×
Blogs

Through the GRC Lens: March 2019

blog
3 min read

Introduction

Google runs into trouble yet again with regulators in the EU, the SEC accuses Volkswagen of carrying out “a massive fraud,” and the FTC launches an inquiry into the privacy practices of large internet service providers — see March 2019 through the GRC lens.

Google Is Fined $1.7 Billion in the EU for Antitrust Violations

Google ran into fresh trouble with European regulators over its unfair advertising rules and was fined $1.7 billion in March, bringing the total cost of penalties incurred by the search giant in the continent to over $9 billion.

The latest enforcement action from the European Union (EU) relates to the unfair terms that the Silicon Valley titan imposed on companies that used its search bar on their websites in Europe, reported The New York Times.

According to The Guardian, the terms of the Google contract stopped publishers from placing search ads from the tech giant’s competitors on their results pages, and forced them to reserve the most profitable spaces for Google’s own ads. The contract also required companies to seek a written approval before making changes to how rival ads were displayed.

Volkswagen Is Accused of Large-Scale Fraud by the SEC

The US Securities and Exchange Commission (SEC) filed a lawsuit last month accusing the German carmaker and its former CEO, Martin Winterkorn, of defrauding American investors in the emissions test scandal that engulfed the company four years ago.

The lawsuit alleged that the company made misleading claims about its financial health and the environmental impact of its technology in order to sell securities to investors at inflated prices, reported CNN.

The German carmaker admitted in 2015 to cheating on emission tests with the use of special software in its vehicles and paid a hefty price of $33 billion in fines and other penalties.

The FTC Will Look into the Privacy Practices of Broadband Providers

In a surprise move last month, the Federal Trade Commission (FTC) announced that it would look into the privacy practices of large internet service providers (ISPs) such as AT&T, Verizon, T-Mobile, and others.

According to The Verge, the watchdog has asked broadband providers to share details about the kind of customer data they collect and the reason for doing so. The FTC was also said to be interested in knowing whether the data was shared with third parties, and if consumers could opt out of the data collection. 

The announcement of the inquiry into ISPs comes as privacy advocates raise concerns over the companies’ data collection practices that could lead to a new form of targeted advertising, similar to that of Facebook and Google.

The Perspective

Massive fines and other regulatory actions making headlines every other day only go to show that companies still seem to be floundering in their efforts to cope with heightened regulatory scrutiny targeted at their business practices.

Silicon Valley giants such as Google currently face a reckoning over their anti-trust practices in the EU which has established itself as an aggressive tech watchdog, influencing regulatory polices around the world. Meanwhile, the Volkswagen scandal is another reminder of the far-reaching consequences of compliance violations that could threaten a company’s brand reputation and market capitalization.

As privacy concerns escalate, the FTC’s move against broadband companies is only the beginning of a new era of intensifying scrutiny of data collection practices across industries.

Admin_avatar_1498731489

BLOG ADMIN

Read more about the latest happenings in the GRC universe. MetricStream experts share their valuable insights on how organizations can turn risk into a strategic advantage and thrive on risk.

 
Blogs

Through the GRC Lens: 2018 — A Year in Review

blog-banner-jan
5 min read

A litany of disruptions and corporate scandals in 2018 showed that while making profits, organizations will be held responsible for their actions in an increasing shift towards more ethical business practices

Last year did not turn out to be great for businesses: there were mounting data privacy concerns around the globe; cyberattacks continued to hobble cities and disrupt business operations in the US; and Brexit uncertainty left UK industries worried. Meanwhile, shocking bank and corporate scandals sparked renewed regulatory interest in Europe, India, and Japan.

Amidst these larger issues, several new laws and regulations came into effect, adding to the complexity of an already challenging business landscape.

