Practical and Easy Ways to Help Protect Your Business from the Hidden Risks of Cybersecurity Issues, Part II

Harumi Urata-Thompson
Published in Tokyo FinTech
Feb 11, 2020 (8 min read)

Cybersecurity should concern everyone in the era of digital assets and big data. In Part I of this article, we focused on why everyone needs to be involved in protecting digital assets. In Part II, we’ll look at how we can bring structure to implementing this. And, we’ll address what could happen if we do not.

Growing Frequency and Costs of Cybersecurity Breaches

Let’s take a look at a few statistics to see why we all need to be involved in the business of cybersecurity. Cybint research confirms that there were 1.6 billion account breaches in 2016 alone. Since 2013, 4 million records have been stolen in cyber breaches every day. Indeed, a cyber attack happens every 39 seconds. And, half of these attacks targeted small businesses, not only large global businesses. In dollar terms, the average cost of a data breach in 2020 is expected to exceed the large sum of $150 million.

Clearly we need robust cybersecurity measures to counter these growing threats. For the most part, we tend to entrust this to the hands of security and data science specialists. Yet since the beginning of human history, security has been an overarching concern for everyone in a community. As individuals, we treat our physical valuables accordingly. Who hasn’t given careful thought to how to safeguard our possessions? We do things like get locks, rent or buy a safe, or buy insurance. There shouldn’t be any difference between how we protect assets that are physical versus digital. We all need to be involved in this process by giving it the same level of care and resources.

Balancing Data Protection vs. Privacy Protection

Digital asset protection becomes harder as “big data” gets even bigger, and as more assets become available digitally. At the same time, cyber-intruders are getting smarter, more knowledgeable, and possess greater computing power than ever before. Keeping these attackers at bay is hard enough, but the difficulty is compounded by the need to pay attention to new mandates for privacy protection.

On one hand, data protection is a technical issue of how to secure data against unauthorized access. On the other hand, data privacy is about who has the data and who can have access.

The world is dealing with the emergence of privacy laws from organizations like the European Union, which passed the wide-sweeping General Data Protection Regulation (GDPR). EU regulators are going after all companies, big and small, and hitting them with substantial fines. When we see headlines with penalties imposed on British Airways on the order of $230 million or Marriott to the tune of $124 million, we know they mean business.

Dealing with data protection and privacy protection at the same time while traversing the digital asset economy is challenging. That’s because the work required to fulfill data protection requirements is not one and the same as that of privacy protection. The former requires more engineering and technical skill sets, and the latter requires more legal and compliance knowledge. We need to make sure that we have both sets of talents and skills.

Applying a Standard Framework is a Good Start, But There’s More Involved

In approaching a complex situation like this, we’d benefit by starting with some guidelines and a working framework. The National Institute of Standards and Technology (NIST) has rolled out a useful framework that can provide a working structure. Another upside of starting with an existing standard is that we won’t inadvertently leave out something important.

In Part I, we likened working on cyber hygiene to working on personal hygiene. This is not where the similarities end. Taking this further, we can see that working on improving a company’s cybersecurity profile can be just like working on one’s personal professional improvement:

1) We often ask ourselves where we want to be in 5 years. We know who we are today. So, with the visual goal in mind of who we want to be in the future, we make plans for how to get there. Improving a corporate profile works the same way. Knowing the company’s risk profile today and identifying where it needs to be in the future are important first steps. We can then develop strategies for how to fill in the gap and work toward that optimal profile.

2) When we seek to pivot our careers, there are certain things we know we must do in order to align ourselves to the new opportunity: build the network; get appropriate training; identify practical experience; touch up the resume to align with past experience. Applying NIST’s Framework similarly allows for a holistic approach to improving the company’s cybersecurity profile. There are five big buckets of functions into which cybersecurity activities are grouped: Identify, Protect, Detect, Respond, and Recover. Within each function, there are several categories. An organization may ultimately need some level of customization for a given review area. But, by creating a checklist based on these buckets, we have a great starting point to assess and strategize.

When we want to grow or change personally, we turn to professional coaches. Organizational change can and should work the same way. There are plenty of third parties whose jobs are to make sure that a company is protected in the virtual space. Their work involves everything from assessment to implementing the appropriate protection.

Given what we know now, we ask again the question we asked in Part I. Why would you leave all of these responsibilities in the hands of a few people within the company because it is called cybersecurity and it requires certain skills as part of developing and deploying a solution?

