Cyber Threats: How Finance Directors Should Prepare


What are the differences in cyber-threats facing public and private companies, and what responsibilities do their CFOs have in terms of disclosure?

By Andrew Douthwaite, VP Managed Services, VirtualArmour
Cyber attacks spiked 164% in the first half of 2017, compared to the same period in 2016, entailing 918 disclosed breaches, according to reports on broadcaster CNBC. Threats vary from sector to sector. Healthcare, for example, is more susceptible to crypto-locker ransomware like the infamous WannaCry.
Internet-connected consumer devices often fall prey to malware that shackles them to remotely controlled botnets such as Mirai. Varied though the threat may be, and staggering though these numbers are, the word “disclosed” highlights a central paradox: While transparency contributes to the overall fortification of cyber-security protocols and procedures, battening down the hatches presumably mitigates further financial risk.
Sure, a disclosure is immensely beneficial in terms of buttressing industrial safeguards, national and global security, and customer protection – not to mention mitigating the longer-term repercussions of an attack – but so too can disclosure exact lasting damage on a bottom line.

Fighting back

The nature, intent, and consequences of an attack notwithstanding, the way companies have responded to breaches is closely related to their designation: public or private. CFOs at public and private companies face different risks and pressures when it comes to cyber-security and disclosure, and exhibit divergent perspectives when it comes to preparation.
Broadly speaking, public company CFOs are more likely to outsource cyber-security to third-party firms, while private CFOs tend to invest in in-house IT teams. Regardless of who secures a company’s network, breaches are often known by CFOs before they are made public. By disclosing a breach, CFOs of publicly traded companies might trigger investor panic and sell-off, whereas private company CFOs risk irreparable harm to consumer and employee confidence.
On one hand, foreknowledge of pending disclosures can put unique pressure on public company executives, who often own considerable amounts of company stock. The ongoing federal investigation of three Equifax C-suite managers for insider trading arose due to alleged stock dumping prior to the revelation of the company’s catastrophic cyber-attack.
Equifax underscores the tension between a public corporation’s responsibility to its board, shareholders, and customers, and the financial implications of both the breach itself and legal requirements governing its reporting and remediation.
On the other, while private companies aren’t under the same legal obligations in terms of disclosure, and while the short-term consequences may be less impactful, these companies still face long-term pitfalls, such as lost trust and tarnished brands. Moreover, a medium-sized business may not have the capital or reserves to recover reputationally or financially after a major data breach the way a multinational corporation can.
Additionally, the moderate scale of many private companies sometimes instills a false sense of security. Middle-market businesses often assume they’ll be overlooked by attackers, whether due to the large number of similar companies, or a lack of enticing assets. After all, isn’t it the bigger fish that stockpile the type of data and info that hackers tend to target?

Be prepared

A lack of proper preparation only exacerbates the panic once an attack does occur. Attempting to deal with an attack on the down low can earn private enterprises a reputation as easy marks, and provoke subsequent attacks. Further, if the rearguard strategy backfires, or is exposed by the press, this can amplify the damage to a company’s brand and leadership, not to mention potential legal consequences if a court can prove negligence.
In terms of the bigger picture, the lack of reliable data pertaining to attacks on private companies leads to lopsided analysis regarding the multifaceted aims and motives driving these attacks, resulting in a sort of half-finished portrait of the threat landscape.
While cybersecurity prevention could be vastly improved by greater information sharing, some surveys of CSOs indicate that only one in seven attacks are reported to authorities. Alas, as it stands, adequate event modeling, and risk and security assessments, are being stymied by a lack of shared intel on private company breaches, effectively hampering the development of comprehensive prevention and management strategies.
This lack has precipitated the introduction of numerous cyber-security regulations around the world, and though the regulatory ecosystem is in a state of flux, the global trend is invariably toward greater transparency. CNBC notes that “governments around the world are introducing legislation which will force more companies to disclose data breaches,” a reach that already extends to private enterprises.

Regulatory environment

Both private and public companies are compelled to comply with local, national and global disclosure regulations, including Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and the EU’s soon-to-be-implemented General Data Protection Regulation (GDPR).
The GDPR, which regulates the collection and storage of customer information and data, and can levy fines of up to €20 million, requires that private companies disclose if they have a footprint in Europe, or otherwise handle the information of European citizens.
In the US, Sarbanes-Oxley (SOX) indexes the responsibilities of both public and private companies, including rules pertaining to compliance with federal prosecutors, and criminal penalties. Further, HIPAA governs how any company, public or private, handles personal health information.
Though public companies, traditionally, may have shouldered an inordinate amount of the fallout from disclosure, this has left them better readied for the implementation of legislation designed to enforce transparency. Even more advantageous, public companies now have hard-won practice mitigating the financial risks and ramifications resulting from disclosure.
Private companies, by contrast, are less aware and agile in terms of prevention and response; protecting their brand, for example, or proactively communicating with clients. Simply put, having been in battle, public CFOs are stepping up and getting more involved with cyber-security, while private CFOs, hovering on the sidelines, appear far more circumspect.
Make no mistake: this problem is only getting worse. The situation could improve rapidly if execs from companies of all stripes and sizes shared details of attacks with the larger corporate community.
Whether you are a CFO of an international, publicly-traded conglomerate, or a midsized regional business, it is well within your portfolio to do everything possible to properly prepare for the threat. Engage with the board, secure funding for proper security controls, and encourage leadership to be forthcoming when, not if, your company’s cyber attack occurs.

Who Should Be Responsible For Cybersecurity?


