The Top 7 Cybersecurity Threats for C-Level Leaders in 2020
In looking at the future we must first look to the past. Without a doubt, there will be key cybersecurity focuses from the past five years that will continue into 2020 and beyond. These include mitigating phishing and ransomware attacks, IoT vulnerabilities, and mobile security threats, as well as increasing secure DevOps and continued migration to the cloud. This is probably not a surprise, and it is something many C-level leaders are aware of, whether or not their company has fully invested in these areas.
However, the cybersecurity concerns that will impact businesses over the next 10 years are just as complex, more deeply rooted, and in some cases harder to change. In this article I am not referring to something like quantum computing. I am referring to the challenges that have already plagued us the past few years, and that can no longer be allowed to continue over the next ten years if you want to have a thriving business in the next decade and beyond. I am referencing the reality of living in a video streaming world while still using DVD players (or beta players) to watch movies. These threats don’t always revolve around technology. It’s a mindset that requires behavior change. It can be hard to understand, and it often requires us as leaders to look at ourselves and ask the hard questions.
For C-level executives, here are 7 cybersecurity threats of 2020 that will impact your business this decade if not addressed.
Uninformed executives continue to be the #1 cybersecurity risk for a company. I know this is a bold statement, but can you really think of anything scarier in a company today than an uninformed C-level executive making decisions that impact not only the cybersecurity program of an organization but the alignment of security and business objectives, including the cybersecurity budget, the organization’s approach to vendor risk, and the overall impact on clients? The ultimate accountability for the cybersecurity program lies with the management team of a business, and a true lack of understanding of risks by C-level executives is what will cause a business to not survive in 2020 and beyond. I am not just referring to the impact of one breach. I am talking about the consistent and ongoing lack of engagement by an executive, or executive team, on the topic of cybersecurity and then making decisions that impact clients, employees and other stakeholders. Demonstrating cybersecurity understanding and awareness in the next five years will be critical for all members of executive teams and board members, regardless of your role. It will be a qualifying piece in the price of admission. Globally, 40% of companies cited their executives, including the CEOs, as their highest security risk (Information Age/Prescient, 2019). In many cases, executives can be the target of a malicious hacking scheme, and in other cases, an executive can fall prey to an attacker via social media, when traveling, or when accessing email.
Thinking global politics and security trends won’t impact your business. In 2016 we saw how the election impacted not only the public but also Facebook. Economic espionage by countries, particularly China, is well known and continues to be a persistent threat to businesses and universities in the United States. Nation-state hacking does not appear to be slowing down, and a potential war with Iran only increases the likelihood of a cyber war impacting businesses. A cyber war puts all businesses, including small businesses, on the front lines of a war.
Dismissing AI as part of your company’s detection and response strategy. In this decade, as the cyber threats become more AI enabled, our ability to respond will need to be congruent. As technology threats change, the way we defend against them will need to change. As a C-level executive, do you know how AI and machine learning are being utilized in your company’s cybersecurity program? The Capgemini Reinventing Cybersecurity and Artificial Intelligence Report states that 69% of enterprises believe AI will be necessary to respond to cyber-attacks. Additionally, 64% of enterprises say that AI lowers the cost to detect and respond to breaches and reduces the overall time taken to detect threats and breaches by up to 12%. The amount of time threat actors remain undetected drops by 11% with the use of AI (Forbes).
Unaware of vulnerabilities from IT teams or managed service providers. Ignoring, or failing to mitigate, risk from those who have access to our environment can be “business ending” in this decade. Managed service providers are increasingly targeted by cyber criminals. Building a zero-trust technology environment is only one way to address this. Combined with consistent follow-up with third-party technology vendors and internal checks and balances with the IT team, it forms a trifecta approach to this risk.
Underestimating the impact of 5G on your business. This will severely impact IoT devices in your business and your home. As a C-level executive, are you thinking about the impact of 5G on your company infrastructure and cybersecurity program? Once 5G networks are rolled out to the larger public, devices (IoT) will be connected from a variety of mediums, increasing vulnerability to attackers (Malwarebytes). The NotPetya attack in 2017 caused $10 billion in corporate losses. The combined losses at Merck, Maersk, and FedEx alone exceeded $1 billion. 5G networks didn’t exist at the time, of course, but the attack illustrates the high cost of such incursions (Brookings).
Playing the “waiting game” on privacy. Compliance overall will impact a company’s profitability if there is a breach AND a lack of adherence to a regulation resulting in fines. Privacy and cybersecurity regulations are increasing annually. As a C-level leader, are you reviewing the type of data you collect, what you do with it, and how you protect it? The Global Data Protection Regulation, GDPR (privacy regulation in Europe), and the California Consumer Privacy Act, CCPA (effective January 1, 2020), indicate maintaining reasonable data security is no longer enough. If operating in regulated areas, you must determine how to align your business goals with privacy rights of individuals around the world. Adherence to GDPR (which applies to all businesses, large and small, that collect data on European residents), CCPA or PIPEDA (Personal Information Protection and Documents Act in Canada) is a must as well as understanding how it impacts the roles and responsibilities of the security and technical teams. The European Data Protection Board’s recap of GDPR activities between May 2018 and May 2019 states 144,376 complaints or queries were lodged with EU data protection authorities during that year (The Legal Intelligence).
Believing it’s impossible to defend against cyber threats. This is the defeatist mentality. It’s amazing how many people I meet who say, “Is there really anything you can do about hackers anyway?” or “We’re too small.” If you don’t impact this way of thinking, it will impact your business in the next decade. In fact, you may no longer have a business. In the 2020s, doing nothing with regard to cybersecurity in your business will not be an option. It’s now part of the cost of doing business.
Jessica Robinson is CEO of PurePoint International and works as a Virtual/Outsourced CISO to middle market businesses in financial services and insurance. Jessica and her team specialize in working with companies with $100M-$500M in revenues. You can reach her at jessica@purepoint-international.com.