A single cyber security incident can have an enormous impact, even if the number of compromised records doesn't reach into the thousands, let alone the millions. It can still take years for a company to fully recover from the reputational damage caused by a relatively small data breach and return to normal operations.

New School Builds on Georgia Tech’s Commitment to Advancing Cybersecurity and Privacy Education – Georgia Tech News Center (news.gatech.edu)

Summary:

  • Georgia Tech is building a new School of Cybersecurity and Privacy – "It will bring together Georgia Tech's expertise across disciplines to advance technology and find new solutions to protect our personal privacy and support our national security."
  • "Cybersecurity is not just a personal issue (our credit cards or identities quickly come to mind) but it has an even larger impact on national security, financial markets, even power grids," Steve McLaughlin, dean of Georgia Tech's College of Engineering, said.
  • "Financial technology companies leverage technology and data to fuel innovation, which makes cybersecurity and privacy vital to their success," said Ryan Graciano (B.S. Computer Science '04), co-founder and chief technology officer of Credit Karma.
  • "The creation of a new School of Cybersecurity and Privacy will help the Atlanta tech ecosystem build on two of its greatest strengths: internet security and payment processing," Taetle said.
  • "Every one of these innovations must be accompanied by new cybersecurity technologies and policies in order to keep both corporations and consumers safe," said Tony Spinelli, chief information officer for Urban One, Inc. and former chief information officer for Capital One.

Does Your Board Really Understand Your Cyber Risks? – Harvard Business Review (hbr.org)

Summary:

  • What it does mean is that board directors need to be able to establish their company's tolerance for cyber risk, define the outcomes that are most important in guiding cybersecurity investment, and foster a culture of cybersecurity and resilience.
  • While technical assessments may be sufficient for a CISO’s needs, they do not offer what the board really needs: a risk-oriented, holistic, and validated view of the company that considers the financial and business impacts of cybersecurity (or cyber insecurity) in a given company.
  • Moreover, technical reports don’t adequately capture attributes such as governance, culture, decision-making practices, or wider treatment of a company’s cyber risk profile and appetite, all of which board directors and business executives need to understand if they expect to make informed decisions about whether to allocate capital to improve cyber defenses instead of investing in other areas of the business.
  • Rather than accepting a score at face value, or even a qualitative assessment from the company’s technical managers or auditors, directors should ask for a comprehensive assessment: one that moves beyond the technical details and that includes both an outside and inside perspective.
  • Likewise, boards and business leaders need to calibrate their expectations by determining their appetite for risk and making investments in cybersecurity that are commensurate with their industry profiles.
  • As the market for cybersecurity assessments further evolves into holistic cyber-security ratings, directors and business leaders need to pay careful attention to ensuring that underlying measurements provide a true comparative benchmark, adequately consider a balance between inside and outside measures, and fully examine the technical, governance, and cultural aspects of an organization.

Corporate governance in COVID-19: Cybersecurity and technology considerations – Journal of Accountancy (journalofaccountancy.com)

Summary:

  • Cybersecurity oversight is a key fiduciary responsibility for a board of directors and was a significant concern for companies even before the COVID-19 pandemic forced so many organizations to suddenly shift to remote work.
  • With a cyber breach considered by most experts to be inevitable, cyber risk must be part of the board's overall risk oversight.
  • Amid the pandemic, the board has an enhanced responsibility to provide advice based on past experiences, across industries, and on current experiences, across organizations.

Wargaming Cyber Security – War on the Rocks (warontherocks.com)

Summary:

  • Like all wargames, cyber wargames can serve several different purposes, chiefly research and analysis, and education.
  • The U.S. Naval War College's 2017 Navy-Private Sector Critical Infrastructure Wargame, for example, was a research wargame about cyber.
  • Along with private sector participants, it investigated the threshold at which cyber attacks against U.S. critical infrastructure become a national security incident and the role of government in such a crisis.
  • Alternatively, the Atlantic Council's Cyber 9/12 Strategy Challenge is an educational wargame series, in which students around the world develop competing policy responses to fictional but realistic cyber incidents.
  • While cyberspace may consist of interconnected networks, information about these networks is nevertheless segmented and distributed across a wide range of different public and private entities.
  • A variety of contractors, consultants, and specialists offer bespoke cyber wargames, support services, and wargaming tools.