With so much that happened over the past year, here are some of the events and stories that stood out:

1. Marriott’s Colossal Data Breach

The hotel chain’s disclosure of a massive data breach in November, which revealed the personal details of hundreds of millions of guests, saw the company’s stock price plummet by 5.6%. The security incident, reportedly perpetrated by state-sponsored Chinese hackers, made its way onto the list of the largest ever data breaches in history, coming second only to Yahoo’s 2013 incident where the personal information of 3 billion users was stolen.

As more details of the incident emerged, original estimates of its impact were revised:  Marriott said that it had identified “approximately 383 million records as the upper limit” for the total number of people affected by the breach. However, the revised figure was still greater than that of the 2017 attack on Equifax, the consumer credit reporting agency, in which the driver’s license and Social Security numbers of roughly 145.5 million Americans were compromised.

Marriott’s breach revealed sensitive information such as the passport details of its guests which the company later admitted were unencrypted, making them an easy target for hackers.

Due to strict data privacy laws such as the European Union’s (EU’s) General Data Protection Regulation (GDPR) — which also applies to organizations located outside of the EU if they handle the personal information of EU citizens — Marriott could reportedly face a fine of up to $990 million in the region.

2. Danske Bank’s $227 Billion Money Laundering Scandal

Denmark’s largest lender and one of Europe’s most prestigious banks, Danske Bank, made headlines in 2018 when it found itself in the middle of one of the world’s biggest money laundering scandals. The issue involved over $227 billion in suspicious payments flowing through the bank’s Estonian branch. And the reason? A string of governance failures dating all the way back to 2007.

As news of the money laundering scandal made landfall, the bank’s shares fell as much as 11% and its market value dropped by about 40%, making it the worst performer in the Bloomberg index of European financial stocks. The incident reportedly scared off investors who were upset that a scandal of such magnitude could take place under the management’s watch.

The bank’s woes were not over yet as regulators in Denmark and the US announced that they were investigating the lender. As investigators tried to get to the bottom of the massive scandal, numerous arrests were made. According to some estimates, Danske Bank could face fines as high as $8 billion.

3. Wells Fargo’s Whopping $2.09 Billion Fine

Misdeeds over a decade ago that eventually contributed to the financial crisis came back to haunt Wells Fargo as regulators came down hard on the bank in 2018.

The lender had allegedly issued mortgage loans that it knew were based on incorrect income details, causing investors, including federally-insured financial institutions, to lose billions of dollars from investing in mortgage-backed securities that contained Wells Fargo loans. To settle these claims, the bank agreed to pay a massive fine of $2.09 billion.

Earlier the bank was fined $1 billion for insurance and mortgage abuses for charging as many as 570,000 clients for car insurance they didn’t need.

Not surprisingly, the bank’s earnings and reputation were affected as it tried to rein in its “reckless, unsafe, and unsound practices.”

4. Silicon Valley’s Trial by Fire

In a year of rising geopolitical risks, the usually high-flying tech hub was forced to defend its policies and practices as it fell out of favor with regulators and even employees over its handling of issues ranging from data privacy, sexual harassment, and election interference to its plans to bow to censorship demands from foreign governments.

From the trial by fire that ensued, few Silicon Valley giants escaped unscathed: Facebook’s Cambridge-Analytica fiasco sent the company’s stocks tumbling and wiped out more than $119 billion off its market cap. The company was also fined $645,000 in the UK for failing to protect the data of UK citizens and $11 million in Italy over data misuse. The social media giant’s year of woes continued as it disclosed the largest ever data breach in its 14-year history and faced intense scrutiny from regulators around the world over its alleged role in election interference and in fueling violence.

Google was found guilty of violating anti-trust laws in the EU and was fined a record $5 billion. Employee activism at Google also threw a wrench into many of the company’s future plans — a bid for a Pentagon AI defense project and a decision to introduce a censored search engine in China were thwarted by employees who did not want the tech giant to stray from its ideals. Employees also staged protests from Google offices around the world and forced the company to revise its policy on sexual harassment after reports emerged that the company had protected male senior executives against credible allegations of sexual harassment.

Uber had its fair share of troubles as it struggled to win over regulators in London — its most lucrative European market — after they cancelled its license to operate in the region.