A Cautionary Tale: Without Good Structure, Bad Things Can Happen, and Get Worse

When there isn’t a well thought-out and implemented cybersecurity protection plan in place, very bad things can happen. Let’s take a look at the case of Equifax.

On Sept. 7, 2017, Equifax announced that they’d had a cybersecurity incident. It turned out to be one of the largest in history. The personal digital records of 143 million people were stolen. Equifax wasn’t just breached. In fact, the records were stolen, gone, and never to be recovered. The incidents happened from mid-May through July 2017. The breach itself was only discovered on July 29, 2017. The personally identifiable information (PII) accessed included full names, social security numbers, birth dates, and addresses. In some cases, driver’s license numbers were also included. If this were yours, the knowledge that any one of these sensitive bits of personal information was stolen would leave you feeling ill at ease.

In today’s day and age, data breaches have become such everyday occurrences that we remain desensitized unless it affects us personally. In fact, we don’t even find out about all the breaches that do happen because not every single one of them makes headline news anymore. However, if a company that was breached doesn’t have an appropriate response, it can still make headlines.

Applying the NIST Framework in the Equifax Case

The Identify and Protect buckets of the NIST Framework are what allow the organization to remain as incident-free as possible. If an unfortunate situation does occur and is Detected, the Respond and Recover buckets should have prepared the organization in advance for what to do to address the incident, rather than leaving it to a panicked realization. Odds are, any organization is a likely candidate for a cyber attack.

How an organization addresses a cybersecurity incident can help a company preserve its reputation, which took years to build. In the case of Equifax, in addition to the breach being of unprecedented scale, the company followed with the worst possible response.

Let’s break it down:

  • Equifax took a while to report the breach. Sometimes it takes time to learn what happened before a company can make a public announcement. But, in this case, taking more than a month is likely on the long end.
  • The company promised upfront that they’d provide answers. They didn’t deliver.
  • Equifax requested social security numbers from people who were trying to log into the website to find out if their account was breached or not.
  • The company posted language on their website that prohibited people from participating in class action lawsuits.
  • Equifax’s call center response was less than adequate.
  • Some executives and employees sold their company shares after the incident, but before it was publicly reported. Two people were since charged with insider trading. Shares sold by other executives were considered “not related to the incident and a small portion of their entire ownership”.

It’s hard to know the extent to which any cybersecurity breach protocols existed prior to the incident, and, if they existed, whether they were even adequate or good protections to begin with. Whatever existed, the Equifax incident has remained in people’s memories although there have been a number of large-scale incidents since.

Given that several people sold company shares immediately after the incident, there may not have been upfront education or even post-incident communication advising employees that such a breach was “material information” and that they were prohibited from acting on it.

Further, based on this observation, it wouldn’t be a stretch to guess what else may have been missing from their education, procedures, and governance policies. Who at Equifax was actually involved in setting them up? Or, who was responsible for the lack thereof?

Everyone Needs to Recognize They’re Already Involved

What makes cybersecurity just a bit more complicated is third-party risk. It’s a hidden risk we addressed in Part I mainly from the angle of ransomware. What’s key is that we’re dealing with assets that we can’t lock up physically in a house or a safe, and that we have risk coming in via third party organizations. As such, businesses need to tighten up their third party risk controls. That means that in addition to a full governance team and experts or consultants assembled to plan, develop, and implement or roll out the cybersecurity solution, a vendor management team must also be a part of this ecosystem.

Knowing this, who can still believe that this is the business of just a small group of security experts, where you can leave yourself out of the picture, regardless of your work function?

From the beginning of time, people protected things of value to them with all available means. In this digital economy era, “valuables” no longer consist solely of physical things that can be protected in heavy vaults. They now also include digital assets that need a new discipline to protect them. Regardless of what we are protecting, what remains the same is that the level of protection is only as strong as the weakest link. Physical or digital, each person has a certain responsibility to protect these assets. For starters, each employee has to protect physical devices — like a laptop — as they’re gateways with access to digital assets. A laptop should be locked up or stored away in a desk. An executive’s office should remain shut when unoccupied. Cabinet doors should stay locked unless something needs to be retrieved. We all need to play our parts in digital asset security, both as an individual securing one’s own area and as a professional providing expertise to the cybersecurity solution team.

Indeed, in order for this to become the practicing norm, cybersecurity has to be part of corporate strategy and get budgeted accordingly. Then an organization, whether big or small, can get a good handle on the cybersecurity issues and risks that loom on the horizon of an expansive digital economy.

This article is part of our Tokyo FinTech Publication, please follow us to read more from our writers, like hundreds of readers do every day.