When attending cybersecurity conferences, you expect to learn a lot of interesting things surrounding data security, but my experience is that there is always one tidbit, one piece of information, that jumps out at you and makes you think.
At this year’s CPX360 conference, that piece of information came during the keynote address by Jeff Schwartz, vice president of U.S. Engineering at Check Point, titled “The Cyber-Risk Paradox.” Our increased reliance on technology also increases our risk, he said, even when that technology seems innocent at face value. For example, your company installs a new vending machine that accepts credit cards in the break room. You think it’s a great perk for your employees because it adds convenience—they don’t have to search for loose change to purchase snacks—and you can provide higher-end, healthier items. But because your new vending machine accepts credit cards, it needs to be PCI compliant. And this, Schwartz told me during a post-keynote conversation, is a risk that leadership doesn’t think about.
Hidden Security Risks
That was the point of Schwartz’s talk. The cyber-risk paradox is that while technology is advancing at lightning speed (or so it seems) and companies are doing everything to stay current in their digital transformations, security still lags. For every new piece of technology we introduce into an organization, we add a new attack vector that requires protection. The convenience of new technologies, especially in IoT devices, adds a layer of often-hidden security risks.
It isn’t just individual devices such as the vending machine that raise concern. Schwartz provided another example: In hospitals, doctors are able to use in-room TVs to access sensitive patient information such as MRI results. These same televisions can be used by the patients to access their Netflix accounts. Again, what looks like a convenience to all can end up in disaster if there is a vulnerability in one of these accounts. Shared resources and shared infrastructure, Schwartz pointed out, create more opportunity to lose data.
And we’re losing a lot of data. More than 8 billion accounts have been compromised—a number that is greater than the global population. Statistically, every person in the world has had personal data stolen, lost or compromised.
Data Breach Fatigue
Organizations need to keep up with technological advances to stay competitive. Cybercriminals understand that, too. They also know that while their costs of launching an attack are low, the costs to defend a network and data are very high. The bad guys have the upper hand here.
But there lies another hidden risk in this paradox. When you invest in technology but not in cybersecurity, you may end up chasing customers away. Consumers are becoming more savvy about data privacy. They are also dealing with data breach fatigue. They want more to be done to protect their data, but at the same time, they are growing numb to the constant barrage of news regarding data breaches and changing passwords. We are beginning to see consumers make their purchasing decisions based on how data is used and collected. They will move on to a company that uses technology in a way that aligns with what they want from a user experience, while expecting shared data will be kept safe. If it is not, they’ll move on. You can’t stay competitive if your customers search elsewhere for data privacy and security.
3 Factors to Address Hidden Security Risks
Schwartz said there are three questions every organization should be able to answer confidently, and these factors will help to balance the introduction of technology with the introduction of security risks:
- How quickly can I adapt with business partners? You want to be a good steward of data consumption and lower security costs by working closely with your business partners. The way one company uses and secures its technology, Schwartz reminded the audience, impacts every one of its business partners as well.
- How effective are your security defenses at blocking attacks? We tend to measure effectiveness by the number of attacks we stop, Schwartz said, but we should look at the things we can measure: levels of confidentiality, availability and integrity of data and functionality. The aim should be 100 percent in defending those areas, with less worry about the number of attacks blocked.
- How quickly can I respond to an attack? Again, this is measurable in terms of knowing all of your potential attack vectors and compliance-related risks—you can’t respond to an attack if you don’t know an attack is possible.
We all love technology, but every piece of technology opens a new potential security risk, whether it is more data collection, expanded attack vectors or additional layers of vulnerabilities. The convenience of technology can improve your business or your customer relationships, but before you add, take a moment to recognize the potential hidden risk. Is a credit card option in your new vending machine worth the risk?