Tag Archives: John Bruno

How Safe Is Your Data?

Overview

Your data might not be as safe as you think it is — and it could cost you dearly.

Part of the threat comes, unwittingly, from your employees — and, possibly, even yourself. A significant proportion of cyber breaches (as many as 30%) are caused by “negligence or mistakes,” with individuals failing to act responsibly or follow procedure.

Two decades after the launch of the web, digital has become so ingrained in our lives that it’s easy to assume you know the best security practices to keep you and your organization safe from a data breach. But as technology continues to drive changes in the way we live and work and as the Internet of Things becomes more omnipresent, the digital risks we all face are only going to increase as more and more devices share data around the world.

Read on for some simple steps you can take to help keep your data more secure.

In-Depth

A growing threat, but an inadequate response

The number and potential severity of cyber breaches are increasing. A recent PwC survey found that nearly 90% of large organizations suffered a cyber security breach in 2015, up from 81% in 2014; the average cost of these breaches more than doubled year-on-year. With more connected devices than ever before — and the total expected to reach 50 billion by 2020 — there are more potential targets for attackers, as well as more potential for accidental breaches.

What’s more, as of late 2015, companies are, for the first time, listing their information assets as nearly as valuable as their physical assets, according to the 2015 Ponemon Global Cyber Impact Report survey, sponsored by Aon.

So how do you keep your organization’s data — and that of your clients and customers — safe?

According to Aon cyber insurance expert Stephanie Snyder Tomlinson, it’s not just a matter of investing in better technology and more robust systems.

“A lot of companies find that the weakest link is their employees,” Snyder Tomlinson says. “You need to train employees to make sure that if they get a phishing email, they’re not going to click on the link; that they don’t have a Post-it note right next to their monitor with all of their passwords on it. It’s the human error factor that companies really need to take a good hard look at.”

From intern to CEO: Simple steps everyone can take

It’s easy for individuals to become complacent about data security, says Brad Bryant, Aon’s global chief privacy officer. But with cyber threats increasing, it’s more important than ever to be aware of the seemingly innocent individual actions that can potentially lead to serious cost and reputational consequences for your organization.

According to Bryant, there are four key things everyone can do to help protect themselves and their organizations from the rising cyber threat:

  • Be alert to impersonators — Hackers are becoming increasingly sophisticated at tricking people into giving away sensitive information, from phishing to social engineering fraud. You need to be more vigilant than ever when transmitting information. Are you certain they are who they say they are?
  • Don’t overshare — If you give out details about your personal life, hackers may be able to use the data to build a profile to access your or your company’s information. From birthdays to addresses, small details build up.
  • Safely dispose of personal information — A surprising amount of information can be retained by devices even after wiping hard drives or performing factory resets. To be certain your information is destroyed, you may need to seek expert advice or device-specific instructions.
  • Encrypt your data — Keeping your software up-to-date and password protecting your devices may not be enough to stop hackers should those devices fall into the wrong hands. The more security the better, and, with the growing threat, encryption should be regarded as essential.

Key approaches for organizations to better protect data

Investing in better cyber security is only one element of protecting your information and that of your customers and clients. Data breaches don’t just happen through hacks, or even employee errors. At least 35% of cyber breaches happen because of system or business process failures, so it’s vital to get the basics right.

Prevention is key, says Tom Fitzgerald, CEO of Aon Risk Solutions’ U.S. retail operations. There are four key strategies he recommends all organizations should pursue to limit the risk and make sure they’re getting the basics right:

  • Build awareness — Educate employees on what social engineering fraud is, especially in your financial department. Remind employees to be careful about what they post on social media and to be discreet at all times with respect to business-related information.
  • Be cautious — Always verify the authenticity of requests for changes in money-related instructions and double-check with the client or customer. Do not click on random hyperlinks without confirming their origin or destination.
  • Be organized — Develop a list of pre-approved vendors, and ensure employees are aware. Review and customize crime insurance. When it comes to coverage or denial, the devil is in the details.
  • Develop a system — Institute a password procedure to verify the authenticity of any wire transfer requests and always verify the validity of an incoming email/phone call from a purported senior officer. Consider sending sample phishing emails to employees to test their awareness and measure improvements over time.