Reflections

Businesses paid a heavy price for non-compliance, both in terms of fines as well as reputational loss. Hopefully, organizations will take note of the lessons learnt from these episodes — that the cost of non-compliance far outweighs the cost of compliance, and that there are financial benefits to investing in thorough due diligence programs.

Here’s to a brighter, more compliant 2019.

Admin_avatar_1498731489

BLOG ADMIN

Read more about the latest happenings in the GRC universe. MetricStream experts share their valuable insights on how organizations can turn risk into a strategic advantage and thrive on risk.

 
Blogs

Through the GRC Lens: November

blog-banner-dec
3 min read

Introduction

Marriott’s massive data breach, Nissan chairman Carlos Ghosn’s arrest, and the CEO exit of Walmart’s India acquisition — here’s a round-up of November’s top GRC news headlines.

Marriott Discloses One of the Biggest Data Breaches in History

November saw yet another data breach. This time, it was the hospitality industry that fell victim to hackers — Reuters reported that a data breach at one of Marriott International’s M&A ventures, Starwood properties, may have exposed the personal details of up to 500 million guests.

The colossal breach — second only to Yahoo’s 2013 incident that saw the personal information of three billion users stolen — included sensitive details such as passport numbers and payment-card numbers in addition to addresses and travel details, reported the Journal.

In an investigative report from the Journal, security experts weighed in on the data breach  saying that Marriott could have done more to investigate a 2015 incident to find hackers that lurked in their systems.

Unsurprisingly, Marriott will face scrutiny from regulators around the world. A fine in Europe may be likely with the European Union’s tough new data protection law, GDPR.

Nissan’s Chairman Carlos Ghosn Is Arrested in Japan for Under-reporting His Earnings

In a shocking downfall for one of the automotive industry’s most powerful and admired leaders, Nissan’s chairman Carlos Ghosn was arrested in Japan on allegations of under-reporting his earnings for several years. Mr. Ghosn was widely hailed as Nissan’s savior when he rescued the company from near-bankruptcy and created the Renault-Nissan-Mitsubishi alliance, making it effectively the world’s largest carmaker. Reports suggest that Mr. Ghosn may have violated Japanese securities law by deferring compensation.

The incident has sent shockwaves rippling through an industry that is facing an economic downturn, a global trade war, and the shift to electric cars. Mr. Ghosn’s arrest also comes at a time when executive pay is being questioned by the public and regulators.

CEO of Walmart’s Big Bet in India Resigns Over Allegations of Sexual Misconduct

The chief executive of Flipkart, Walmart’s latest acquisition, stepped down in November following an internal probe into allegations of “serious personal misconduct”.

Coming along the heels of the departure of Flipkart’s other founder, Sachin Bansal, from the company, the news of Binny Bansal’s exit took many by surprise.  The Wall Street Journal reported that Walmart opened an investigation into Mr. Bansal’s conduct after a former employee came forward with claims that he had sexually assaulted her in 2016.

The incident was also apparently not disclosed by Mr. Bansal during the negotiations to sell Flipkart to Walmart. Though Walmart’s internal investigation did not find any evidence to corroborate the complaint against Mr. Bansal, it is said to have revealed poor judgement calls from the former CEO that included the hiring of two private security firms at the end of 2016, “to make this matter go away.”

November’s Takeaways

Despite scandals such as Facebook’s Cambridge Analytica, organizations seem to be left wanting in their detection and response time to data privacy issues. The Marriott incident is the latest in a spate of cyberattacks to hit businesses after the British Airways hack and goes to show that no industry is safe from bad actors looking to steal personal information.

The Carlos Ghosn incident highlights the need for thorough due diligence and compliance programs that can help ensure both adequate awareness of local laws and regulations, as well as adherence to them.

And in the light of movements such as #MeToo and Time’s Up, Walmart’s episode with Flipkart’s CEO is another reminder that for corporate leaders, the line between their private and professional lives is often blurry, and they can be held accountable for their actions in both.

