The Hidden Cyber Risk No One Is Talking About

Is Compliance on Your Radar?

In today’s rapidly evolving digital landscape, cybersecurity is a paramount concern for businesses of all sizes. Vince Fung, founder and CEO of Expera Information Technology, recently delivered a compelling webinar titled “The Hidden Cyber Risk That Nobody’s Talking About.” This blog recaps the key themes and insights from the webinar, providing CFOs with actionable strategies to safeguard their organizations.

Vince began the webinar by emphasizing the critical importance of cybersecurity for modern businesses. He highlighted that while many companies focus on protecting tangible assets like cash and equipment, intellectual property and data are equally valuable and vulnerable to cyber threats. “Your data, trade secrets, and intellectual property are incredibly valuable, and hackers are going after all of these things,” Vince stated.

One of the central themes of the webinar was the identification of hidden cyber risks that are often overlooked. Vince explained that while businesses are aware of threats like ransomware and data breaches, the biggest risk might not come directly from hackers. Instead, it could stem from losing major customers due to cybersecurity vulnerabilities and compliance issues. “What if the biggest risk isn’t directly from the hackers?” Vince asked, urging attendees to consider the broader implications of cybersecurity.


Building Trust with Customers and Maintaining Key Contracts

Vince shared a startling insight: “What if your biggest customers started calling you up one by one and canceling their contracts?”

Over the past few years, Vince noted, the cybersecurity questionnaires our clients are receiving from vendors have become increasingly detailed. These questionnaires, sometimes spanning 30-40 pages, assess a wide range of security controls and insurance requirements. Vince stressed that failing to meet these standards could result in losing valuable contracts. “The ones that we’re seeing today are sometimes 30-40 pages long, with up to 300-400 questions asking about all kinds of security controls,” Vince explained.

He elaborated that even if a company has not experienced a cyber attack yet, if they can’t prove a high degree of cyber maturity, customers might still perceive it as a risk and choose to sever ties. This underscores the importance of maintaining robust cybersecurity measures and demonstrating compliance to reassure clients. “Customers are probably the most valuable part of your business, and it’s the biggest customers that we’re starting to see doing this,” Vince emphasized.


Case Studies: Real-World Impacts

Vince illustrated why large organizations are increasingly focused on ensuring security, compliance, and cyber maturity throughout their entire supply chain, using several case studies in which major organizations were impacted by an issue with one of their vendors:

  • Home Depot Breach: This breach exposed millions of customer records, including credit card details and addresses. “It was actually Home Depot’s supply chain that allowed the threat actors to get onto their network and launch this attack,” Vince noted.
  • SolarWinds Attack: A sophisticated attack where malware was injected into widely-used software. “This allowed threat actors to get into the US Department of Defense and many Fortune 500 companies,” Vince highlighted.
  • CrowdStrike Incident: A flaw in CrowdStrike’s code took down companies globally. “A flaw in their code took down airlines, hospitals, and organizations all over the world,” Vince explained.

These examples highlight the interconnected nature of cybersecurity and the importance of securing every link in the supply chain.


Compliance and Security Frameworks

To address these risks, Vince explained several security frameworks:

  • Cybersecure Canada: Basic controls that are relatively easy to implement, suitable for organizations looking for a straightforward starting point. “Compared to some of the legislation in the US, to get Cybersecure Canada is actually really easy,” Vince mentioned.
  • ISO 27001: Ideal for the manufacturing industry due to its process-heavy nature and extensive documentation requirements. “ISO 27001 is very useful if you’re in the manufacturing industry,” Vince noted.
  • NIST 800-53: A robust set of security controls recognized globally, suitable for organizations seeking comprehensive protection. “This set of standards has a lot of policy requirements, procedure requirements, and security control requirements,” Vince explained.
  • PCI DSS: Essential for organizations processing credit cards, requiring strict adherence to security controls to prevent data breaches and financial losses. “You have to have all of these controls in place to be PCI DSS compliant,” Vince stressed.
  • CIS Version 8.1: A flexible framework with 18 control groups and three implementation groups, allowing organizations to stage the implementation of controls based on their maturity level. “CIS Version 8.1 is actually a pretty good standard to start with,” Vince said.

Consequences of Noncompliance

Vince emphasized the potential consequences of noncompliance with cybersecurity standards:

  • Financial Penalties: Noncompliance can lead to substantial fines and financial losses. “If you don’t have the right controls in place, you won’t be able to renew your insurance policies,” Vince warned.
  • Legal Consequences: Organizations may face lawsuits and legal actions, consuming time and resources. “You could be in violation of multiple non-disclosure agreements,” Vince noted.
  • Increased Risk of Data Breaches: Ignoring compliance standards leaves businesses vulnerable to cyberattacks, compromising customer data and leading to operational disruptions. “If you get hit with a ransomware attack and you’re down for 72 hours, how much would that cost your business?” Vince asked.
  • Loss of Customer Trust: As mentioned above, breaches resulting from noncompliance, or even the risk of such a thing happening, can erode customer trust and lead to lost business. “Customers are walking away because the risk is too high,” Vince emphasized.


4 Additional Reasons Why Businesses Should Address Compliance Proactively

“And sometimes the question I ask when I speak to business leaders is, hey, nobody’s asking us to be compliant today. Why don’t we just wait until they tell us to be compliant?” Vince said. Below are four reasons, outlined in the webinar, why businesses should address compliance well before their vendors send them a questionnaire or a new law is passed.


