Warren Buffett calls cybercrime the No. 1 problem with mankind.
At his 2017 Berkshire Hathaway annual meeting, the billionaire businessman said cyberattacks are a bigger threat to humanity than nuclear weapons.
In December 2020, the United States was hit with one of the most consequential cyberattacks of all time, purportedly carried out by Russian hackers. Victims included the U.S. Treasury, the U.S. National Telecommunications and Information Administration, the National Institutes of Health, the Cybersecurity and Infrastructure Agency, the Department of Homeland Security, the U.S. Department of State, the National Nuclear Security Administration, the U.S. Department of Energy, multiple state governments and cities, Microsoft and other private companies in the U.S., Canada, Mexico, the United Kingdom and more. This attack requires ongoing investigation and response.
Many business leaders are unprepared to address cyberthreats and many companies lack cybersecurity expertise on their leadership teams and boards. If cybercrime is the greatest risk facing most companies today, and I believe it is, the lack of security expertise is concerning.
Craig Willard, chief operating officer at SimplifIT and a 15-year IT executive at a Fortune 100 health-care organization, believes that “all business decisions should be inspected through a cybersecurity lens to ensure that business decisions do not introduce vulnerabilities that can be exposed by internal and/or external bad actors.”
The government is now demanding more transparency from companies regarding cyber risk. The Cybersecurity Disclosure Act of 2017 is designed “to promote transparency in the oversight of cybersecurity risks at publicly traded companies.” Europe’s 2018 General Data Protection Regulation and other new regulations are quickly becoming normative around the world: 58% of all countries have some form of privacy regulations on the books, and another 10% are drafting legislation.
Interestingly, the U.S. isn’t governed by a national data privacy standard. Instead, states are adopting their own regulations that hold companies accountable for protecting individuals’ data. At least 38 states, Washington, D.C., and Puerto Rico have introduced bills or resolutions that deal with cybersecurity, according to the National Conference of State Legislatures.
Areas seeing the most legislative activity include measures to: require government agencies to implement training and security policies; increase penalties for computer crime; regulate cybersecurity within the insurance industry; create task forces to study cybersecurity; and support programs for training and education.
President Joe Biden recently proposed a $10 billion funding injection to shore up the United States’ cybersecurity capabilities. The plan will provide emergency funding to upgrade federal information technology infrastructure and address the recent breaches of federal government data systems.
In 2020, the U.S. House of Representatives passed legislation sought by state IT leaders to create a federal grant program supporting state and local government cybersecurity efforts. It lacked companion legislation and stalled. The U.S. Senate passed a similar bill in 2019. It also stalled.
The U.S. Department of Defense (DoD) will begin to roll out the new Cybersecurity Maturity Model Certification framework that eventually will require all DoD contractors, subcontractors and suppliers to receive cybersecurity assessments from third-party assessment organizations.
A data breach will always harm your organization. That’s why every organization needs some form of cybersecurity expertise on its side. Without it, an organization exposes its stakeholders to cyber breaches with the potential to cause major business disruptions and losses and to erode stakeholder value.
For most organizations, expedited digital transformation, an expanded remote workforce, and the ability to manage cybersecurity risk have now become requirements for survival. Those that have a well-rounded leadership team, including an expert who can speak to the importance of cybersecurity and risk management, are emerging stronger.