Cyber Security – Understand the impact. Now take action.
Almost as soon as computers were invented, some people relished the challenge of subverting them and using the technology for nefarious purposes. Fast forward to 2023 and cybercrime is a worldwide, multi-billion pound industry. With half of UK businesses having a security incident every year, it is essential to understand the threat, the potential impact on your business and what you should do to protect it.
Even the most well-funded organisations with the smartest technology have been victimized by cyber attacks. This means that no technology will keep your mid-market business 100% safe. Freeman Clarke co-founder and CEO Graeme Freeman explains the particular security issues that mid-market businesses face and how to go about creating a truly secure environment.
When the global movers and shakers gathered at the World Economic Forum earlier this year, they got an unpleasant surprise — in the form of its Global Cybersecurity Outlook.
During the press conference, WEF Managing Director Jeremy Jurgens related that “93 percent of cyber leaders and 86% of cyber business leaders believe that a catastrophic cyber event is likely in the next two years.”
Jurgens was in part referring to malefactors like Russia and China making cyberwar on their enemies, whether real or perceived. But the threat is growing as well for businesses, big, small, and medium.
For example, recent ransomware attacks (criminals stealing data and then attempting to “ransom” it) temporarily shut down Canada’s largest bookstore chain and the UK’s Royal Mail.
These organizations have impressive security budgets and all the latest security tools and tech. If they can be victimized, how can a mid-market business keep itself safe?
The answer is more straightforward than you may think: it’s expert leadership in the C-suite.
As a CEO, you can’t be responsible for all the technical details. But you can, and must, be able to ask the right questions of the people responsible for security—and stay on top of them.
Most attacks use simple methods. The reason they’re successful is because companies have forgotten to get the basics right. So we urge you to ask your IT team or suppliers six simple questions:
Who is accountable for our security and risk strategy?
When was the last time we reviewed and tested our security?
Are security systems up to date? How do we know they’re up to date?
Do we have assessments or accreditations?
Are employees—including the CEO—regularly trained in cybersecurity and social engineering? Have we ever tested that training?
If we do end up in trouble, who’s in charge, and what’s the plan?
If your IT team can’t provide satisfying answers to all these questions, and quickly, then it may be time to consider IT leadership in the form of a fractional CIO, CTO, or CISO.
If you have any questions about cybersecurity or IT, feel free to get in touch. Unlike cyber criminals, we’re always up for a no-strings, no-pressure conversation.
For a more detailed guide to nailing down the basics, see our 13 key steps to cyber security, a comprehensive list of questions for non-technical board leaders.
Graeme Freeman, Co-founder and President of Freeman Clarke recently spoke with one of our Directors in NYC, James Sharp, about the NY Shield Act and what it means to mid-market CEOs.
This summary of their conversation forms a simple FAQ about the Act and its implications for ambitious CEOs.
What is the NY Shield Act?
Graeme Freeman: Jim, can you please start by giving a simple summary of the NY Shield Act?
James Sharp: Very simply, the law expands data security and breach notification requirements to cover any business that collects private employee and customer data of New York residents. The law requires businesses to implement and maintain reasonable safeguards to protect the security and integrity of private information.
Graeme: So, just to clarify, the law applies to any company in any state that stores data about residents of New York State.
Jim: That’s correct. It’s a law that exposes you to heavy fines regardless of where your business is based.
Graeme: And this law has been passed?
Jim: Yes, it’s live. All businesses needed to be compliant by March of 2020.
Graeme: So what are the key points about the new law, and what does the CEO of a mid-market business need to do?
Jim: Well the key points are very simple. You need to take reasonable steps to protect private information and to report any breaches; this is not complicated. But the CEO isn’t going to configure the firewall, install the software and write the password policy. So the business question is: what steps should the CEO take to ensure his or her business doesn’t end up with a fine?
“The business question is: what leadership steps should the CEO take to ensure his or her business doesn’t end up with a ruined reputation and a disastrous fine?”
James Sharp, Regional Director, Freeman Clarke
What leadership steps should the CEO take?
Graeme: Right, so what are the CEO’s actions to get compliant with the NY Shield Act?
Jim: The first action is very simple: start by ensuring that roles are clear. At the very top, a single member of the Executive Team needs to have overall accountability and the senior leaders need to meet regularly, perhaps every quarter, to discuss corporate data security. If you don’t have the expertise in the organization to lead such a committee, then you need to get it.
Graeme: OK, that’s where we come in.
Graeme: If the exec team haven’t really bought into this, how can the CEO galvanize them into action?
Jim: Well one good way to start is to get the team together to workshop scenarios. How might a security breach occur? How are we mitigating this? How would we respond? Most likely you will surface a lot of unanswered questions and a lot of “head in the sand management”.
Graeme: When you say “head in the sand management” you mean leaders in the business who don’t really understand this area so ignore it?
Jim: Yes! The members of the exec team are busy, under pressure, and they stick to what they know. Cybersecurity must be someone else’s problem.
Is this just a lot of paperwork to keep the lawyers happy?
Graeme: Once the roles are clear, what happens next?
Jim: To comply with the law you need to have a security plan consisting of corporate data policies and procedures that are regularly updated and published to the employees. And you need a comprehensive training program in place to support the knowledge transfer of the policy.
Graeme: Is this just a lot of paperwork to keep the lawyers happy?
Jim: If you just create a lot of paperwork, you’re doing it wrong, and you still won’t be secure. Time and time again CEOs believe their organization has a data security plan in place, but in reality the plan is outdated or nonexistent. Or it’s impractical and no-one takes it seriously. Most breaches happen as a result of basic ignorance or people not caring.
“Time and time again CEOs believe their organization has a data security plan in place but in reality the plan is outdated or nonexistent. Or it’s impractical and no-one takes it seriously.”
James Sharp, Regional Director, Freeman Clarke
How to make cybersecurity planning genuinely valuable
Graeme: So how do you make this genuinely valuable rather than box ticking?
Jim: The policies need to be practical, the training needs to be engaging, and there needs to be a genuine leadership commitment to making this work. If people know the basics and take this seriously then you will very likely not have a breach – it’s as simple as that. Most hacking is not very sophisticated. If you get the basics right you will probably be OK. The thing is that most companies don’t.
Graeme: What are the basics?
Jim: You need visibility into how your company’s private data is being accessed, modified, moved and deleted as well as understanding who in the organization has access to it. These actions combined with a real time security system that allows the company to generate reports and notifies the appropriate people in the event of a breach are important actions to gain compliance to the Shield Act.
What are the 5 practical action steps a CEO needs their IT team to take to ensure compliance with the NY Shield Act?
Graeme: What are the five practical action steps a CEO should take tomorrow to ensure compliance with the NY Shield Act?
Jim: Step 1 is Data discovery and classification. An organization can only protect its private data if it knows what private data it has and where it is located. There are a number of commercial tools that will automatically discover and classify a wide range of personally identifiable information (PII), including social security numbers, driver’s license numbers, bank account details, passport numbers, and more.
Step 2 is Implement a data retention policy. Only collect and store private data if it is absolutely necessary. Organizations must ensure that they have a data retention policy in place which details what data they will collect, how, and for how long they will keep it. The policy should also include details about how data should be disposed of when it is no longer required.
Step 3 is Implement an access control policy. Organizations must have an access control policy in place, which determines who should have access to what data and why, and they will need to keep an up-to-date inventory of all access controls that are assigned.
Step 4 is Adopt a real time alerting platform. In addition to monitoring changes to access controls to protect against “privilege escalation”, organizations must also monitor all access to private data and make certain they have a notification alert system in place. If a user account is accessing private data in a way that is not typical for that particular user, a real-time alert should be sent to the relevant staff for immediate review.
Step 5 is Use an advanced reporting console. Most data security platforms provide an advanced reporting console, which enables administrators to quickly and effortlessly generate reports that can be sent to the supervisory authorities, as and when required. Most solutions provide a wide range of pre-defined reports that are customized to satisfy the relevant compliance requirements.
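Steps 3 and 4 above describe keeping an inventory of who accesses what private data and alerting when an account touches data in a way that is not typical for it. The script below is an added illustration of that idea, not Freeman Clarke's code or any commercial product's: it learns a per-user baseline (which actions on which data categories, and at what volume) from a constructed sample of access-log lines, then flags later accesses that fall outside that baseline. The log format, the category names (`payroll`, `customer_pii`) and the ten-times volume threshold are assumptions made for the example.

```python
"""Added example: per-user baseline of private-data access, with alerts on atypical use.

Log format, categories and thresholds are assumptions for this illustration.
"""
import re
from collections import defaultdict

# Constructed sample access log (not real data).
# Fields: timestamp, user, action, data category, number of records touched.
BASELINE_LOG = """\
2023-03-01T09:02:11 alice READ payroll 12
2023-03-01T09:15:40 alice READ payroll 8
2023-03-01T10:01:03 bob READ customer_pii 30
2023-03-01T10:09:55 bob UPDATE customer_pii 2
2023-03-02T08:45:19 alice READ payroll 15
2023-03-02T11:20:07 bob READ customer_pii 25
"""

# Constructed "live" lines to evaluate against the baseline.
LIVE_LOG = """\
2023-03-03T09:10:00 alice READ payroll 10
2023-03-03T09:12:31 bob EXPORT customer_pii 5000
2023-03-03T13:44:02 alice READ customer_pii 3
2023-03-03T14:00:00 carol READ payroll 1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<action>[A-Z]+) (?P<category>\S+) (?P<count>\d+)$"
)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a production pipeline would count and surface these too
        ev = m.groupdict()
        ev["count"] = int(ev["count"])
        events.append(ev)
    return events


def build_baseline(events):
    """Per user: the (action, category) pairs seen and the largest record count."""
    profile = defaultdict(lambda: {"pairs": set(), "max_count": 0})
    for ev in events:
        p = profile[ev["user"]]
        p["pairs"].add((ev["action"], ev["category"]))
        p["max_count"] = max(p["max_count"], ev["count"])
    return profile


def detect_atypical(events, baseline, volume_factor=10):
    """Return one alert per event that deviates from the user's baseline.

    Reasons: no baseline for the user, a never-seen action/category pair,
    or a record count more than volume_factor times the user's previous maximum.
    """
    alerts = []
    for ev in events:
        p = baseline.get(ev["user"])  # .get() does not create a default entry
        reasons = []
        if p is None:
            reasons.append("no_baseline_for_user")
        else:
            if (ev["action"], ev["category"]) not in p["pairs"]:
                reasons.append("new_action_or_category")
            if ev["count"] > volume_factor * p["max_count"]:
                reasons.append("volume_spike")
        if reasons:
            alerts.append({"ts": ev["ts"], "user": ev["user"],
                           "action": ev["action"], "category": ev["category"],
                           "count": ev["count"], "reasons": reasons})
    return alerts


def run_demo():
    """Build the baseline from BASELINE_LOG and evaluate LIVE_LOG against it."""
    baseline = build_baseline(parse_log(BASELINE_LOG))
    alerts = detect_atypical(parse_log(LIVE_LOG), baseline)
    for a in alerts:
        print(f"ALERT {a['ts']} {a['user']} {a['action']} {a['category']} "
              f"x{a['count']}: {', '.join(a['reasons'])}")
    return alerts


if __name__ == "__main__":
    run_demo()
```

Run as-is, it raises three alerts: a bulk export of customer PII by a user who only ever read or updated small numbers of records, a user touching a data category outside their normal work, and an account with no baseline at all. In practice the baseline would be rebuilt from a rolling window and the alert routed to whoever Step 4 names as the reviewer, which is exactly the "who is accountable" question the interview keeps returning to.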
Cultural Change and Training
Graeme: How does the CEO make this important to the organization to ensure it actually happens?
Jim: Very simply, the CEO and all the senior leaders need to show by their own actions that this matters and to demonstrate compliance and good practice themselves. There needs to be training for everyone and they need to be seen to be committed and serious about this.
Graeme: And how does the CEO get independent assurance that this has all been done correctly?
Jim: The plan needs to include regular, perhaps annual, testing and assessment by independent professionals. And independent means not your existing MSP or the people who set up your security!
“Freeman Clarke Principals bring real life experience and leadership talent to help mid-market companies establish a strategy and ensure it is executed properly”
James Sharp, Regional Director, Freeman Clarke
Midmarket Business Cybersecurity Crisis Planning
Graeme: And what does the CEO need to do about crisis planning?
Jim: You need a simple, flexible crisis management plan that is actually useful in the unlikely event it’s ever needed. The plan should focus on clarity about authority, escalation paths and the technical, legal, public relations and investor relations teams required for true crisis management.
The 3 Key Ways to Transform Your Business with technology
The lockdown created an urgent need for many businesses to switch to home offices. It wasn’t easy, but it was doable: getting people connected and working from home didn’t hurt so much.
But for many mid-market business leaders, the rush to telecommuting exposed troubling strategic challenges:
Broken processes, including unresolved issues about which teams and individuals have ownership of which responsibilities
Over-reliance on individual experts and paper-based ways of working that waste manpower and don’t scale up
System-wide bottlenecks, including wasted effort and delays in management reporting
For nearly every mid-market business, security issues became even more acute. The lockdown quickly exposed weak and outdated security and authorization processes. The result? Companies are falling prey to cyberattacks. Or at best they will struggle to demonstrate regulatory compliance.
These issues call for transformational changes. And although they won’t be easy, they’re not as hard as you might think.
Transformation 1: Using IT infrastructure to add value
Companies need to ensure that their IT infrastructure matches their business strategy.
For example, we often recommend outsourcing basic IT support of cloud services. This frees up in-house people to focus on value-adding activities. Depending on your own company strategy, it may be better to in-source strategic software development, business process improvement, back-office systems configuration or data analysis.
Transformation 2: Integrated systems, processes and controls
It can feel daunting to move away from legacy ways of working. But simple, well-structured processes and systems cost less, improve customer service, and allow for compliance and business continuity planning.
If your systems and data are rationalized, you can integrate with external services, so as we mentioned above, outsourcing can become part of your strategy.
And, for many business service providers, your ability to integrate with your clients’ systems provides a point of difference and creates a barrier to exit.
Finally, this transformation creates a platform for adoption of AI/ML and for creating new online channels.
Transformation 3: Innovation and digital initiatives
Both consumers and business clients expect almost all products and services to be online. Most innovations now have digital at their heart, and digital experiences are now practically inseparable from your customers’ experience of your brand.
This technology is much more than a necessary evil. To create a high-value and agile business, CEOs must embrace technology as part of their strategy.
These are uncertain times. But many CEOs see opportunities to restructure their business, to enter new markets, and to scale up. The above three transformations offer an approach to plan for your own breakthrough.
Need help? Many CEOs work with Freeman Clarke because we take on uncomfortable changes and challenges with reassurance and guidance. Transformational change requires experienced and expert IT leadership.
We are the largest and most experienced team of IT leaders. If you want to know more about how we can help, then get in touch.
These days perhaps half of all companies face a cyber attack. The usual response is to insist that it’s the IT team’s problem. But in our experience, the buck stops with the CEO. This short video explains how you can quickly educate yourself about cyber security and how Freeman Clarke can help.