For Insurability Purposes

Vince highlighted the critical role of cyber insurance in mitigating the financial impact of cyber incidents, but stressed that businesses must complete their applications truthfully and have the required security and compliance measures in place. He shared an example of an organization that suffered a breach and claimed on its policy; because it had failed to follow the cybersecurity best practices the policy required, the insurer revoked the payment and retroactively terminated the policy for noncompliance with its security controls. “They discovered that multi-factor authentication wasn’t turned on for all users, and the insurance company wanted their $1.2 million back,” Vince explained. This underscores the importance of having the right insurance coverage and ensuring compliance with policy requirements.


To Minimize Risk and Liability

To emphasize this point, Vince used the example of an airline: no one verifies that each flight crew completes the safety checklists before takeoff, yet those checklists are essential to ongoing safety, and if an accident happened, one of the first things investigated would be whether the crew had followed them. Even if the issue turned out to be unrelated to the checklist, an inability to produce that evidence and demonstrate compliance with safety practices would point to serious negligence.

“…even though some of these things might seem like they’re redundant or very simple or can be easily overlooked and don’t really matter, compliance matters when something actually bad happens,” elaborated Vince. “And the thing that business leaders need to think about is (…) it’s actually liability that you’re actually considering. Like, how do you actually minimize liability if and when something bad happens? Because as you’ve probably heard from many security professionals, it’s not a matter of if but when something bad is going to happen. And if you need to make an insurance claim, or you cause damage to one of your clients, or you disrupt the supply chain, they’re going to come back and they’re going to say, well, show us that you weren’t actually being negligent.”


To Be Fully Prepared

The landscape is clearly shifting, with customers placing increasing emphasis on compliance, and it is better to get ahead of it than to be caught behind if your customers or regulations move faster than you expected. “The tricky thing about compliance is it’s not something that you can get overnight,” Vince noted. “If one of your clients actually said, hey, I want you to get SOC2 type 2 by next week, and if you don’t, we’re going to cancel your contracts, that is simply not possible. The whole process of actually getting SOC2 and having the audit is typically at least a 12 to 18 month process, because compliance actually requires putting in place things like policies, procedures, security controls and tools to ensure that your policies and procedures can actually be followed. And compliance, most importantly, isn’t just about having that stuff in place, but it’s about proving that that stuff is in place over a period of time.”


To Stay Competitive

“Most organizations today are not actually meeting hardly any of these compliance requirements,” says Vince. “So this is actually a competitive edge that you could actually have for your organization.” Vince continued, addressing the scenario above, where a customer requires its vendors to obtain SOC2 type 2 compliance on short notice. If that customer’s existing vendor can’t meet those requirements, the organization that already has it will be ahead of the game. “So having a SOC2 type 2 report actually puts you at the forefront because you can actually showcase a very high level of security maturity compared to some of your competitors who don’t have the money to invest in actually getting that type of security compliance.”


5 Practical Steps for Business Leaders

In the rest of the webinar, Vince explained concrete steps that businesses can take in the process of becoming compliant. One thing we want our readers to note is that the required steps and advice can vary heavily from business to business and region to region; while the information outlined here is a guide, you should work with experts when rolling out any sort of compliance initiative to ensure everything is correctly addressed.

Conduct Regular Risk Assessments

Vince stressed the importance of regular risk assessments to identify and prioritize potential threats. He explained that risk assessments help businesses understand which risks are the highest and require immediate attention, and which can be deferred or accepted as part of doing business. “Risk assessment is a critical component of what you actually do as a business,” Vince noted.

Implement Incident Response Plans

An incident response plan is crucial for minimizing disruption during a cyber incident. Vince highlighted that these plans should be comprehensive and include specific actions for different scenarios. He emphasized the importance of practicing these plans through tabletop exercises to ensure everyone knows their roles and responsibilities. “The worst time to figure out what you need to do is actually when an incident happens,” Vince warned.

Perform Pen Testing

Penetration testing is essential for identifying vulnerabilities in your systems. Vince advised conducting these tests annually to ensure your defenses are robust and up to date, and noted that penetration testing is often required by insurance policies and security standards. “Penetration testing is a key aspect of being compliant with different security frameworks,” Vince explained.

Maintain Evidence of Compliance

Vince explained that maintaining evidence of compliance is critical for passing audits and supporting insurance claims. He recommended collecting regular reports and evidence to demonstrate that security controls are in place and functioning correctly. This proactive approach simplifies the audit process and ensures you can prove compliance when needed. “Collecting evidence on a regular basis may seem cumbersome, but it’s essential for passing audits,” Vince emphasized.

Consider the Role of a Chief Security Officer

Vince discussed the role of a Chief Security Officer (CSO) in maintaining cybersecurity standards. He explained that while a full-time CSO might not be necessary for smaller organizations, a fractional CSO service (often called a Virtual Chief Security Officer, or vCSO) can provide the expertise and oversight needed to stay compliant and secure. “A chief security officer is all about meeting compliance requirements, keeping you secure, and staying on top of the latest threats,” Vince stated.


Take the Next Steps

Cybersecurity is a complex and ever-evolving field, but with the right strategies and frameworks, businesses can protect their assets and maintain customer trust. We hope that our webinar provides an effective roadmap for CFOs looking to navigate the hidden cyber risks and ensure their organizations are secure and compliant.

1. Get a quick snapshot of what is required to keep your business protected with our Cybersecurity Checklist. Download it now and take proactive steps to safeguard your organization.

2. If you’re looking for a more in-depth look at your security posture, including what a hacker would have access to in the event of a breach, book a risk assessment with our team.

Get in touch with our team to gain a deeper understanding of the hidden cyber risks facing your business.