Treat cybersecurity as a business decision
After years of heavy investment in cybersecurity, more and more boards and executives are starting to ask the tough questions: “What have we achieved with our investment, are we any more secure than we were, how much more are we going to spend?”
This may explain why before the pandemic we were seeing a slowdown in cybersecurity spending. I did not say stop, I said slowdown. Even that is questionable. One report you will read says IT spending is down, but security spending is up. Another article says spending on cybersecurity is flat. Maybe it all depends on the industry? Maybe the pandemic has bought us some time to answer these questions, as it should. But sooner or later we need to address them.
As expected, 87% of enterprises are seeing mobile threats growing the fastest this year, outpacing other threat types. Thanks a lot, COVID! Companies have gone from very few staff working remotely to 100% almost overnight. Mobile devices and the identities they represent are the new security perimeter for every organization today.
There is a cost to making staff function remotely, but let us not lose sight of the fact that it costs money to secure a mobile workforce as well. I am amazed by how well our community bankers have addressed both. We are functioning and we are secure. Throw a virtual hug or fist bump to our IT and security teams.
There has been a 667% increase in spear-phishing email attacks related to COVID-19 since the end of February. Microsoft stops billions of phishing attempts a year on Office 365 alone by relying on heuristics, detonation and machine learning, strengthened by Microsoft Threat Protection Services. But this is not a free service; there are some costs.
I remember last year around the middle of March thinking, do I really need the advanced threat protection, and do I really need to protect SharePoint, OneDrive, Exchange and our Windows 10 endpoints?
Boy, I am glad that was an easy sell to the executives. And I am also glad we spent a little more on our security awareness program. Cybercriminals have moved away from complicated, time-consuming technical exploits to concentrate on end-users, a large and frequently vulnerable attack surface.
According to Security Magazine, small or large, nearly every attack now begins in the same way: by relentlessly targeting people through email, social networks and/or cloud and mobile applications.
Are we 100% secure? Are you sure?
So, to circle back to my original comment, IT and security teams will be asked the tough questions more and more: “Why did we spend so much on security in 2020? How many incidents did we have?” Be prepared to show them the statistics; you will have the numbers. But also let them know how appreciative you are of them for supporting you and your team.
Use this as an example to plan and budget for future requirements. I’ve gone from hardly ever being a part of board meetings to not missing many. I was fortunate to be a part of organizations that just got it. Not sure how else to describe it.
I will never forget the time, in another career stop, I was in a board meeting delivering my cybersecurity presentation. I was showing them the statistics, how many incidents we had, etc., when the chairman stopped me and asked two very direct but fair questions: “What will this organization do if we are hit by electromagnetic pulse waves? How is our data center protected?”
I am thinking, oh man, it sure would be nice right now if I could just ask Alexa a question without anyone knowing. I had no choice, I told him that I would research and get back to him. A peer of mine sent me a text during the meeting, “Faraday cage.” I sent back the text, “What the heck is that?”
To be continued in next month’s issue.