Much of this advice is not new — but the scale of the threat is increasing, making following it more important than ever.

“Social engineering fraud is one of the greatest security threats companies can encounter today,” Fitzgerald warns. “This is when hackers trick an employee into breaking an organization’s normal digital and physical security procedures to access money or sensitive information. It can take many forms, from phishing for passwords with deceptive emails or websites to impersonating an IT engineer, to baiting with a USB drive.”

How governments are driving data protection

The potential consequences of inadequate data security are becoming more serious as courts and regulators are focusing on this issue globally.

The EU is considering a data protection directive to replace previous regulations implemented in 1995. The expected result will be a measure that focuses on protection of customer data. Similarly, an October 2015 ruling by the European Court of Justice highlighted the transfer of customer data between the E.U. and the U.S.

“Regardless of where a company is located, the provision of services to E.U. customers and the collection or mere receipt of personal data from European citizens may potentially subject companies to E.U. jurisdiction,” Bryant warns. “Failure to comply could present unprecedented risk for companies, including fines of up to 4% of a company’s total global income.”

It’s not just changing E.U. rules that could affect your business. Internet jurisdictions and organizational operations are increasingly becoming cross-border. This global patchwork of internet rules and regulations is why only 24% of cyber and enterprise risk professionals are fully aware of the possible consequences of a data breach or security exploit in countries outside their home base of operations.

Why getting the basics right is critical

As the Internet of Things continues to grow, the number and range of potential targets for cyber attack is only going to increase. While eliminating all cyber risk may be impossible, getting the basics right is becoming more important than ever.

“Given the large scope and impact of the various changes in data protection law, coupled with the drastic increase in fines, becoming educated on how to protect our data is more business-critical now than ever before,” Bryant says.

Talking Points

“The average cost per user of a data breach is now $240… The costs are costly, but the current model of privacy will not make sense going forward.… The Snowden revelations advanced hope that there would be this really excited response that would get government to impose really strict regulations. There was some posturing made, and it seemed like we were heading in that direction, but I don’t think we are going there.” – Lawrence Lessig, Roy L. Furman Professor of Law, Harvard Law School

“A step change in sanctions will make privacy a board-level issue. Some businesses will need to start taking these issues a lot more seriously.” – Tanguy Van Overstraeten, Linklaters

“The digital future of Europe can only be built on trust. With solid common standards for data protection, people can be sure they are in control of their personal information.” – Andrus Ansip, Vice President for the E.U. Digital Single Market


How Technology Breaks Down Silos

Overview

New digital technologies and the data they are producing have forced collaboration among senior business leaders across all levels of all organizations. To obtain insights from data to drive decision-making and embed a data-driven approach within a company’s culture, it is critical for the C-suite to lead the way.

It’s easy to talk about collaboration, but much harder to act. Analyzing information, deriving insights and responding with effective strategies requires an understanding of the analytical tools themselves, as well as collaboration. As technologies get smarter and various functional groups collaborate, simply moving to single systems can give broader teams greater visibility to inefficiencies and broken processes.

But how does a business get to such a place? What tools and strategies bring about successful coordination of activities in such dynamic situations? And what are the challenges of working together that C-Suite executives should anticipate?

In Depth

Just about every functional group within an organization can now collect, connect and analyze data. But big data – from keyword searches, social sites, wearables, mobile devices, customer feedback and so on – presents challenges as well as opportunities for business leaders. One of the biggest is how to maximize the potential of this data by transcending organizational silos to unlock its true potential.

Technology is also transforming how businesses develop and deliver goods and services and is placing enormous new demands on those responsible for strategies to navigate the challenges. These are the people who need to apply institutional knowledge, implement changes and allocate resources toward new ways of working on a day-to-day basis.

