Managing enterprise risks and privacy as your technology ecosystem grows
In particular, billions of connected IoT devices and equipment represent a dangerous new wave of cybersecurity risks. The most serious IoT incident to date was a 2016 distributed denial of service (DDoS) assault on Dyn, a DNS provider. Hackers used the Mirai botnet, an army of compromised connected IoT devices, to take down major websites around the globe.
Last year, a similar botnet attack on a university harnessed 5,000 IoT devices to take down systems across the campus.
As more businesses embrace digital transformation, they digitize more critical processes, applications, and assets. In tandem, they are implementing new technologies like artificial intelligence, the Internet of Things (IoT), data analytics tools, and blockchain, to name a few. Beyond technology, many are revising business processes and altering corporate culture to streamline the transformation to digital and comply with privacy regulations.
Together, these trends represent a seismic shift that will inevitably expand the attack surface and make the organization vulnerable to new risks like ransomware, even as it must continue to defend against ongoing threats that plague companies, such as phishing campaigns. Yet just over half (53%) of North American respondents to a Nexia Global Cybersecurity Report consider cybersecurity a top concern, and just 46% say they have a cybersecurity program. This is, at best, a lukewarm response to a risk that continues to rise alongside the transformation of business, exponential increases in the number of internet-connected devices, and the escalating technical prowess of cybercriminals.
Survey responses also suggest an anemic and often incomplete commitment to treating cybersecurity as an enterprise-wide risk. In a digitally transformed ecosystem, managing risk is no longer the sole purview of the chief information security officer (CISO) and CIO; it’s the responsibility of multiple stakeholders including the CEO and the Board. That’s a profound cultural change that will require a holistic cross-functional awareness program and collaboration to protect your data assets, intellectual property, brand, and customers.
Increasingly covert and damaging new cyberattack techniques demand a proactive, collaborative culture that is shared by employees, managers, and executives alike. Cybersecurity and privacy programs should address both internal and external threats, as well as the array of digital devices and platforms (social media, for instance) that now have access to data assets.
To address these rising risks, forward-thinking companies are embracing artificial intelligence (AI) and data analytics. Combined, AI and analytics can aggregate and analyze massive volumes of data to reveal activities and patterns, and then create new threat indicators for anomalies that are not typically identified by traditional detection tools. As AI learns patterns of activities, it can begin to predict threats and their potential impacts – before they occur. And if an intrusion is detected, AI can help prioritize incident responses and automate remediation tasks.
Data breaches get personal
Safeguarding corporate data assets has been the traditional thrust of most cybersecurity programs. But as consumers use the internet to digitize almost every aspect of day-to-day life – entertainment, banking, healthcare, home security, and shopping, among others – the importance of protecting sensitive personal data has never been so top of mind. It’s difficult to ignore the rash of high-profile breaches of consumer data across industries that have resulted in financial and reputational damages, as well as loss of customers.
As with data assets, risks to the privacy of personal data increase as more consumer data is digitized and shared. In response, governments are implementing new data-privacy regulations that stipulate stringent measures for companies that collect, store, process, and share personal information. In particular, the EU’s General Data Protection Regulation (GDPR) sets forth demanding technical processes and requirements for any business that processes the personal data of EU citizens. It also establishes complex, and often very technical, requirements for mandatory breach notifications, consumer access to data, the right to be forgotten, and data portability, all of which are enforced by fines of up to 4 percent of annual global revenue.
CohnReznick’s risk-based approach to security and privacy
We work with businesses to help them understand new types of cybersecurity and privacy risks, identify gaps in their cybersecurity capabilities, and assess data-governance programs. CohnReznick goes further: We can help you proactively and continuously monitor cyber-risks, identify and protect against malicious traffic, and quickly respond to incidents. In addition, we help design and instill a company-wide culture of risk and data privacy that is essential to create and sustain a culture of trust – an increasingly critical business capability.