In the US, cybersecurity has become a top priority for the board of directors. 2017 was one more in a string of years with increasingly alarming evidence that the organizations we trust with personal data have dropped the ball when it comes to cybersecurity. News of high-profile data breaches at Equifax, Uber, Yahoo, and the US SEC topped the headlines in what seemed like a year when no organization was safe from hacking, and any hope of privacy for consumers around the world has become a foolish naiveté.
Meanwhile, in just 4 months, this coming May, the highly anticipated EU General Data Protection Regulation (GDPR) takes effect. With fines as high as 4% of global revenue and extra-territorial enforcement, US organizations with customers in the EU are anxiously working on compliance plans that impact people, process, and technology, to avoid a violation.
The hard costs of a breach today are high and about to get much higher. It should come as no surprise that understanding cybersecurity is a top priority for boards in 2018. Whether your organization is currently making investments in digital transformation or not, there has never been a better time to think carefully about your cybersecurity strategy and implement change as required.
Here are a few of the most common initiatives we at Luminos Labs are assisting our eCommerce clients with.
1) Accelerate the replacement of outdated technology
One of the most frequent and glaring issues I have encountered while assessing digital commerce tech ecosystems for mid-market and enterprise clients is cybersecurity risk created by excessive technical debt.
Whether your organization is handling eCommerce with a mesh of homegrown applications or an old vendor platform, the cost and complexity of maintaining these systems can often be overwhelming.
In 2017, the average cost of a data breach in North America was $1.3 million for enterprises and $117,000 for small and medium-sized businesses, according to a report from Kaspersky Lab. Meanwhile, the average annualized cost of cybersecurity has reached $11.7 million according to a report developed by Accenture. Now that cybersecurity is on the tip of every board member’s tongue, it’s an easy win to include the reduction of these costs and risks in a business case for new technology.
Organizations making investments in digital commerce are exceptionally well positioned to make meaningful, positive change in their cybersecurity profile. When considering changes to the technology underpinning the customer experience on the path-to-purchase, include cybersecurity requirements. These decision gates should be part of the process of selecting technology and ensure it’s a high priority capability for your digital commerce solution partner.
2) GDPR compliance improves security
The costs of violating the GDPR are clearly attracting much attention. Interestingly, a violation incurred as a result of technology that is out of compliance is still the responsibility of the business using that technology, whether it is on premise or a cloud-based platform.
A strategy that includes compliance with GDPR provisions such as privacy by design puts the organization in a better position for success in the short and long term.
It’s important to point out that all of the costs we’ve identified here are to the businesses, but personal data breaches also cost the most important people in any market: Our customers.
Besides all the legal considerations, protecting customers’ data is obviously just the right thing to do. It’s nothing less than what we expect for ourselves and our friends and families. There is much to do, but it’s incredibly valuable effort.
3) Ensure cybersecurity leaders understand the business
IT/Security must be in service of higher-order business goals and objectives, not an obstacle to them. Unfortunately, many organizations have fallen into the trap of allowing IT leaders within the organization to become reactive roadblocks to progress as opposed to proactive enablers of success. Although this damaging negativism can seriously impact the development of operations and products, it is reasonably easy to turn around. Above all else, it should not be acceptable for IT to stymie an initiative based solely on security concerns rooted in the current way of operating.
On the other hand, it’s critically important for IT/Security to be part of every conversation about the adoption of new technology. Under the GDPR, companies are accountable for a personal data breach, even when it’s information stolen from a cloud-based vendor platform.
IT/security executives work best when they are included in the conversation in much the same manner as a CFO: early and often.
They should attend board meetings when security is on the agenda and be given the opportunity to present a strategy to support the organization’s priorities. Conversations rooted in the possible should be encouraged. Conversations that sound like: “We can’t accomplish A because of B security risks,” should be replaced with: “It will take X to accomplish Y with appropriate attention to the relevant cybersecurity risks.”
If cybersecurity is part of the discussion of all new products and services, it will naturally follow that the relevant personnel are included in the conversation when there is enough time to plan accordingly.
4) Engender a culture of cybersecurity
Keeping vital data assets safe demands much more than merely installing antivirus software and hardening networks. Social engineering cost businesses $1.6 billion between 2013 and 2016 and phishing attacks cost the average large company $3.6 million a year. Create and nurture a culture of security to reduce these costs and risks.
To do so, continually communicate the importance of security. Educate teams on the evolving nature of the threat and hold contests to normalize and incentivize best practices. Empower frontline ownership of security while putting the top-down guardrails in place to keep colleagues safe.
Teams with a culture of cybersecurity will not be surprised or confused by routine security assessments and necessary updates. They should participate in upfront planning for incidents and have identified and defined roles during a crisis. Conduct exercises to simulate the causes and conditions of a breach and practice the response.