence consultant and whistleblower, leaked highly classified information from the National Security Agency in 2013, it created a revelatory moment in technology.

“Suddenly, we went, ‘Oh, geez, we kind of have to encrypt the internet.’ And look, it took us 10 years, but the whole internet’s encrypted now,” Wisniewski said.

Many cybersecurity experts, Wisniewski included, were lecturing the industry to fully encrypt the internet starting two decades ago. The repeated warnings finally reached a rallying point after Snowden’s revelations hit.

Persistent prodding from the threat intelligence community is making an impact. More organizations have been roused into taking security more seriously.

“Here we are in 2023, find a website that’s not encrypted. You can’t find one, but it took a Snowden moment to get everybody to go and do it,” Wisniewski said.

Repetition will spur action …  eventually

Fear is a powerful motivator, but repetition — such as threat intelligence from researchers and analysts about supply chain attacks, exploited vulnerabilities, and ransomware — might be what’s required to push more organizations into action.

“There’s a lot of gamblers out there,” said John Shier, field CTO of commercial at Sophos.

Repetition plays an important role for cybersecurity professionals, precisely because it can eventually hammer the preventable dangers home for business leaders that need to hear their message the most.

John Dwyer has watched best practices go unfollowed his entire 15-year career.

“Overextension of privileges, overextension of connectivity, and overextension of access have been prevalent for a long time,” Dwyer, the head of research at IBM Security X-Force, told Cybersecurity Dive.

“Since I started in my career, people have been saying take away local administrative rights,” and it’s still a common problem today, Dwyer said.

Despite the recurrence of long-ignored threats, Dwyer said he’s seen a change during the last five years, marked by more organizations willing to invest in security and apply best practices.

“On the outside, it may seem like no one’s actually taking any of this stuff to heart,” Dwyer said. “People have been talking about the same thing forever, and you’ve had the same kind of vendors saying the same thing. What changed is that the threat landscape changed so that every organization on the planet is now actually targeted, more or less.”

More organizations are assessing ways to reduce risk through security controls, better architecture, and zero-trust models that limit privilege and access, but acquiring the investment needed to achieve those goals remains a hurdle for some companies, according to Dwyer.

Same old problems beat the alternative

Hearing about and sharing the same threats year after year might be tiring on some level for cybersecurity professionals, but for organizations under attack, it’s probably better than the alternative.

Companies can patch vulnerabilities in hardware or software before a threat actor exploits them, strictly monitor supply chains, and limit the impact of phishing attacks.

“Phishing is still king, and how long have we been talking about phishing?” Dwyer said.

“Just because someone gets phished doesn’t necessarily mean that your organization is going to burn to the ground. There’s a whole bunch of stuff that happens in between that,” Dwyer said. “I think we just need to move to assume you’re going to get phished, assume that you’re going to get exploited. You still have a lot of opportunities to prevent a crisis, even if that happens.”

Much like the long slog the industry endured before encryption became standard and universally adopted, strengthened defense practices and infrastructure might percolate through businesses from the top down.

“Early on,” Wisniewski said, “it was just the richest, biggest companies that understood the problem.”

Why Are So Many Execs Sleeping On Cybersecurity?

In excerpts from an article by Forbes, they wrote, “Cybersecurity is like fire prevention: Sure, your house is probably not going to catch on fire this year, but you install smoke detectors and pay your insurance premiums anyway. In fact, these days, it’s much more likely you’ll wake up to find your business has been shut down by hackers than arriving home to a pile of smoldering embers where your house used to be.

And yet, I still encounter many business leaders who are resistant to investing in systems and training to protect against cyberattacks. There are all kinds of justifications, from “We’re too small to be a target” to “We spent a lot of money on this a few years ago and haven’t been hacked yet.” Lots of CEOs and CIOs I talk to think they’re safe because they don’t have anything worth stealing.

They’re wrong. And the risks they’re taking are growing by the minute. The reality for any business leader is (and this is where the comparison to a house fire departs) that a cyberattack isn’t a possibility — it’s an eventuality. You may never have enough money to prevent an attack, and there aren’t enough systems or humans in the world to detect them all. Therefore, you need to invest just as much time and energy in being able to respond and recover.

We know of one company that got hit with a ransomware attack where the hackers demanded $100,000 worth of Bitcoin to release the company’s data. The company didn’t pay, and rightfully so, but fixing the breach left the firm unable to do business for two weeks and ultimately cost it over $1 million to recover. And this particular company was lucky: A lot of companies simply couldn’t survive being dead in the water for two weeks without a functioning website, online ordering system, or email.