Admin_avatar_1498731489

BLOG ADMIN

Read more about the latest happenings in the GRC universe. MetricStream experts share their valuable insights on how organizations can turn risk into a strategic advantage and thrive on risk.

 
Blogs

Through the GRC Lens: October

blog-october
3 min read

Introduction

Google’s failure to disclose a data breach, California’s tough new laws on corporate governance and net neutrality, and Silicon Valley’s #MeToo — here’s a round-up of October’s top GRC news headlines.

Google Fails to Disclose a Data Breach

At the height of Facebook’s Cambridge Analytica scandal, when the social media giant faced widespread backlash for its misuse of personal data, another Silicon Valley giant found that it had inadvertently exposed the private data of hundreds of thousands of users through its relatively lesser known social network.

Fearing that the disclosure of such a breach would immediately invoke comparisons to Facebook’s disastrous liaison with Cambridge Analytica, and prompt scrutiny from regulators, the tech giant instead chose to quietly fix the issue.

But things didn’t quite go as planned: a damning report by The Wall Street Journal in October revealed that a software glitch in Google’s social network, Google+, gave developers access to the personal data of nearly half a million users, including full names, email addresses, birth dates, gender, profile photos, places lived, occupation, and relationship status. The report also mentions an internal memo from Google which talked about the possible repercussions that the company would face if the breach was disclosed.

Following the revelation, Google announced a host of privacy reforms which also involved the shutdown of the consumer version of Google+.

Though Google said that it found no evidence that users’ personal data was misused in the Google+ glitch, even going into details in its blog post, the incident raises questions about how transparent the tech giant was in handling the entire episode.

California Forges Ahead with Tough New Laws on Corporate Governance and Net Neutrality

In a seeming reversal of the trend of deregulation, California signed two new bills into law on corporate governance and net neutrality, setting an important precedent for the country.

According to The New York Times, the new law on corporate governance requires all publicly held companies headquartered in California to have at least one woman on their boards by the end of 2019 and a minimum of two or three women (depending on the size of their boards) by 2021. The Los Angeles Times reported that companies that fail to comply will face fines of $100,000 for a first violation and $300,000 for a second or subsequent violation.

The law on net neutrality affecting the telecom industry requires internet providers to maintain a level playing field, and bans the practice of prioritizing some sites and services over others. However, a recent report in The Washington Post suggests that this law may be temporarily on hold.

The new laws come after the Golden State adopted another law on data privacy, keeping up with the European Union’s (EU’s) tough new data protection regulation, GDPR.

Silicon Valley Grapples with #MeToo

Fresh on the heels of its data breach, Google found itself in the midst of another controversy. An article appeared in The New York Times detailing how the tech giant protected male senior executives against claims of sexual harassment while paying them millions in exit packages and keeping quiet about the allegations. One of these executives was Andy Rubin, the creator of the now famous Android software.

Unsurprisingly, the news did not sit well with Google employees who staged coordinated walk-outs from Google offices around the world to protest the company’s perceived leniency towards sexual harassment, igniting an internal #MeToo movement.

Speaking at The New York Times DealBook conference, Google’s CEO, Sundar Pichai, apologized, saying that “moments like this show we didn’t always do it right.”

Meanwhile, Reuters reported that Uber’s top deal maker, Cameron Poetzscher, resigned after allegations of prior sexual misconduct against him were revealed, sparking a fresh debate on how Silicon Valley giants handle sexual harassment allegations from women.

The Low-Down

Ever since Facebook’s Cambridge Analytica scandal, companies around the world have been wary of intense scrutiny around data privacy issues. Google’s handling of the incident with its social network, and the resulting reputational impact show that being proactive and transparent with customers and regulators is a better road for businesses to take when faced with a security incident.

Silicon Valley’s #MeToo movement also shines an uncomfortable spotlight on the governance practices of tech giants. It shows how legacy corporate governance practices such as “handling things quietly” will be called into question as the cultural zeitgeist shifts towards more ethical business practices.

