If you haven’t noticed lately, risk management is going through a global transformation wherever you look!
The COSO ERM framework is being revised with a new tagline, Enterprise Risk Management – Aligning Risk with Strategy and Performance. Dennis Chesley, PwC’s Global Risk Consulting leader and lead partner for the COSO ERM effort, recently stated, “Enterprise risk management has evolved significantly since 2004 and stands at the verge of providing significant value as organizations pursue value in a complex and uncertain environment.” Chesley goes on to state, “This update establishes the relationship between risk and strategy, positions risk in the context of an organization’s performance and helps organizations anticipate so they can get ahead of risk and embrace a mindset of resilience.”
Additionally, the ISO 31000:2009 risk framework is being revised. “The revision of ISO 31000:2009, Risk Management – Principles and Guidelines, has moved one step further to Draft International Standard (DIS) stage, where the draft is now available for public comment,” according to the International Organization for Standardization’s website. As explained by Jason Brown, Chair of ISO’s technical committee ISO/TC 262, Risk Management, “The message our group would like to pass on to the reader of the Draft International Standard is to critically assess if the current draft can provide the guidance required while remaining relevant to all organizations in all countries. It is important to keep in mind that we are not drafting an American or European standard, a public or financial services standard, but much rather a generic International Standard.”
This post is short and sweet, but very important. Most of us are drawn to new tech toys, but at the same time, we resist change. We want the latest and greatest, and yet a part of us resists the added security responsibility that comes with new technology. This is something we need to be very aware of in the cybersecurity sphere.
The shiny, new rules are basic: If you installed it, update it. Keep your software up-to-date so that vulnerabilities the vendor has already patched are also patched in your environment.
If a topic is presented to you online that you did not specifically search for, ignore it. Cyber criminals create targeted topics to lure you down a path to malware.
If it’s too old for the owner/manufacturer to update it, it’s too old for you.
Use the principle of shiny and new to your advantage; update and change your passwords, security questions and other features of identity-proofing frequently.
Interested in learning more? Download our new brief The Common Sense Approach to Cybersecurity.
If you’ve been following my research, you know I like to divide the business world into three categories of company:
- Digital Predators successfully use emerging digital technologies to gain market share and/or displace traditional incumbent companies (e.g., Amazon, Lyft, Priceline, Airbnb, Netflix).
- Digital Transformers evolve a traditional business to take advantage of emerging technologies, creating new sources of value for customers and opening up new competitive strategies (e.g., Burberry, Nestlé, L’Oréal, Unilever, USAA, Ford, Delta).
- Digital Dinosaurs struggle to leave behind their old business model. These companies are typically slow to change because they must defend large P&Ls, or they have a near monopoly position, or they simply don’t see the opportunity/threat (e.g., many retailers, taxi companies, manufacturing firms, legal firms, recruiters, construction firms).
Cloud services are becoming the core of the infrastructure for many companies. Enterprises should give security the highest priority and move away from the approaches typical of physical infrastructures, which are often insufficient when business requirements change constantly. Although cloud providers do all they can to guarantee infrastructure reliability, some of them limit their services to standard security measures, which can and should be significantly expanded.
Typical Cloud Information Security Threats
According to the Cloud Security Alliance, the list of the main cloud security threats includes the following:
Ransomware has experienced a meteoric rise over the last two years, and I contend that it is due for a meteoric fall. Here’s why: As unlikely as it may seem, ransomware relies solely upon trust.
Many of the criminals behind ransomware appear to have an “honor among thieves” mindset. There have been countless “successful” transactions where an organization or individual has paid the ransom and been given the private key to unlock their captured data. I have even read of situations where the group that created the ransomware had an informal helpdesk that walked victims through the process of paying the ransom, primarily in Bitcoin. Bitcoin is the preferred method of payment because it is a digital-only currency and is nearly untraceable, since it does not link to a bank account. After getting paid, this criminal helpdesk then assisted their victims with decrypting their data. Unheard of, right? This is where the idea of ransomware gets a little crazy: A victim must place their trust in a criminal, and in many cases, that trust pays off. Often, after paying the ransom, data is restored and each party goes their separate ways.
So here you have this perfect criminal balancing act. Someone’s data gets encrypted, they pay a fee, their data gets decrypted. As long as the victim upholds their end of the bargain (namely giving a criminal a Bitcoin), the criminal gives the victim a private key to unlock their files. Easy money for a criminal, right? Because it appears to be that easy, many are jumping on the bandwagon. This misguided perception of easy money will prove to be the beginning of the end for ransomware.