More often than not, the privacy, data protection, and cybersecurity warnings that come our way are about password protection, phishing attempts, and the dangers of browsing unprotected in the public Wi-Fi jungle.
And while all are important measures for building resilience against cyber threats, there are other equally critical threats that we fail to mention. A recent Travelers Risk Index survey revealed some vulnerabilities that I believe should be top of mind in the enterprise world.
Confidence in the ability to mitigate a cyber attack was sky-high among respondents (at 93%), but the percentage of companies that had taken specific prevention measures was less impressive: 64% do not have endpoint detection and response in place. 59% haven’t conducted cyber assessments for vendors. And 53% do not have a response plan.
So, let’s talk about three areas where companies need to exercise greater control and caution.
1. Supply chain
Some of the most well-known examples are from the automotive industry, where attackers attempt to uncover trade secrets from automakers through their supply chains. From Toyota to BMW, cyber-attack incidents have been rising in recent years, and chief among the vulnerabilities is the information stored on public clouds. There’s no denying that threat actors see suppliers as a means of accessing classified corporate information, and more resilience is sorely needed in this area.
To step up supply chain risk mitigation, companies need to identify potential vulnerabilities across their vendor spectrum. This can be done through regular cyber assessments and even an occasional audit. It’s also time to evaluate a zero-trust approach and whether you expect that from your suppliers. Zero trust requires continuous validation at each digital interaction, on the assumption that no one is exempt from authentication.
My advice: Be clear on the privacy and data protection requirements you have for your suppliers and follow up with them regularly.
2. Your business continuity plan
Most companies believe that a cyber-attack is inevitable. And we know that most unprepared companies fail in the wake of a cyber-attack (Deloitte 2020). So, if we know it’s coming, why not plan for it? Your best bet for recovering after an attack is to plan ahead of time. The plan should cover your vulnerabilities (yes, across your supply chain, too), your response tactics, and the backup solutions you have in place should you have a critical network or infrastructure failure. It may not be a pleasant exercise, but it will be worthwhile.
My advice: Invest the time and effort in planning your response to a cyber attack now so that you have a better chance at quicker recovery when it happens.
3. Control over your data
Do you know where your data is being stored? And do you know where it’s traveling? When it comes to data security, most of us think about protecting all our work-related files from cyber-attack. But there’s so much more at risk. During the average workday, countless emails, chats, and video calls generate loads of data. Some of that data is stored and some of it is sent, and all of it should be protected from unauthorized access.
In my experience, companies today are moving to bring that data closer to home, moving out of the public clouds to comply with increasingly tight local regulations related to privacy and security. There are stringent requirements in Europe now, thanks to GDPR, which means that you have to know where your data is located and where it is going, and you also need to take measures to ensure that you are compliant.
My advice: Assess the span of digital solutions in your company and evaluate the data security controls in place (for data at rest and data on the move) from the various vendors providing services to your company.