And while regulations will continue to drive corporate governance to a large extent, employee and customer activism will become an equally important driver of change.

Admin_avatar_1498731489

BLOG ADMIN

Read more about the latest happenings in the GRC universe. MetricStream experts share their valuable insights on how organizations can turn risk into a strategic advantage and thrive on risk.

 
Blogs

Growing Data Privacy Concerns, Continued Cyber-Attacks, and the Failure of Audits to Detect Frauds: Q1 of 2018 Ends on a Less-Than-Savory Note

blog
3 min read

Introduction

With a major data privacy scandal involving Facebook, a crippling ransomware attack on the City of Atlanta in the US, and a $2 billion fraud at Punjab National Bank in India, we take a look at some of the biggest news stories that have dominated the GRC space in the first few months of 2018.

The Data Privacy Conundrum: Facebook and Cambridge Analytica

Mark Zuckerberg, Facebook’s CEO, recently testified before Congress on the alleged harvesting of personal data by Cambridge Analytica – a third-party data analytics firm – to influence the 2016 US elections.

The scandal, which reports say involved the personal data of more than 70 million Americans, has led to a public outcry, prompted #deletefacebook, and shaved off over $80 billion from the company’s stock value since the incident was uncovered. The social media giant may also be at risk of hefty fines for possibly violating an FTC privacy deal.

With public trust in Facebook diminishing, the company has had to postpone the launch of its smart speaker for a “better time.”

Atlanta Cybersecurity Incident: Cyber-Attacks Continue to Grow More Potent

After WannaCry and NotPetya last year, cyber-attacks have intensified – this time, it was the City of Atlanta in the US that was the victim. The attackers, who reportedly hobbled several internal and public services, demanded a ransom payment in bitcoins in exchange for unlocking systems. The incident was serious enough for the FBI to get involved in the investigation.

According to a New York Times report, the attack has unnerved security experts. One security intelligence analyst noted that attackers are constantly learning from their mistakes, and evolving their code before launching the next assault. With growing concerns around these issues, it isn’t surprising that the US has devoted $380 million of its spending bill to election cybersecurity.

$2 Billion Punjab National Bank Fraud in India

The news of how one of India’s richest men, who until recently was on Forbes’ billionaire list, defrauded the country’s second largest state-run bank of over $2 billion, sent shockwaves across the Indian banking sector. Nirav Modi, a diamond jeweler, and his uncle, Mehul Choksi, reportedly colluded with Punjab National Bank (PNB) officials to get credit through fraudulently issued papers. But how did one of the largest frauds in recent banking history in India go undetected for over 6 years?

As the story unfolded, reports emerged of how auditors failed to detect the scam for a long time with multiple audits failing to raise an alarm. The fall-out of the scam has led to the creation of the National Financial Reporting Authority (NFRA), a new watchdog for the auditing profession with sweeping powers to act against erring auditors or auditing firms.

What Do They Mean for GRC?

A massive breach of trust at one of the biggest names in Silicon Valley, also a reputed social media giant, has led to public outrage, and highlighted yet again the importance of better controls for data privacy and data protection. As concerns grow over the use of personal data by companies, there are calls for more extensive data privacy laws. Europe appears to be leading the way with the General Data Protection Regulation (GDPR), but it remains to be seen if the US will follow suit.

With cyber-attacks continuing to exploit system vulnerabilities, holding governments ransom, and threatening to override democracy, there will be a renewed focus on cybersecurity and the protection of critical systems.

Meanwhile, in emerging Asian markets such as India, recently plagued by scandals and scams, we are likely to see the beginning a new era of not just regulations, but also of increased scrutiny and enforcement.

Admin_avatar_1498731489

BLOG ADMIN

Read more about the latest happenings in the GRC universe. MetricStream experts share their valuable insights on how organizations can turn risk into a strategic advantage and thrive on risk.