Your business is not immune. Hackers cast a wide net in their search for vulnerable targets. Whether your company generates $10 million or $10 billion, chances are hackers have identified your point in the financial value chain and are trying to penetrate your defenses right now.

We think of cybersecurity as having four main components:

• Prevention: The combination of systems and procedures designed to keep cybercriminals from accessing your networks. Think of it like the hazmat suits workers wear to protect themselves against biohazards. They are very effective at keeping out dangerous bugs but are far from foolproof.

• Detection: The last line of protection — or, what your organization does to quickly identify when something or someone has penetrated your defenses.

• Response: A well-rehearsed and carefully coordinated action that takes preparation.

• Recovery: The ability to resume normal operations. The speed at which you can recover is what determines the business impact.

Some security measures are easy to install and nearly invisible, such as next-generation firewalls and intrusion prevention systems. They work in the background and block phishing attempts from sketchy IP addresses, malware, and hackers who probe your networks looking for a way in.

Prevention technology can be purchased, of course, but you also can’t neglect the people and processes that are part of the equation — intrusion detection, response, and recovery. That requires training, including tabletop exercises, to drill into employees exactly how to respond when there is an attack. And I’m not talking about the IT team sitting around running simulations by themselves. The CEO has to be involved in the exercise — after all, there are few events that can cost an executive’s job faster than a debilitating cyberattack.

It’s also important to secure participation from all stakeholders in cybersecurity — before an event occurs. That means human resources, legal, corporate communications, and outside partners like IT vendors and public relations firms. Specific responsibilities for each group must be established from the beginning, as well as setting up lines of communication with outside entities like regulators, customers, and the media.

Rolling the dice on a cyberattack creates an enormous financial risk for your business. But the stakes are much higher than that. Doing so is also, in effect, gambling on the livelihoods of all of your employees and the data security of your customers. As a leader, you have a duty to protect them all.

So ask yourself: If one of your employees opens a phishing email tomorrow, what technology, people, or processes do you have in place to protect that hacker from burrowing into your company’s business? And if they do find a way in, what’s the plan for the next 24 hours and beyond? If you can’t answer both of those questions in detail, you’re sleeping while your house is on fire.”

As the digital landscape evolves and cyber threats become increasingly sophisticated, the imperative for business leaders to awaken to the critical importance of cybersecurity has never been more urgent. The examples provided here underscore the reality that cybersecurity is not just a technical concern but a fundamental business necessity. The wake-up call has arrived, prompting us to recognize that cyber incidents are not a matter of if, but when.

The SEC’s involvement in mandating cyber incident disclosure underscores the gravity of the issue and propels cybersecurity to the forefront of boardroom discussions. The integration of security leaders into executive leadership will not only provide the necessary expertise but also demonstrate an unequivocal commitment to safeguarding the organization’s interests. The trajectory of the industry is shifting, driven by repetition, regulation, and the stark reality that cyber threats pose a risk to businesses of all sizes.

In this journey towards fortified cyber resilience, business leaders must invest not only in preventative technologies but also in cultivating a culture of cybersecurity awareness throughout their organizations. By prioritizing cybersecurity and preparing comprehensive response and recovery strategies, leaders can ensure that their organizations are not only equipped to withstand inevitable cyber incidents but can emerge stronger from these challenges.

In this ever-evolving digital frontier, business leaders stand at a crossroads. They can either continue to sleep on cybersecurity, exposing their organizations to irreparable harm, or they can heed the wake-up call, embarking on a path that secures their future and safeguards the trust of customers, partners, and stakeholders alike. The choice is clear: Tomorrow’s success is dependent on securing today’s business against the relentless tide of cyber threats.

At Adaptive Office Solutions, cybersecurity is our specialty. We keep cybercrimes at bay by using analysis, forensics, and reverse engineering to prevent malware attempts and patch vulnerability issues. By making an investment in multilayered cybersecurity, you can leverage our expertise to boost your defenses, mitigate risks, and protect your data with next-gen IT security solutions.

Every single device that connects to the internet poses a cyber security threat, including that innocent-looking smartwatch you’re wearing. Adaptive’s wide range of experience and certifications fills the gaps in your business’s IT infrastructure and dramatically increases the effectiveness of your cybersecurity posture.

Using our proactive cybersecurity management, cutting-edge network security tools, and comprehensive business IT solutions, you can lower your costs through systems that are running at their prime, creating greater efficiency and preventing data loss and costly downtime. With Adaptive Office Solutions by your side, we’ll help you navigate the complexities of cybersecurity so you can achieve business success without worrying about online threats.

To schedule a Cyber Security Risk Review, call the Adaptive Office Solutions’ hotline at 506-624-9480 or email us at helpdesk@adaptiveoffice.ca

Categories
Archives