Cyber Security – A Top Business Risk….and Opportunity in 2021

Cyber security remains a critical element to any organization as cyber threats continue to become increasingly sophisticated, expensive, and disruptive.  As detailed below, there are many high-profile examples of cyber breaches, however it’s very important to understand that the same risk level applies to every company equally – regardless of size, industry etc.

According to Microsoft’s “The State of Cyber Security in 2020: Five Key Trends,” authored by their CTO Diana Kelley, the average cost of a data breach to a company is pegged at $4 million.  Beyond tangible cost among the major costs of data breaches are a ruined reputation and the loss of clients.

A recent example would be the class-action lawsuit filed against Marriott International Hotel, which may be facing a fine of 99.2 million pounds.

The class-action suit Marriott faces in London’s high court involves over 300 million customers, of whom about 7 million are U.K. residents. Customer personal data, including credit card details, were stolen when the hotel group’s global guest reservation database was hacked. It was found that the breach began in 2014, and it lasted until the discovery of unauthorized access to the hotel systems in 2018.

Other major data breaches in recent years involve Equifax (147 million customers) in 2017, British Airways (500,000 customers) in 2018, Google (millions of Google+ accounts) in 2018, and EasyJet (over 9 million people) in 2020.

However, with some strategic planning, you can actually flip cyber security from solely a major business risk into a force that differentiates you from your competition.

How? By making prudent investments in your cyber security program.

‍

Engage experts to perform cyber risk assessments

Cyber risk assessments are necessary for all businesses that view cyber security as an operational imperative. With this type of assessment, you are set to gain client trust by implementing the following:

• Identify and address system risks and threats.
• Adopt new security requirements that strengthen cyber security from both internal and external factors.
• Ramp up data and network security.
• Educate employees on the importance of cyber security and their role in maintaining it.
• Establish a sense of organization-wide ownership from the bottom up, so everyone becomes keenly aware of and actively participates in safeguarding business cyber security.

Routine audits performed by independent third-party auditors should ideally be conducted on a scheduled routine basis.  Best practice is that certain testing be done monthly or quarterly (ie network vulnerability scans, security awareness training) and other testing be done annually (cyber risk assessment, penetration testing).

While testing is done by independent auditors, collaboration with an organization’s internal IT team and multi-department company leadership is crucial.

‍

Obtain cyber compliance certification

Achieving relevant cyber security compliance certifications also helps increase customer confidence in your business or organization, thereby differentiating an organization its competitors.

Depending on an organization’s industry, customers and vendors, a few examples of these certifications are:

• SOC 2: A brainchild of the American Institute of CPAs (AICPA), SOC 2 is recommended for SaaS, cloud-computing providers, and similar businesses. It specifies certain criteria required for efficiently managing customer data based on the five trust service principles: security, availability, processing integrity, confidentiality, and privacy.
• PCI DSS: The Payment Card Industry Data Security Standard is an information security standard created to tighten controls concerning cardholder data. These controls are meant to reduce the incidence of credit card fraud.
• ISO/IEC 27001: There are several standards belonging to the ISO/IEC 27000 family. However, all certifications aim to equip different types of organizations with the ability to manage and ensure the security of various key vital assets. These include intellectual property, financial information, employee details, and third-party data.
• CMMC: The Cyber security Maturity Model Certification is a certification requirement of the U.S. Department of Defense (DoD) from contractors, sub-contractors, and suppliers who want to become part of the DoD supply chain.
• HIPAA: The Health Insurance Portability and Accountability Act was enacted in 1996. In relation to this, the HIPAA has established stringent privacy requirements that cover the sharing of patient medical records in the U.S. There are different types of HIPAA certification and training your employees can undergo.

There are several other compliance certification programs that can be considered as well, and all are designed not only to enhance an organization’s reputation but also to keep it safe against overall cyber security risk.

‍

Set yourself apart

To distinguish yourself from the rest in terms of Cyber security and make your business more competitive, invest in Cyber security risk assessments and certifications.

Doing so will not only enhance your reputation and help safeguard your data asset. It will also make your business stand out so you outshine your competition.

‍