Paul Mang, Global CEO of Analytics and leader of the Aon Center for Innovation and Analytics in Singapore, says there are two types of data analysis that can be leveraged to accomplish this: business analytics and enterprise analytics. Business analytics focus on the use of established tools and capabilities, while enterprise analytics “create new product or value propositions for existing clients or new client segments altogether.”  Short-term, enterprise analytics can lead to disruptive innovation while quickly contributing to improved long-term performance.

“Business and enterprise analytics should work side-by-side and complement each other” to support decision making, Mang says.

The Changing Role of the CIO

The need to become an effective data-driven organization has dramatically increased the importance of the chief information officer (CIO), a role that John Bruno, chief information officer at Aon, says is that of “an integrator – someone who works across the entire organization to embed data within the business.”  He sees the value that information technology (IT) brings, and notes that “IT is less about bits and bytes of data, but more about bringing them together to extract specific insights.”

The need to centralize and mine big data for market opportunities and to parse out weaknesses is also prompting some firms to create a C-suite level position of chief data officer (CDO). This role would be responsible for working with business managers to identify both internal and external data sets that they may not even realize exist, as well as continually looking for new ways to experiment and apply that data.

Equally critical to communicating changes in customer preferences and behaviors, and for their ability to leverage insights from customer purchase patterns into developing new products and services, is the chief marketing officer (CMO). Like the CMO, the effective CIO needs an intimate understanding of how current technology can increase the company’s sales.

However, Bruno says, “in any large organization, there are multiple leaders in different parts of the organization who address different elements of the same challenges. It’s the CEO who can see the whole view and works to have teams bring forward integrated solutions to distributed problems.” He sees the role of the CEO as one who looks beyond short-term disruptions and organizational adjustments to seize opportunities that ensure long-term growth.

This is why, increasingly, the role of the CIO/CDO is about balancing business needs against an incoming stream of opportunities – and risks. This broad cross-business knowledge can only come from constant and deliberate collaboration with the rest of the C-level executive suite. Above all, the CIO has to be able to effectively show how technology and the subsequent data it brings are assets rather than cost centers. For CIOs to really succeed, this means informing C-level colleagues about technology and the opportunities it can create.

Making Collaboration Count: Finance and HR

The role of the CFO is increasingly about analyzing data to give it meaning and partnering across the organization to make the information actionable. One area that is seeing CFOs use data to drive real results is in collaboration with the chief human resources officer (CHRO).

Eddie Short, Aon Hewitt’s managing director, Global Data & Analytics, says that in most organizations the C-Suite has not been getting sufficient insight into people-related business issues, typically owned by human resources (HR) teams. Today, with the CIO’s help, digital tools are increasingly being used by leading organizations to measure employee performance, reduce attrition and cultivate talent through a better understanding of the data about their workforce that they can gather and analyze.

“People analytics,” as this emerging field is known, attempts to bridge the gap between HR and the rest of the organization by providing specific insights into an organization’s talent. “People analytics is all about connecting the value of your people to the strategic goals and objectives of the business,” Short says. “This approach represents a major opportunity for HR and finance leaders to take a road centered on the greatest asset that organizations have – their people – and start to shape the value-add they will create for the business over the next five to 10 years using predictive analytics.”

With skills shortages an increasingly pressing issue for many organizations around the world, gaining this kind of insight can help a business to identify and meet its future talent needs.

Aligning for Agility

As technology continues to disrupt, CEOs and the C-Suite in general must accept that there may not be a set playbook to follow to adapt and evolve. Flexibility is paramount, and often organizations must invent and reinvent as they move forward. Intelligently applying analytics tools to derive value from big data can help them navigate this new terrain.

“Today, CXOs want predictive insights,” Short says. “They want answers to the predictive ‘what could I do?’ questions as well as prescriptive – ‘what should I do?’ – questions.” Yet most tools and programs currently available are merely descriptive – deriving true insight requires additional interpretation from people who really understand the business.

