Managing Enterprise Risks and Privacy As Your Technology Ecosystem Grows
As more businesses embrace digital transformation, they digitize more critical processes, applications, and assets. In tandem, they are implementing new technologies like artificial intelligence, the Internet of Things (IoT), data analytics tools, and blockchain, to name a few. Beyond technology, many are revising business processes and altering corporate culture to streamline the transformation to digital and comply with privacy regulations.
Together, these trends represent a seismic shift that will inevitably expand the attack surface and make the organization vulnerable to new risks like ransomware, even as it continues to contend with ongoing threats, such as phishing campaigns, that plague companies. Yet just over half (53%) of North American respondents to Nexia’s Global Cybersecurity Report 2017 consider cybersecurity a top concern, and just 46% say they have a cybersecurity program. This is, at best, a lukewarm response to a risk that continues to rise alongside the transformation of business, exponential increases in the number of internet-connected devices, and the escalating technical prowess of cybercriminals.
Survey responses also suggest an anemic and often incomplete commitment to treating cybersecurity as an enterprise-wide risk. In a digitally transformed ecosystem, managing risk is no longer the sole purview of the chief information security officer (CISO) and CIO; it’s the responsibility of multiple stakeholders including the CEO and the Board. That’s a profound cultural change that will require a holistic cross-functional awareness program and collaboration to protect your data assets, intellectual property, brand, and customers.
Increasingly covert and damaging new cyberattack techniques demand a proactive, collaborative culture that is shared by employees, managers, and executives alike. Cybersecurity and privacy programs should address both internal and external threats, as well as the array of digital devices and platforms (social media, for instance) that now have access to data assets.
In particular, billions of connected IoT devices and equipment represent a dangerous new wave of cybersecurity risks. The most serious IoT incident to date was a 2016 distributed denial of service (DDoS) assault on Dyn, a DNS provider. Hackers used the Mirai botnet, an army of compromised connected IoT devices, to take down major websites around the globe. Last year, a similar botnet attack on a university harnessed 5,000 IoT devices to take down systems across the campus.
To address these rising risks, forward-thinking companies are embracing artificial intelligence (AI) and data analytics. Combined, AI and analytics can aggregate and analyze massive volumes of data to reveal activities and patterns, and then create new threat indicators for anomalies that are not typically identified by traditional detection tools. As AI learns patterns of activities, it can begin to predict threats and their potential impacts—before they occur. And if an intrusion is detected, AI can help prioritize incident responses and automate remediation tasks.
Data breaches get personal
Safeguarding corporate data assets has been the traditional thrust of most cybersecurity programs. But as consumers use the internet to digitize almost every aspect of day-to-day life—entertainment, banking, healthcare, home security, and shopping, among others—the importance of protecting sensitive personal data has never been so top of mind. It’s difficult to ignore the rash of high-profile breaches of consumer data across industries that have resulted in financial and reputational damages, as well as loss of customers.
As with data assets, risks to the privacy of personal data increase as more consumer data is digitized and shared. In response, governments are implementing new data-privacy regulations that stipulate stringent measures for companies that collect, store, process, and share personal information. In particular, the EU’s General Data Protection Regulation (GDPR) sets forth demanding technical processes and requirements for any business that processes the personal data of EU citizens. It also establishes complex, and often very technical, requirements for mandatory breach notifications, consumer access to data, the right to be forgotten, and data portability, all of which are enforced by fines up to 4% of annual global revenue.
Similarly, California recently enacted a regulation designed to protect the state’s citizens. The California Consumer Privacy Act (CCPA) of 2018, effective January 1, 2020, will require that businesses have the ability to disclose what personal information is collected and whether (and to whom) personal data is sold, stop the sale of data, provide collected personal data when requested by consumers, and erase personal data on request. Companies that do business in California will need to develop processes to map data to understand how it is collected and shared, respond to customer data requests, and revise the technical capabilities of information systems to handle these requirements.
For many organizations, compliance with the GDPR and CCPA will be an arduous, intricate initiative. To navigate today’s challenges and regulations, companies should develop a data-privacy program that can help implement the technology, processes, and people skills to comply with these new regulations and safeguard against cyberthreats.
CohnReznick’s risk-based approach to security and privacy
We work with businesses to help them understand new types of cybersecurity and privacy risks, identify gaps in their cybersecurity capabilities, and assess data-governance programs. CohnReznick goes further: We can help you proactively and continuously monitor cyber-risks, identify and protect against malicious traffic, and quickly respond to incidents. In addition, we help design and instill a company-wide culture of risk and data privacy that is essential to create and sustain a culture of trust—an increasingly critical business capability.
This has been prepared for information purposes and general guidance only and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its members, employees and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.