In today’s episode, we will discuss a relevant issue affecting all organizations: the implications of having either a lax or a conservative cybersecurity policy, and how each relates to customer experience and business exposure.
As always, this will be simple and concise but accurate. Click on Subscribe if you want to be informed of new episodes.
Disclaimer – this can be a polarizing topic at times.
Stakeholders’ perception of Cybersecurity
- If you are a security leader, you often think you are doing OK because you review and improve the security approach every 12 months.
- If you are a client like me who travels constantly, you feel it is a little invasive to have to notify your bank where you will be, just to avoid your cards being blocked by an antifraud policy that uses geography as a filter.
- If you are a client whose identity got stolen, there is no way to describe your dissatisfaction at being hacked and having to replace all your documents.
But there is a reason behind each case:
Case One: Cybersecurity is never good enough (CISO)
The new trend in creating value for customers is adopting critical third-party applications. These composable applications constantly produce new features delivered over the cloud as a subscription, and they share information with the client’s other core solutions through what are meant to be “clean, sanitized data tunnels,” called Application Programming Interfaces, or APIs.
Gartner expects many of these composable applications will mature into SuperApps, providing critical functionalities and enriching the customer experience, intending to fulfill Metaverse needs.
What happens if the API has a vulnerability or is not safe enough?
Many recent cybersecurity breaches come from exploiting unsafe APIs. You may think this only happens to organizations without proper cybersecurity resources, technology, or governance. Nope! Building a safe API is a must.
This has happened to crypto-asset organizations, like Coincheck (Jan 2018, valued at USD$534M), decentralized finance (DeFi) platforms, such as Poly Networks, and even the US Capitol.
What happens if a secure API is no longer clean because of new techniques used by hackers?
The point is that you don’t know what you don’t know.
One thing is sure: hackers understand the technology and the benefit of using disruptive technologies (AI, IoT, ML) to find vulnerabilities.
If you read the cases mentioned above carefully, these are not mom-and-pop businesses; these are mature organizations with plenty of budget, resources, and processes in place: no one is entirely safe. This affects incumbents (US Capitol) and digital-born organizations (crypto, DeFi) alike.
The annual exposure is calculated in billions of dollars.
Experts are working on documenting API vulnerabilities, and new vulnerabilities are published periodically.
But this information works both ways: hackers build bots around these published exploits to probe your business for the same vulnerabilities.
Fair enough? I don’t want this Episode to become a “little house of terror” movie.
Case 2: The Customer is not happy with the excess cybersecurity
While everybody sympathizes with securing their assets, a false positive can create real discomfort.
Imagine this: you are on a business trip and find out you need to make a payment or money transfer while away. You use your e-banking application, and suddenly an alarm is triggered because your location is new to the system: the transaction is voided, your e-card and account are frozen, and you need to call your bank to clear the transaction.
Funny, no? This happened to me last week while I was out of town. A couple of international calls with no success, a call from home last Friday, and the need for a final call next Tuesday. What a nightmare!
How to avoid false positive alarms with antifraud systems?
Here comes the problematic piece: some people don’t want to give advance notice of their travel plans, sometimes people travel with no time to call ahead, and many times people are very concerned about their privacy.
There is no good answer, but everybody understands the importance of protecting and securing their assets.
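To make the trade-off concrete, here is an added illustration (not code from the newsletter or from any bank) of the difference between a geography-only rule that freezes on any unseen country and a layered rule that treats a new location as one signal among several and escalates to step-up verification before freezing. The customer and transaction fields, the decision labels, and the amount threshold are all assumptions chosen for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Customer:
    home_country: str
    # Countries the client has told the bank about (travel notice); assumption
    travel_notices: set = field(default_factory=set)
    # Countries with prior approved transactions on this account; assumption
    seen_countries: set = field(default_factory=set)

@dataclass
class Transaction:
    country: str
    amount: float
    device_known: bool  # same phone/browser the client usually uses

def is_new_location(cust: Customer, tx: Transaction) -> bool:
    """A country is 'new' if it is neither home nor previously seen."""
    return tx.country != cust.home_country and tx.country not in cust.seen_countries

def geo_only_decision(cust: Customer, tx: Transaction) -> str:
    """Conservative policy from the episode: any unseen country freezes the
    account outright, regardless of amount, device, or travel notice."""
    return "freeze" if is_new_location(cust, tx) else "approve"

def layered_decision(cust: Customer, tx: Transaction, amount_limit: float = 1000.0) -> str:
    """Geography is only one signal. A travel notice clears the new location;
    otherwise a trusted device and a modest amount earn a step-up check
    (e.g. an in-app confirmation) instead of a freeze."""
    if not is_new_location(cust, tx) or tx.country in cust.travel_notices:
        return "approve"
    if tx.device_known and tx.amount <= amount_limit:
        return "step_up"
    return "freeze"

def compare_policies(cust: Customer, txs: list) -> list:
    """Return (geo_only, layered) decisions side by side for each transaction."""
    return [(geo_only_decision(cust, t), layered_decision(cust, t)) for t in txs]

if __name__ == "__main__":
    # Constructed sample: a US client with history in Canada, now paying in Portugal
    client = Customer(home_country="US", seen_countries={"CA"})
    sample = [
        Transaction("PT", 120.0, device_known=True),    # own phone, small amount
        Transaction("PT", 5000.0, device_known=False),  # unknown device, large amount
        Transaction("CA", 50.0, device_known=False),    # previously seen country
    ]
    for tx, (geo, layered) in zip(sample, compare_policies(client, sample)):
        print(f"{tx.country} {tx.amount:>7.2f} geo_only={geo:<7} layered={layered}")
```

The first sample transaction is the episode's own scenario: the geography-only rule freezes the account, while the layered rule asks for a confirmation and leaves the card usable.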
Case 3: The Customer was hacked, and assets were exposed
If you are in this situation, you will find no reasonable explanation for why your service provider didn’t protect you better.
We talked about only one case, API security, but there are many other exploits.
API abuse is just one of many attack paths, even though it affects many customers.
A complete solution includes reviewing and analyzing the attack surface and mitigating all new and existing vulnerabilities (Attack Surface Management, or ASM).
My point is that security has become a matter of periodic review and improvement. It affects brick-and-mortar and digital-born organizations alike, whether private, public, or governmental.
A positive closing message:
To Customers:
At the end of the day, your service provider’s goal is to provide good service while protecting your assets and personal information. Be mindful of that during a false positive event, and help them improve by sharing your experience with them.
Use the following FBI guideline: If you see something, say something.
To Business:
There is a reason why the best organizations have changed their security policy from “best in class” or “best we can afford” to “continuous improvement, continuous delivery.”
Building the mindset of a learning organization on security issues, and making everybody aware of their role in protecting IT and business assets, seems to pay off greatly.
In addition, great solution providers are willing to help you by assessing your current cybersecurity approach and building a continuous improvement cycle.
Let me know if you are interested in learning more about this exciting topic. I am happy to attend.
Good enough?
I hope you find this Episode valuable and entertaining.
What do you think about the subjects raised in this edition of the Digital Acceleration Newsletter?
I would love your feedback on the Newsletter’s value and alternatives I can explore to bring additional value to you.
You are welcome and encouraged to share your thoughts with the audience or via DM; I am happy to help.