This is where C-Suite collaboration becomes so vital. Organizations thrive when there are diverse and complementary personnel and systems working together. Sharing insights from the analysis of big data across the C-suite and across functions can position businesses to draw valuable insights from this data, harmonize planning around it, align their actions and understand the full value this brings both to their own divisions and the organization as a whole. And the more that data is shared, the more leading businesses discover that they can find answers to today’s – and tomorrow’s – questions.

With the measurable business benefits this data sharing can bring, the business case for breaking down silos within organizations is stronger than ever. Where this may have once been a C-Suite aspiration, the make-or-break implications of insights drawn from this data have made it a business imperative.

Talking Points

“In every industry, our analysis and our work with clients would suggest technology at a minimum is going to be a tremendous accelerant. So if you have a business model, the opportunity to scale it more effectively, grow it more effectively gets… amplified.” – Greg Case, CEO, Aon

“The way that big data pervades most organizations today creates a dynamic environment for C-level executives to explore how it can and should be used strategically to add business value.” –  Economist Intelligence Unit


Cyber and Physical Threats Are Colliding

Overview

A quarter of a century after the World Wide Web began to transform the Internet into the indispensable tool we all rely on today, we’re entering a new digital revolution. Over the next four years, the number of connected devices is expected to grow to as many as 50 billion, according to the 2015 Ponemon Global Cyber Impact Report sponsored by Aon. Business is expected to make up a far larger percentage of Internet of Things (IoT) usage than the consumer — IoT is more about smart factories and computer-controlled office systems than shiny gadgets like smart watches and fitness trackers.

The risks are becoming physical. Some of these new devices could cause serious real-world damage. We’ve already seen manufacturing plants seriously damaged by cyber attacks and electricity grids and automobiles shut down by hackers. It’s only a matter of time before such threats become more common and more physically dangerous to both people and property.

With the rise of new technology comes fresh opportunity for business — but also new risk. In the workplace, every new connected device represents a new link in the IT chain. With the age of the Internet of Things upon us, what are the new risks and what do business leaders need to know to be prepared?

Projected growth of Internet-connected devices, 2013-2020

Source: 2015 Ponemon Global Cyber Impact Report, sponsored by Aon

In-Depth

New Technology, Big Opportunities 

The benefits of Internet connections are hard to overstate. For businesses, the Internet of Things offers the promise of quantified everything. Employers will be able to track productivity and leverage metrics to uncover new efficiencies. With connected sensors underpinning every square inch of an organization’s footprint — once-siloed data sets can be integrated, correlated and cross-referenced — it will become easier to identify new efficiencies and deliver new value.


The benefits are immense – but so, potentially, are the risks.

“As we move into having smart workplaces and offices, you’re really talking about a technology backbone that’s driving an organization,” says Stephanie Snyder Tomlinson, a cyber insurance expert at Aon. “What impact can that have on a business? What are the potential losses to an organization if you have a network security breach that results in property damage or bodily injury?”

Digital Threats Turn Physical

An unfortunate side effect to some of the highest-profile recent cyber breaches is that many people have come to regard cybercrime as solely a privacy issue. It can be far more complex than that.

“If there is a failure of network security or systems,” Snyder Tomlinson warns, “there could be a resultant business income loss. It could be intangible loss in terms of loss of data information assets or, especially as we move into relying more heavily on technology and the Internet of Things, it could be tangible loss, as well.”

You don’t need to look very far to get a sense of the potential risks to property and other physical assets when the Internet of Things begins to help run a workplace. As organizations grow increasingly dependent on technology to run their businesses and offices, the attack surface for cybercriminals increases dramatically. Each new device represents an additional access point for hackers.

The scenarios that could result can sound like something out of a science fiction film:

  • Does your building have computerized entry or elevator systems, with smartcard keys for access? Hackers could take control and lock down your building, trapping employees and visitors inside.
  • Computer-controlled electricity or water supplies can be shut down, rendering working impossible.
  • Connected thermostats are becoming increasingly common and could be taken over — shutting off heating in winter or air conditioning in summer, driving temperatures to unbearable levels and making your office unusable.
  • Logistics servers managing orders and deliveries could be hacked, with real orders canceled, false orders placed or essential supplies redirected to the wrong locations, disrupting your supply chain.
  • Factory robots could be set to destroy rather than create your products.
  • HVAC systems in a company data center could be overridden, causing a rise in temperature that could render network servers inoperable.
  • Fire alarm systems could be turned off just as real-world arsonists attack.

