The steps every organization should take to improve its cybersecurity and prepare for a digital transformation.
As technological advances continue to affect bottom lines and leadership agendas, senior leaders are grappling with a significant challenge: weighing the risk of fraud against the benefits of digital transformation.
The benefits of digitalization are clear: Research by Capgemini and MIT finds that organizations that embrace digital transformation outperform their competitors in profitability, revenue, and market value. Yet in spite of these benefits, the greatest risk for many organizations may not be losing ground in the market but losing money, invaluable data, and customer trust at the hands of a preventable cyberattack.
According to a pre-pandemic survey by Javelin, more than one-third of organizations stated they were forced to rein in digital transformation plans due to the risk of fraud. Even after widespread lockdowns forced many organizations to forge ahead, rapid transformations didn’t occur without loss. As many global organizations quickly shifted to remote working arrangements in March of 2020, ransomware attacks increased by 148%. Cybercriminals ramped up their attacks as the pandemic wore on, turning their attention to bigger targets, including major corporations, government organizations, and healthcare groups, according to INTERPOL.
Preparing for Digital Transformation
Research by McKinsey & Company finds that among U.S. companies, the pandemic accelerated the adoption of digital technology for customer interactions, supply chain interactions, and internal operations by three to four years. Meanwhile, consumers are three times likelier now than before the pandemic to say that at least 80% of their customer interactions are digital.
In order to remain competitive in today’s fast-changing world, the adoption of digital technologies is table stakes for many. Unplanned digitalization initiatives bring with them an increased likelihood of fraudulent attacks. Yet organizations can safeguard against cyber risk in several substantive, tried-and-true ways. Here we outline steps companies can take in the short, medium, and long term to protect themselves before embarking on any large-scale digital transformation.
Short Term: Establish a Strong Foundation
From ransomware attacks to data breaches, the costs associated with cyber events can be steep — averaging over $8 million. Amid continually rising cyberattacks, every organization should develop a solid grasp on cybersecurity basics. Business leaders can take quick, immediate steps to prime their organizations for a cybersecure foundation that will better safeguard against cyber threats.
Reduce risk by building fraud awareness
Prevention starts with awareness. Business leaders should strive to educate themselves and their teams on the most common threats and how these schemes work. At the very least, all members of an organization should understand the basics of identifying and avoiding the following:
Cyberattacks take many forms and target many entry points, but they also evolve at a breakneck pace, putting cybercriminals at an advantage. As such, it’s important for business leaders to generate a comprehensive, companywide understanding of basic and sophisticated threats. Particularly during periods of digital transformation, today’s business leader needs to know which ransomware schemes are the most prevalent, how threat actors are attacking businesses, and what’s on the horizon over the next six months. The FTC frequently updates its website with the latest fraud and cybersecurity threats, making it a reliable resource for up-to-date information.
Establish clear protocol
Even conscientious organizations should frequently revisit their approach and ensure that all employees are following established protocol. Cybersecurity essentials include:
- Ensuring up-to-date software and virus protection on company-issued devices
- Requiring strong, frequently updated passwords
- Enabling multifactor authentication when available
- Educating employees on how to safeguard company-issued devices, particularly when working remotely or traveling
Recognize the impact of remote work
Prior to the pandemic, few organizations were prepared for an abrupt shift to remote work, and their current cybersecurity plans reflect these limitations. With 82% of employers committed to making remote work a permanent offering, it’s crucial that business leaders are equipped to address the key cybersecurity challenges associated with a remote workforce.
Medium Term: Take Proactive Measures to Reduce Risk
When organizations undergo rapid transformation, they often become appealing targets for threat actors. As business leaders ramp up their investment in digitizing technologies, they should also be investing heavily in measures designed to mitigate the risk of a cyber event and reduce potential loss.
Create a data breach response plan
Research has found that the longer it takes an organization to react to a breach, the worse the collateral and financial damage. The single most valuable asset against a cyberattack is a data breach response plan that the organization develops and regularly updates. Likewise, organizational data collection and protection policies should be clearly defined and established for all business units and leaders.
Engage a cybersecurity attorney
Any organization that collects or stores customer data — particularly those that possess sensitive data such as personal health information, financial data, Social Security numbers, or biometric data — should consider engaging the assistance of legal counsel with a specialty in cybersecurity. When hiring a cybersecurity attorney, organizations should look for one who is both a fluent technologist and an experienced counselor. Indeed, any organization undergoing digital transformation should consider engaging a cybersecurity attorney to help assess liability, develop a data breach response plan, and take on cybersecurity insurance.
Consider cybersecurity insurance
Before an organization increases its reliance on digital tools, it should first consider investing in a robust cyber insurance policy. Choosing from many plans and providers requires organizations to establish a clear understanding of their data liabilities; engaging cybersecurity counsel can help negotiate cyber insurance coverage.
Long Term: Make Cybersecurity an Ongoing Initiative
Business leaders should strive to build a cybersecure culture, one that is embraced and regularly reinforced throughout the organization — including by all C-suite leaders. The benefits of this approach are overwhelming: 66% of organizations surveyed by ISACA attributed a reduction in incidents to successfully entrenching a culture of cybersecurity.
Foster a top-down cybersecure culture
A cybersecure culture is one in which every employee is trained to identify risks, understands protocol, and feels empowered to speak up when suspicious activity arises. For many organizations, developing an ongoing fraud and cybersecurity employee training program will be an important first step. Championing and rewarding employees who report suspicious activity can help motivate teams to keep cybersecurity top of mind. Finally, it’s crucial to ensure that all leaders within an organization are clearly following protocols. C-suite leaders should consider embedding cybersecurity into their periodic leadership meetings and enthusiastically celebrate successes in this arena.
Treat data like revenue
Every large-scale organization has a finance department dedicated to auditing, supervising, and securely disbursing its revenue. Data should be treated no differently. Rather than regarding data as an asset, business leaders should treat it like revenue by putting similar processes and controls in place. At minimum, a strong data protection plan should:
- Create and maintain a clear record of what data is being collected and stored.
- Define what kind of data is considered sensitive.
- Establish access restrictions on certain types of information, ensuring that no single person or account can access all of the most sensitive information.
- Regularly audit key accounts to verify proper compliance and data hygiene.
These kinds of internal controls will not only protect organizations from outside attacks but can also help to prevent internal fraud.
Ultimately, the most potent and lasting defense against any cyber threat is not expensive equipment, but the right preparation, the right plan, and the right people in place. After all, most cybercrimes emerge not from technology failures, but from human error.
Strong cybersecurity relies on strong controls, a clear understanding of risks, and vigilance in addressing them. For additional insights, visit regions.com/fraudprevention.