Cybersecurity: 10 Factors for Business Leaders to Consider | Automation.com


By Marc Petock, VP Marketing, Lynxspring

Talk about cyber security these days often focuses on technology. As with many things, there are multiple sides that should be discussed. When it comes to cyber security, the business side may be most crucial.

From a business perspective, the negative consequences that cyber incidents can cause are disruptive and potentially catastrophic. The value of taking additional measures and procedures to increase the cyber security posture of your systems far outweighs the risk of not making them secure.

From the business side there are several points you need to be aware of and should be concerned about. Below I have listed the factors which are central to today’s cyber security environment, regardless of industry.

1. Business Ramifications

  • Interruption of business and operations
  • Exposure and compromise of intellectual property and sensitive information
  • Introduction of malicious files and viruses to the corporate IT network
  • Negative publicity, loss of customers and customer confidence
  • Brand damage
  • Financial
  • Litigation
  • Occupant harm, loss of life

2. Compliance

Data privacy laws, regulations, and industry best practices are growing stricter and, in some cases, more complex as they catch up with the variety of technologies now in widespread use in the enterprise.

3. Liability and Legality

  • Cyber security is a growing area of litigation
  • The number of class-action lawsuits resulting from cyber incidents is increasing
  • Companies that fail to protect user data can now feel the wrath of the Federal Trade Commission (FTC)
    • A panel of judges for the Third U.S. Circuit Court of Appeals recently ruled unanimously that the FTC has the legal right to sue companies that fail to protect their customers’ data with proper cyber security measures
  • The Securities and Exchange Commission pursued a company that allegedly failed to properly protect its clients’ data in what might be a first-of-its-kind enforcement action
  • Wendy’s is facing a class-action lawsuit alleging breach of implied contract, negligence, and violations of Florida's Unfair and Deceptive Trade Practices Act due to a cyber incident.

The suit alleges Wendy's acknowledged the cyber weakness and could have prevented the data breach by adopting technology that helps make transactions more secure.

4. U.S. Cyber Security Act and EU Cyber Directives and General Data Protection Regulations

  • United States: The Cyber Security Act of 2015 creates a framework for sharing cyber threat information between private entities and the federal government
  • Europe: Cyber security obligations for service operators and providers
    • European General Data Protection Regulation (GDPR) was given final approval
    • The new law, when it comes into force in 2018, will hold companies fully accountable for implementing technical and organizational measures as part of a comprehensive data governance policy.
    • Requirements include a data protection officer, investment in new technologies, significantly more documentation and regular assessments.
    • Companies will also be legally required to disclose personal data breaches within 72 hours.
    • Businesses that don't do the work and are found to be in breach of the GDPR will face tough penalties, including fines of up to 4% of a company's total global annual turnover. It’s safe to say this new regulation will have significant implications for companies of all sizes around the world.

5. State Cyber Laws

  • Each state has its own
  • Almost all laws have provisions requiring notification within a certain period after detection
  • Most appear to make no distinction between losses caused by an entity and losses caused by an entity’s vendor
  • Penalties are being assigned to instances: in Florida, up to $500,000 in civil penalties per breach for failure to notify in a timely manner; in Louisiana, $5,000 per violation if notification is not received within 10 days, with additional penalties for every subsequent day.

6. Moody’s Ratings

  • Cyber threats are treated as event risks and are being taken into account in the Moody’s Ratings evaluation
  • Looking at credit implications associated with good cyber measures: cyber defense, detection, prevention and response

7. Insurance

Insurance companies are beginning to evaluate and rate a company’s cyber health and insure (or not) and charge accordingly.

8. Cybersecurity Threat Assessment Rating (CSTAR)

  • Industry’s first cyber security preparedness score for businesses
  • FICO-like score that allows businesses to measurably understand the risk of data breaches, outages and software vulnerabilities
  • Assess risk and compliance profiles

9. Financial Institutions

For financial institutions, the Office of the Comptroller of the Currency (OCC) expects a bank to practice effective risk management regardless of whether the bank performs the activity internally or through a third party. A bank’s use of third parties does not diminish the responsibility of its board of directors and senior management to ensure that the activity is performed in a safe and sound manner and in compliance with applicable laws.

10. Questions Business Owners and Operators Need to Be Asking Themselves

  • Are we secure?
  • How do we know we’re not compromised today?
  • How would we know?
  • What would we do about it if we were?
  • Are we prepared to face the threat?
  • Do we have a cyber security statement?  
  • How about the companies in our supply chain? Are they secure?

Cyber security can no longer be thought of as a “nice to have”. The operational, financial and reputational impact to a business is tremendous. Security must be considered a fundamental requirement for both the IT and the operational infrastructure, and for all the systems that make them up. When it comes to cyber security, the business case is as important as the technology side. Businesses face a litany of existential threats such as unpredictable customer behavior and market fluctuations, all deeply familiar risks that leaders have carefully planned for and assessed over decades. Yet these same leaders are often alarmingly unprepared for the most potentially damaging threat: a massive cyber incident that could mean the loss of everything … all in a matter of seconds.