These may sound far-fetched, but are already reality. A cyber attack on a German steel mill in late 2014 caused immense physical damage after hackers installed malware on the network.

“It caused the blast furnace to be unable to be shut down, leading to massive property loss,” Snyder Tomlinson says. “The property loss arose from a network security breach. It’s a perfect example of the potential risks when you have companies that are relying on technology to run their business.”

Understanding the level of risk

“There’s always going to be some type of access point into a network, in one way, shape or form,” Snyder Tomlinson says. “You can have the best network security possible, but as everybody says, ‘It’s not if, it’s when.’”

Consequently, many companies are revisiting their approach to cyber security. Organizations previously concerned only with safeguarding client privacy and personally identifiable information are suddenly contemplating a broader loss spectrum.

“We’re seeing more interest in cyber insurance from manufacturers and critical infrastructure companies, because they recognize that their exposure isn’t necessarily just about private information or the liability arising out of a breach,” Snyder Tomlinson says. “We’re going to continue to see growth in the breadth of cyber coverage over the next several years, where we’re getting into the true property space, because there is the potential to have a property loss arising out of a network security breach or a systems failure.”

Snyder Tomlinson says this is why businesses need to take a holistic view of their cyber vulnerability — “Cyber risk flows through an entire organization.” A good cyber risk management framework has three key elements, she says:

  1. Preparation – Identify and quantify your cyber risk exposures. Develop a breach response plan and business continuity plan. Consider taking out a cyber insurance policy, which can assist with the potential balance sheet impact of a breach.
  2. Practice – Speed of response can be vital to limit damage in the event of a breach. Identify the key stakeholders within the organization and perform a tabletop scenario exercise to ensure everyone knows the role they need to play should an incident occur.
  3. Execution – Engaging with appropriate vendors is critical to successful execution. An organization should have relationships with defense lawyers, a public relations firm and a computer forensics firm so that they can work with it to mitigate loss in the event of a breach.

With the rise of the Internet of Things, cyber crime is no longer simply about loss of information. Increasingly, you need to consider the possibility that cyber could be just as physically disruptive to your business as a natural disaster or a terrorist incident. This is no longer simply a data issue — today, property and, potentially, lives could be at stake.

Are You Prepared for Cyber Attacks?

It’s no secret that cyber attacks have the potential to cause massive business disruption – affecting both financial performance and corporate reputations. But when it comes to C-suite preparedness for cyber attacks, organizational silos are preventing businesses from taking a comprehensive approach. Cybersecurity is a threat that affects the entire C-suite, and managing this emerging risk requires an integrated mindset.

Many senior executives lack full knowledge about how cyber attacks could affect their organization and how to make cybersecurity a C-suite priority. Moreover, across organizations different leaders are addressing different parts of the cybersecurity challenge: where the chief information officer (CIO) and chief information security officer (CISO) are focused on physical and virtual data security, the CFO is concerned about ensuring financial stability in case of an attack. The chief legal officer may be concerned with the potential litigation effect, while the chief marketing officer (CMO) is responsible for mitigating bad PR and preserving the brand. In sophisticated organizations, the chief human resources officer (CHRO) is developing cyber training and awareness programs for employees to address threats that can originate within the company. Cybersecurity is clearly a distributed problem that requires integration across the entire C-suite.

Aon’s latest findings reveal that more than half of companies do not plan to buy cyber insurance even though there is an increased threat of attack. This disconnect exists primarily at the board level — the C-suite knows cybersecurity is an issue, but struggles to define its effect on financial performance. As cyber attacks become more prevalent, organizations will need to take an integrated approach toward preparedness.