 
Blogs

The vicious cyclone of emerging risks – My big ‘aha!’ from OpRisk North America

Blog Image
3 min read

Introduction

The OpRisk North America conference was disrupted by an operational risk — a late season snow storm that has snarled transportation and complicated travel plans in the mid-Atlantic and Northeast, but most attendees and speakers chose to go forward, and I’m glad they did since conference has given me a big ‘aha’ on emerging risks.

Cyber risks and cyber compliance

In almost every session presenters and the audience have cyber risks as the dominant operational risks.  While for years, GRC experts have highlighted that with the increasing dependence of business models on digital technologies, cyber risks and cybersecurity strategies would become a critical element of strategic business planning.  Well, now those forecasts by experts have proven out, and chief risk officers are incorporating cyber risks into their risk management strategies.

Cyber compliance is also emerging as a critical discipline of overall enterprise compliance management.  From a regulatory standpoint, with the emergence of digital business models, businesses are also grappling with increased oversight from regulators.  Almost all U.S. states have data breach notification laws.  The first state to regulate data breach reporting was California which requires notification of consumers for any breach that affects more than 500 customers.  Maryland requires notification if even just one customer is affected.  The U.S. SEC was an early mover, requiring that public companies report material cybersecurity incidents.

These new rules at federal and state levels have led to greater transparency of cybersecurity.  Now, broader, more encompassing state-level cybersecurity laws are rolling out.  New York was the first mover in 2017 with the Department of Financial Services Cybersecurity Regulation, and in 2018 many more states are passing legislation to codify the National Association of Insurance Commissioner’s new Model Data Security Law.

Disruptive technology and conduct risks

More privacy regulations should be expected as well.  Political abuse of user behavioral and profile information gathered by the new tech giants like Facebook goes back at least to the 2012 election cycle in the US, and has been brought into the limelight with the Cambridge Analytica scandal. The new European General Data Protection Regulation (GDPR) was already slated to go into effect in May 2018.  No doubt, now, European authorities will be analyzing GDPR to see if it adequately addresses the abusive practices of Cambridge Analytica, and in the US, the Federal Trade Commission is investigating.  Notably the scandal opens up a whole new front on the challenges of third party information risks, that is, customer risks — ensuring that buyers of information analytical services are not abusing those services.

All of these recent regulatory developments, political intrigues, and corporate scandals must have been in the minds of attendees and speakers at OpRisk when they were polled on their top emerging risks.  Disruptive technology tied with cyber risks for the number one position at 47% each.  All other emerging risks paled in comparison.

My big ‘aha!’Chief risk officers are sensing a vicious cyclone of disruptive technology, conduct risks, and cyber risks.  Disruptive technology is being adopted at a faster than sustainable rate — it’s being pushed into service before the lessons from early adopters can be shared with other enterprises.  Advanced automation also requires fewer people, but these people are also enabled through disruptive technology that when abused either intentionally or through ignorance or negligence, can wreak tremendous havoc.  The technology is also being pushed out at such a pace that the cyber vulnerabilities are not fully known and addressed — presenting all kinds of opportunities for malicious actors to act at scales never before possible.  Inevitably there are going to be problems, and it’s up to CEOs and CROs to act together to ensure that their organizations are not caught up in this vicious cyclone.

Jump to Topic
Admin_avatar_1498731489

BLOG ADMIN

Read more about the latest happenings in the GRC universe. MetricStream experts share their valuable insights on how organizations can turn risk into a strategic advantage and thrive on risk.

 
Blogs

How IT Can Leverage AI to Prevent Major Cybersecurity Incidents

cyber-incident
3 min read

Introduction

The need for artificial intelligence (AI) in IT governance, risk and compliance (GRC) is growing quickly.  As companies expand their digital footprints, cybersecurity vulnerabilities worsen due to an increased amount of data being produced from IT security monitoring and performance tools.

