More often than not, the privacy, data protection and cybersecurity warnings that come our way are about password protection, phishing attempts and the dangers of browsing unprotected in the public Wi-Fi jungle.
And while all are important measures for building resilience against cyber threats, there are other, equally critical threats that we fail to mention. A recent Travelers Risk Index survey revealed some of the vulnerabilities that I believe should be more top of mind in the enterprise world.
Confidence in the ability to mitigate a cyber attack was sky high among respondents (at 93%), but the percentage of companies that had actually taken specific prevention measures was less impressive: 64% do not have endpoint detection and response in place, 59% haven’t conducted cyber assessments of their vendors, and 53% do not have a response plan.
So, let’s talk about three areas where companies need to exercise greater control and caution.
1. Supply chain
Some of the most well-known examples of this come from the automotive industry, where attackers attempt to uncover trade secrets from the automakers through their supply chains. From Toyota to BMW, incidents of cyber-attack have been rising in recent years, and chief among the vulnerabilities is the information stored on public clouds. There’s no denying that threat actors see suppliers as a means of accessing classified corporate information, and more resilience is sorely needed in this area.
To step up supply chain risk mitigation, companies need to invest the time in identifying the potential vulnerabilities across their vendor spectrum. This can be done through cyber assessments conducted regularly, and even an audit from time to time. It’s also time to evaluate a zero trust approach and whether you expect the same from your suppliers. This requires continuous validation at each digital interaction, on the assumption that no one is exempt from authentication.
My advice: Be clear on the privacy and data protection requirements you have for your suppliers and follow up with them regularly.
2. Your business continuity plan
Most companies believe that a cyber attack is inevitable. And we know that most unprepared companies fail in the wake of a cyber-attack (Deloitte 2020). So, if we know it’s coming, why not plan for it? Your best bet for recovering after an attack is to have a plan in place ahead of time. That plan should cover your vulnerabilities (yes, across your supply chain, too), your response tactics, and the backup solutions you have in place should you suffer a critical network or infrastructure failure. It may not be a pleasant exercise to go through, but it’s one that will be well worth your while.
My advice: Invest the time and effort in planning your response to a cyber attack now, so that when it happens you have a better chance at quicker recovery.
3. Control over your data
Do you know where your data is being stored? And do you know where it’s traveling? When it comes to data security, most of us think about protecting our work-related files from cyber-attack. But there’s so much more at risk. During the average workday, countless emails, chats and video calls generate loads of data, data that is being stored and data that is being sent, all of which should be protected from unauthorized access.
In my experience, companies today are making moves to bring that data closer to home, moving out of the public clouds to comply with increasingly tight local regulations related to privacy and security. There are stringent requirements in Europe now thanks to GDPR, which means that not only do you have to know where your data is located and where it is going, you also need to take measures to ensure that you are compliant.
My advice: Assess the span of digital solutions in use in your company and evaluate the data security controls in place (for data at rest and data on the move) from the various vendors providing services to your company.