Justifying your 2021 cybersecurity budget – Help Net Security (helpnetsecurity.com)

Summary:

  • In the same way that agile organizations leverage cloud-based business applications, security teams can leverage rapid deployment of cloud-based security solutions.
  • Subscription models offer budget-conscious organizations several distinct value propositions.
  • First, the organization can reduce hardware maintenance costs, including operational costs, upgrade costs, software costs, and servicing costs.
  • The second value that SaaS security solutions offer is year-over-year (YoY) savings.
  • Aligning purchase KPIs with specific reduced operational costs can help gain buy-in for the solution.

Cybersecurity Bounces Back, but Talent Still Absent – Dark Reading (darkreading.com) [3]

Summary:

  • Companies need to have the infrastructure in place to support these new remote workers logging in from their home ISPs while also ensuring the security of sensitive data and intellectual property.
  • Whether you believe that developers need to acquire security experience or security practitioners need to learn to write code, most organizations have made a direct effort to infuse cybersecurity best practices into each stage of the software development life cycle (SDLC), rather than after the finished product is released.
  • Given that almost every action and activity in business today takes place over a network or technology system, knowledge of cybersecurity is imperative to appropriately apply it to the decision-making process.
  • Healthcare professionals and medical device professionals: healthcare organizations employ large numbers of employees who manage or have access to sensitive data and medical devices on a day-to-day basis.
  • It's important to create, tailor, and deliver upskilling solutions to employers based on their unique workforce requirements and roles.

Businesses Need to Rethink Cyber Risks for Work-from-Home Employees – Insurance Journal (insurancejournal.com) [2]

Summary:

  • If these devices are compromised, they can provide hackers with an open door into a corporation's network and data, which can be accessed and exploited without IT even noticing.
  • If employees continue to work from home and rely on personal devices for the foreseeable future, then more robust BYOD policies need to be put in place.
  • The need to provide training and communicate with employees about potential security threats is therefore even greater when employees are out of the office.


Cybersecurity Challenges for Small and Midsize Businesses – U.S. Securities and Exchange Commission (sec.gov) [1]

Summary:

  • The number of known cybersecurity incidents rose by 48 percent last year, and cyberattacks targeted at SMBs have become more prevalent.
  • According to one study, 60 percent of all targeted cyberattacks last year struck SMBs.
  • Approximately 75 percent of all spear-phishing scams in June were directed at SMBs, with the very smallest companies (those with 250 employees or fewer) bearing the majority of those attacks.
  • These attacks have also become far more costly: losses from phishing scams increased from $525 million in 2012 to $800 million last year, an increase of more than 50 percent.
  • The survey found that the cost of the average attack rose from $8,699 in 2013 to $20,752 last year, an increase of almost 140 percent in a single year.
  • Half of all SMBs surveyed reported being the target of a cyberattack, a 14 percent increase over the prior year.
  • The increase was even more pronounced for firms whose bank accounts were hacked: the average cost of those attacks rose by almost 187 percent.
  • According to one source, the number of ransomware attacks more than doubled last year, and ransomware programs can now target more than 230 different types of computer files, up from only 70 in 2013.
  • The share of firms reporting that it took them at least three days to recover from an attack rose to 33 percent last year, up from 20 percent the year before.


Resources:

[1] https://www.sec.gov/news/statement/cybersecurity-challenges-for-small-midsize-businesses.html
[2] https://www.insurancejournal.com/news/national/2020/09/17/582888.htm
[3] https://www.darkreading.com/careers-and-people/cybersecurity-bounces-back-but-talent-still-absent/a/d-id/1338852