At its recent Ignite 2017 conference, Microsoft revealed its plans for further incorporating artificial intelligence (AI) into its various offerings.  For example, the company is embedding AI in Excel to assist with automatic determination of different types of entries – Excel will be able to go beyond automatically differentiating between text and numbers to being able to identify the type of text utilized.  Since the program will be able to better identify types of text – for example, differentiating between objects, corporations and people – it also will be able to discover relationships within and between data sets.

A recent report issued by MetricStream found that AI has already taken the step of improving the discovery of data relationships in governance, risk and compliance (GRC). For instance, if a risk assessor creates a link of a risk to a business objective, an auditor identifies a relation of a risk to a control, and an IT security manager identifies a link between a control and an IT asset, an analyst now can evaluate the relationships between IT assets, risks and controls and business objectives.  Over time, through machine learning, a GRC system leveraging AI could begin to distinguish these relationships on its own, and thereby augment the discovery of linkages between data objects and make suggestions to human end users of the system. Further, rather than waiting for a human analyst to evaluate the relationships and trends, an AI-backed GRC solution could utilize cognitive computing to continuously analyze the data objects for any changes that could lead to greater risks or control failures – any detected threats to the ability to achieve business objectives would automatically alert human analysts for deeper evaluation.

Within an IT GRC context, the need for AI is growing quickly.  As companies expand their digital footprints, cybersecurity vulnerabilities worsen due to an increased amount of data being produced from IT security monitoring and performance tools.  In response to this, vendors have begun augmenting threat-monitoring tools with AI; the potential for discovering patterns of security vulnerabilities and IT asset performance can be significantly enhanced by the incorporation of this technology. However, AI still requires human analysis of the reports from those assets. Applying machine learning, GRC solutions can learn from the human analysis and then continuously monitor for the emergence of high-risk vulnerabilities, thus catching them and, through cognitive computing, orchestrate corrective action that can prevent a major incident or failure.

How far is the GRC industry from deploying solutions augmented by AI?  Perhaps not that far.  According to a recent survey conducted by GARP, a risk professionals association, 15 percent of their risk management organizations are already using AI. However, just 4.6 percent say that it plays a significant role in risk management.  Certainly, if compliance and audit professionals were surveyed, the numbers would be even smaller.  Still, with new tools emerging from industry giants like Microsoft that enable developers to incorporate AI capabilities into Excel-based solutions, there will be a lot of experimentation over the next two to three years, and GRC solutions that incorporate AI will play a major role in the industry in the near future.

Corporate Compliance Insights is a wholly owned subsidiary of Conselium Executive Search, the global leader in compliance search.

This article was originally published by Corporate Compliance Insights and can be read here: Can AI Be the Next Step in GRC’s Evolution?

Jump to Topic
Admin_avatar_1498731489

BLOG ADMIN

Read more about the latest happenings in the GRC universe. MetricStream experts share their valuable insights on how organizations can turn risk into a strategic advantage and thrive on risk.

 

Related Resources

Blogs

Mitigating Cyberattacks: The Prevention and Handling

shutterstock
4 min read

Mitigating Cyberattacks

New tools and technologies help companies in their drive to improve performance, cut costs and grow their businesses but as companies adopt cloud services in greater numbers and refine internal processes for development and operations, security considerations must be front and center.

As companies rapidly adopt Cloud with a DevOps approach to rapid response to business they must revisit security plans to confirm they are still effective in preventing and handling cyberattacks, making adjustments where needed. In certain industry segments this situation becomes more acute with Internet of Things (IoT) due to the nature of how these are operated and traditionally secured. To succeed at this, companies need to create the right environment for a cybersecurity culture and utilize automation technologies to protect and preserve data, operations and applications.

Cyberattacks are increasing in number and sophistication. For many security professionals and heads of business it is no longer a case of if something will happen, but when. In fact, according to Alert Logic and Crowd Research Partners, over half of cybersecurity professionals expect there to be successful cyberattacks on their organization in the next year.

Consequently, a third intend to increase security spend on cloud infrastructure and over a quarter on cloud applications. With 40 percent citing a lack of security awareness among employees as an obstacle to stronger cybersecurity, it’s little wonder that 23 percent plan to up their spend on training and education.

