Emerging and evolving cyber security risks are consistently rated as a top concern among business leaders, and it’s easy to see why: the global cost of cybercrime is projected to rise to US$6 trillion a year by the end of 2021 — and this was before the COVID-19 pandemic provided hackers with a whole new world of opportunities. Most recent projections estimate enterprise computers and networks are now being targeted at a rate of once every 39 seconds.
Business leaders — and especially boards of directors — need to give up on the question of whether cyber criminals will attempt to hack their organization; they will. The important question is when will they attack and what’s their likelihood of success?
Breaches don’t just affect an organization’s ability to conduct business. A well-targeted attack can compromise intellectual property, employee and customer information, and even physical locations. In such cases, the financial, legal, and reputational damages can be difficult to shake and are likely to dwarf the cost and time required to bring systems back online.
Cyber attackers are getting bolder and more knowledgeable, too, which ups the stakes significantly. With every thwarted attack or vulnerability, two or more consistently seem to spring up in its place. There is no end point for cyber maturity; organizations must constantly monitor their systems, threat landscape, and allocation of resources just to keep pace.
Security and privacy are fundamental operational and governance concerns regardless of an organization’s size. Even the largest, seemingly most sophisticated and technologically advanced enterprises are falling prey to breaches. Consider the recent case of an electric vehicle owner who managed to access data and ultimately gain control over an entire vehicle fleet. Thankfully this individual had noble intentions and reported their findings to the organization. However, things could just as easily have turned out much worse.
If a company currently eyeing a $1 trillion market capitalization can fall prey to such an attack, what does that say for organizations with a fraction of the resources?
Remember, though, it’s not just the frequency or sophistication of cyber attacks that’s noteworthy — but the rapidly growing number of potential entry points. The widespread proliferation of smart systems and internet of things (IoT) devices in cars, buildings, homes, organizations, and utilities, provides hackers with a veritable cornucopia of entry points.
As we’ve already seen, modern vehicles — with their vast array of onboard computers, wi-fi hotspots, Bluetooth, diagnostic tools, etc. — are more susceptible than ever to cyber threats. The U.S. Postal Service (USPS) recently announced plans to procure advanced delivery vehicles, which will undoubtedly come with increased cyber risks. There may be obvious benefits for client service and efficiency, but these will only be proportionate to the steps senior leaders take to head off the vulnerabilities.
Even seemingly innocuous devices like key fobs and building heating, ventilation and air conditioning (HVAC) systems, elevators, are becoming more exposed. These internet-connected and Bluetooth systems, which typically prioritize functionality and experience, often treat cyber security as an add on. This leaves many vulnerable entry points for hackers, who can often piggyback on these systems to penetrate deeper into the network — whether to steal data or hold systems for ransom. One casino discovered this the hard way, as the compromise of a simple internet-connected aquarium thermometer gave hackers a direct pipeline to the high-roller database.
Even security systems, which by their very nature are supposed to provide early threat detection and unparalleled peace of mind, can become an Achilles heel without the right oversight and controls. Case in point, a group of hackers recently gained access to 150,000 live security camera feeds at hospitals, businesses, police departments, prisons, schools, and major organizations. The long supply and operations chain of these and other devices make it difficult to pinpoint the weak link, which can come from within the organization, via third-, or fourth, or fifth-party vendors.
Consumers are becoming increasingly worried of how organizations are collecting and using their personal data — especially as data collection becomes more commonplace and breaches continue to make headlines. Regulators are catching up, too. While this increased attention can make leaders feel like they’re constantly under the microscope, it’s also worthwhile to consider the potential competitive advantages a strong privacy posture can offer.
Consumers are better informed and more digitally sophisticated than ever and privacy is fast becoming a leading driver in their purchasing and brand loyalty decisions. What data an organization collects is critical. Equally important is how they collect, use, and secure this data. Strong and transparent data protection policies and rigorous governance are rapidly reaching parity with price, quality, and customer service as competitive value propositions.
Apple Inc. offers an intriguing case study as a large technology company advocating for and actively taking steps to protect user privacy. Even as many of their competitors are shirking demands for greater disclosures and user control over their data, Apple is taking a different tack by vocally championing the concerns and priorities of its loyal user base.
No doubt, there are several up-front costs to building an authentic, rigorous, and outspoken privacy culture. But the opportunities and long-term rewards will more than make up for it.
The days of seeing privacy and security as purely a technology concern are long past. We’ve already seen the outsized role of culture, brand, and policy in mitigating risk and preventing an attack. Senior leaders (and especially directors) therefore must embrace the challenge of creating a culture and policy framework that effectively manages and mitigates cyber and privacy risks. Everyone in the organization has a role to play in preventing, reporting, and responding to an incident. But it begins at the boardroom table.
As board members continue to lead from the front, these mindsets can help set the tone by guiding decisions, informing priorities, and influencing discussions.
Board members are also in a unique position to influence and re-shape an organization’s culture from the top down. As the seven principles above can go a long way in shaping the attitudes and objectives of the board itself, the following six steps can similarly set the stage for an enduring and cyber resilient culture.
The COVID-19 pandemic has seen a glut of scams, frauds and misleading claims from malicious and opportunistic actors. The Canadian Government reported the cumulative volume of coronavirus-related emails and threats is possibly the largest ever collection of attacks exploiting a single theme. The pandemic has created a perfect storm of fear, uncertainty, doubt, and chaos — and the bad guys have stepped up to the occasion. Organizations, and especially boards, must do the same.
It would be foolhardy to perceive the current crisis as a blip in the radar and expect a return to the status quo once the broader issues subside. A return to normalcy will bring new challenges as organizations adapt to hybrid operating models, a growing divide between people working in the office and from home, and reinvest in digital initiatives that may have temporarily been shelved in favour of more pressing concerns.
Concerns and vulnerabilities around the pandemic have been especially salient over the past 12 months, which has a drawback for criminals as much as a benefit. Sure, there are vulnerabilities to exploit, but people can become wise to the tactics. Will you be ready when the hackers change their modus operandi?
It’s happened before and it will happen again. A top-down approach for risk management and resilience is the only way you can answer that question with any degree of confidence.
To learn more, or to request a free consultation, contact Danny Timmins.
Danny Timmins, CISSP, is MNP’s Cyber Security National Leader. Danny and his team have extensive experience advising business leaders and boards of directors on cyber security risks, trends and opportunities and have helped many Canadian organizations improve their resilience to attacks.