CDSA

M&E Journal: Security Is the Future of Business Growth

Since the 1990s, computers have been a requirement for a business to grow and become more effective and efficient. Since the early 2000s, organizations NEEDED a website to drive growth. From 2010 on, social media drove growth in organizations, and those that ignored it failed.

Fast forward to today, where the average cost of a breach is roughly $9 million in the U.S. Security is quickly changing from an expense against the bottom line to an enabler of future growth; it is now becoming a core function for maintaining trust in the modern business world.

The modern business needs to plan for security on two fronts: the consumer side and the business-to-business (B2B) side. Although it can be argued that today's consumers might be less security savvy, given the sheer amount of spam opened, malicious apps installed, and the success of phishing efforts, they still look for certain indications of security when buying online.

Consumers identify retailers they feel they can trust and reuse them.

Consumer trust is a combination of pricing/value, security of information, and confidence that if there are any issues the retailer will take care of them. These are the same things that B2B relationships are looking for: value for the money, security of any information, and confidence that any security issues will be handled quickly and properly.

Failure to build the right trust or a violation of one of these three items breaks that trust and impacts the revenue of the business in question.

Take the highly publicized breaches by Lapsus$. The entry point for these attacks was often a trusted third-party vendor.

Both the vendor and the target missed the compromise of a user account, which allowed the Lapsus$ hacking group to gain access to company data.

The data in question may or may not have been used for follow-on operations against other companies, but it was almost always talked about publicly by the Lapsus$ group, impacting trust for all involved.

These situations were made possible by not having the proper security tools, controls, and policies in place to detect and quickly resolve an account compromise.

The Lapsus$ attacks are a great example of how a lack of proper security can have a cascading effect on a business. They also highlight the need to shift from security awareness to security culture. The typical internal phishing campaigns and annual security awareness trainings are just not enough anymore.

This process has lost its luster as many employees just view it as a waste of their time and tend to get little to no value out of it.

Instead, the concept of security needs to be ingrained not only as part of the business culture but also as part of normal day-to-day activities.

Remember, you are also having to get rid of bad personal habits now. Most people have their own personal computers, smart devices, etc., where security is approached with a view of "it won't happen to me." How they use those devices will translate to what they do at work, especially when it comes to mobile devices (the largest ignored BYOD segment).

Getting them to start questioning why an app needs the permissions it is asking for and why they would be getting a particular email (and looking for what is out of place), and knowing what to do when they get a multi-factor authentication request they did not generate, has to become a reflex and not just something they answer properly on a test once a year.

Having this type of culture is not easy and it takes buy-in from the top down; everyone must be involved.

Security tools and the proper security culture, once implemented, can be marketed in the same way safety features are on a vehicle or business certifications are.

They build a level of consumer trust (whether B2C or B2B) that can give you an edge over your competitors. This is not to say that there is a need for a new certification or audit program to get another stamp on your website.

This is more of a holistic approach. Once you build security into the basic framework of your business, it can be leveraged as a tool to garner trust and increase your revenue (regardless of what you are securing).

It is one of those items that can be brought up during new client communications and that you would expect to find in the "about us" section of your website and the methodology portion of any proposals you put together.

It lives there because it is part of who you are as a company and how you function as a business.

The overall effect of properly implemented and maintained security, when combined with a core security culture, is significant. You end up not only reducing risks to your organization (and your customers), but also increasing market trust and your ability to sell not only your services, but also the safety and confidence in their adoption.

* By Michael Nouguier, Chief Information Security Officer, Director, Cybersecurity Services, Richey May *

=============================================

Click here to download the entire Winter 2022 M&E Journal