Prevention: A Two-Pronged Approach

Cyberattack prevention will continue to be a two-pronged approach – top-down and bottom-up. Top-down, compliance mechanisms must be implemented, including rigorous security level classification of data and applications and governance to secure certifications. Bottom-up, appropriate tools and technologies for intrusion detection must be in place.

Internal processes are changing. Cloud services and DevOps are converging to bring about the rapid release of value to the business. Previously, companies sourced storage and information-sharing infrastructure and had to add software and applications. Now, services come loaded with pre-built components and applications such as database solutions.

This is convenient, often cost-effective and efficient but what does it mean for security? Companies have to rethink InfoSec, questioning whether the mechanics of yesteryear are still relevant or if they need to be refined.

As companies make their adjustments we can expect to see an increased focus on building ‘zero trust’ systems with more segmentation within the model and access security even within the network perimeter. In addition, the zero trust way of thinking will be added to Secure Software Development Lifecycle (SSDLC).

When the correct application of security protocols is left to individual users, the security of business data and applications depends on staff knowledge and training being up to date. Checks and balances, for example around taking appropriate action according to a data set’s security classification are largely people dependent and this is a potential weak spot for all organizations.

Wherever dependencies such as these exist, assumptions should never be made. This goes for the responsibilities of cloud service provision as much as for internal training practices. All too often assumptions are made over security when contracting for cloud services and this is contrary to InfoSec due diligence.

Cure: Effective Planning and Automation

With the number and regularity of high profile data breaches we see, it would perhaps be forgivable to think that companies simply cannot prevent the most persistent of hackers from getting in. That they should instead focus efforts on containing intrusions, so that they can’t progress beyond the entry point to access, copy, destroy or otherwise compromise data.

In this, there is some comfort that detection intelligence is improving. According to PwC, 42 percent of those that detected a security incident in 2008 didn’t know the source of it; this has now fallen to below ten percent.

Effective handling of a cyberattack depends on effective planning. This means having in place a method for quickly identifying that an attack has occurred and a plan that can be swiftly put into action to isolate the issue and prevent further spread.

With the risk of cyberattacks being so high, there can be no excuse at all for not having thorough, and tested, disaster recovery and business continuity management plans. These must include a strategy for crisis communications to minimize reputational and brand damage.

Technologies that constantly scan for network vulnerabilities support swift action in the event of data or infrastructure compromise. Understanding what is needed, and the optimal level of investment it will take to protect valuable assets comes down to knowing the system’s architecture and thoroughly assessing risk levels.

Automation of as much InfoSec as possible makes detection, system shut-down and plan instigation more rapid and effective. With attacks increasing, and becoming more sophisticated, organizations need to invest in their disaster recovery and threat intelligence systems.

Evolution in how businesses deliver their services externally keeps raising the bar on cyberattack mitigation. The IoT, which is steadily creeping into many areas of our lives, is a case in point. This is a growth area, with the number of connected homes in the US experiencing a 31 percent compound annual growth rate according to McKinsey, and 29 million connected homes forecast in 2017.

The depth of connectivity we are now becoming used to introduces security considerations into areas where they haven’t existed before, including utilities provision and the operation and maintenance of private vehicles.

As companies take advantage of technology and process advances to change the way they design, deliver and operate, and as they incorporate connectivity into more services delivered to customers, they must be extra vigilant over cybersecurity.

To prevent cyberattacks and handle them should they occur, they must plan well, understand their system’s architecture and take advantage of the tools and technologies that support damage limitation. Companies that fail to do this may well fail to protect their brand and reputation and consequently their short-term performance levels and long-term future.

The original article was published by CloudTweaks here.

Admin_avatar_1498731489

BLOG ADMIN

Read more about the latest happenings in the GRC universe. MetricStream experts share their valuable insights on how organizations can turn risk into a strategic advantage and thrive on risk.

 

Related Resources