Author Q&A: Former privacy officer urges leaders to prioritize security as part of cloud migration

By Byron V. Acohido

Cyber threats have steadily intensified each year since I began writing about privacy and cybersecurity for USA TODAY in 2004.

A stark reminder of this relentless malaise: the global cyber security market is on a steady path to swell to $376 billion by 2029 up from $ 156 billion in 2022, according to Fortune Business Insights.

Collectively, enterprises spend a king’s ransom many times over on cyber defense. Yet all too many companies and individual employees till lack a full appreciation of the significant risks they, and their organizations, face online. And as a result, many still do not practice essential cyber hygiene.

Perhaps someday in the not-too-distant future that may change. Our hope lies in leveraging machine learning and automation to create very smart and accurate security platforms that can impose resilient protection.

Until we get there – and it may be a decade away — the onus will remain squarely on each organization — and especially on individual employees —  to do the wise thing.

A good start would be to read Mobilizing the C-Suite: Waging War Against Cyberattacks, written by Frank Riccardi, a former privacy and compliance officer from the healthcare sector.

Riccardi engagingly chronicles how company leaders raced down the path of Internet-centric operations, and then cloud-centric operations, paying far too little attention to unintended data security consequences. Here are excerpts of my discussion with Riccardi, edited for clarity and length.

LW: Catastrophic infrastructure and supply chain breaches, not to mention spy balloons and Tik Tok exploits, have grabbed regulators’ attention. How does your main theme of tie in?

Riccardi: My book discusses how the perception of cyberattacks shifted from being mere data breaches to having real-world consequences, especially after high-profile cases in 2021, like Colonial Pipeline and Schreiber Foods.

These attacks sparked public realization that cyber threats can disrupt daily life, leading to anger against corporations, not just cybercriminals, if they failed to implement basic cybersecurity measures. My book emphasizes the heightened responsibility of C-suite leaders, considering the increased public, media, and regulator scrutiny.

LW: You come from the private sector, so you know first-hand how cybersecurity is typically viewed as a cost center and an innovation dampener. Will that have to change?

Riccardi: Absolutely. Cybersecurity shouldn’t be seen as a mere cost but as an existential need. Cyberattacks are increasing, and viewing cybersecurity as a cost center is a dangerous mistake. Companies can leverage cybersecurity as a business enabler and a revenue generator, like Apple and Microsoft.

It’s crucial for companies to perceive cybersecurity as a competitive advantage rather than an innovation dampener.

LW: What must SMBs and mid-market enterprises focus on?

Riccardi:  SMBs face challenges when dealing with cybersecurity implications of software-enabled, cloud-based operations due to financial and skill limitations. Cyber risks from third-party vendors further complicate the situation.

To navigate this, SMBs need to conduct an enterprise risk assessment, implement basic cybersecurity controls, train their workforce, and consider outsourcing cybersecurity to a security-as-a-service provider.

LW: You discuss password management and MFA; how big a bang for the buck is adopting best practices in these areas?

Riccardi:

The law of large numbers favors the bad guys.  A company may have thousands of employees, but it only takes one phished employee for cybercriminals to bring the network to its knees.

Strong passwords can repel a brute force attack, but MFA is the extra layer of protection when a reused password is used in a credential stuffing attack.  And when strong passwords and MFA let you down, encryption can keep sensitive data from being accessed by cybercriminals.

LW: How important is effective cybersecurity awareness training?

Riccardi:

Companies can prevent social engineering attacks by steeping employees in cyber hygiene and warning them about the sneaky ways cybercriminals launch cyberattacks.  Unfortunately, many cybersecurity training initiatives nose-dive because they are too technical for non-geek employees to understand.

Boring check-the-box training leads to poor employee engagement and a workforce asleep at the switch when cybercriminals come knocking.  The way to avoid this is by taking into account the human factor when designing cybersecurity training; this means making training fun and engaging and helping employees understand their roles and responsibilities in cybersecurity.

LW: Given rising compliance, led by President Biden’s cybersecurity initiatives, where do you see things going in the next 2 to 5 years?

Riccardi: In the next 2 to 5 years, I expect strenuous efforts from the Biden administration to partner with private enterprise to beef up cybersecurity across all industries.  I suspect we’ll see a carrot-and-stick approach combining incentives with regulations to cajole SMBs into adopting cyber hygiene best practices, such as MFA.

Executive accountability and liability for cyberattacks will skyrocket as ransomware progresses as a national security threat and front-page news.

SMBs are likely in a jam, as companies without the means and expertise to build a decent cybersecurity program will struggle in this regulatory environment.  However, engaging a SaaS provider may be a cost-effective way for SMBs to obtain a world-class cybersecurity function that meets compliance requirements.

Acohido

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

May 30th, 2023