This article was originally posted on CSO Online
By Andrew Douthwaite, Vice President of Managed Services
The news today is flush with salacious stories of cyber-security breaches, data held hostage in brazen ransomware attacks, and compromised records and consumer information. So too has the fallout become increasingly familiar: broken trust, ruined brands, class-action lawsuits, and prolonged periods of finger-pointing.
In September 2017, news broke that consumer credit reporting agency Equifax had suffered a catastrophic breach the preceding May. Hackers gained access to the personal data of nearly 150 million American citizens – roughly two-thirds of the country’s population – including full names, Social Security numbers, addresses, and dates of birth. The swiftly unfolding scandal sent the company’s stock plummeting 33%, a market value loss of approximately ten billion dollars. Currently, three Equifax C-Suite managers are under federal investigation for allegedly dumping stock prior to disclosing the breach.
The digital sphere has always been rife with pathogens. Elk Cloner ravaged Apple IIs by way of contaminated floppy disks in 1981, and Brain infected IBM PCs in 1986. Initially little more than nuisances concocted to spread chaos and frustration, today malware is a primary tool of lucrative (if fragmented and decentralized) criminal enterprises whose foremost goal is financial gain through extortion and embarrassment.
The high-profile nature of certain attacks – Equifax, Anthem, Home Depot, Yahoo, Sony, and Uber, to name a few – obscures the fact that while the form, scale, and intent of attacks tend to vary, the threat looms over organizations of every stripe and size – private, public, and not-for-profit alike – in every corner of the globe. Colleges and universities have fallen prey to costly ransomware attacks, havoc has been wreaked on banks in Italy, Canada, and Bangladesh, and Russian hackers hijacked the 2016 federal election through a simple phishing scam. Such attacks are alarmingly easy to design and deploy. Phishing, for example, requires only a single distracted click on a link in an email or text. Once the automated malware has gained a toehold, systems and networks can be crippled in a matter of minutes. 
Standing vulnerabilities are being exacerbated by the growing centrality of digital media in our day-to-day lives. The proliferation of devices means a multiplication of exploitable entry points, as does data stored across networked, hardware and cloud-based platforms. The more sprawling the company or organization, the more exposed it may be, necessitating cyber-security strategies that cover partners, manufacturers, and suppliers. Not only are new dangers always emerging, but they can occur because of easy-to-make mistakes such as forgetting to update your OS, or through portals as unlikely as an IoT-enabled fish tank.
The crisis is as widespread as it is confounding to combat. Perpetrators not only employ an ever-expanding suite of tools and tactics, and target bounties ranging from consumer data to proprietary assets, but they are driven by mercurial motives. Some hackers espouse anti-corporatist ideologies, some are astutely transactional, and others still – Anonymous for example – are first and foremost retaliatory. Add to these slippery intentions a lack of territorial affiliation, and one can see how present-day cyber-foes are diabolically tricky to identify, much less apprehend and prosecute.
All indications are that cyber-crime is in its infancy, a phenomenon that will only intensify. CNBC recently reported that in the first half of 2017, the number of attacks spiked 164% compared to the same period in 2016, entailing 918 disclosed data breaches resulting in nearly two billion compromised records. The report suggests that this increase is partly attributable to new regulations pertaining to corporate transparency, including the EU’s GDPR and the UK’s Data Protection Bill. This legislation coincides with the establishment of government agencies tasked with policing these fraught digital landscapes, such as the Cyber Threat Intelligence Integration Center in the U.S.
Yet the urgency with which governments are working to enforce transparency and security stands in stark contrast to the reluctance demonstrated by businesses to recognize and react to so significant a threat. One need only look at the typical IT budget to recognize how little the gravity of the crisis has sunk in. Even though companies across all sectors rank cyber-security as their most pressing issue, and despite an upward trend in spending, the typical cyber-security budget is profoundly underfunded. According to Steve Vintz of the Harvard Business Review, “IT budgets are typically 3-7% of a company’s revenue, and security budgets are typically 5% of IT spend.” In other words, the average company allocates just over 1% of revenue safeguarding against potentially catastrophic attacks.
This lopsided spending reflects, perhaps, a longstanding disinterest exhibited by financial stewards toward IT issues. It’s the number crunchers versus the nerds, the former obsessed with spending and bottom lines, the latter always on the lookout for shiny new toys to tinker with. The VP Finance or CFO, therefore, assumes the attitude of a parent reining in an indulgent child, rather than a collaborator working toward mutual goals. Fissures such as these have the unfortunate effect of relegating cyber-security to the IT silo, with the CFO punting the ball to (often already overtaxed) technical divisions and managers, then washing their hands of further responsibility.
C-suite abdication reveals a central but oft-overlooked error, one baked into the term “cyber-security” itself: though traditionally tucked away under the IT umbrella as a security concern, many if not most of the consequences of cyber-attacks are monetary, with severe and long-lasting financial implications. Though difficult to tally, a 2017 study by Centrify and the Ponemon Institute pegged the average cost of a data breach at $4 million, the average stock price drop at 5%, and the average revenue decline at $3.4 million. And this is to say little of the embarrassment of suffering an attack – looking weak and ill-prepared, the erosion of consumer trust and confidence, and a tarnished reputation and brand – much less lawsuits. Target paid $18.5 million after a cyber-attack put the data of sixty million of its customers in peril, and Anthem was slapped with a $115 million penalty. Fortune magazine writer Jeff Roberts predicts that Equifax will pay out approximately a billion dollars to settle suits resulting from its attack.
Moving forward, a chief concern must be not only how CFOs can participate in the design and implementation of cost-effective cyber-security systems and protocols, but more importantly how they can take the lead in fostering company-wide cultures of cyber-awareness, vigilance, and preparedness. Clearly, cybersecurity is everybody’s problem. High time this truth was recognized starting with the executive suite on down.

VirtualArmour Finalizes USD$1.5M Contract Renewal with Existing Client

VirtualArmour was taken private in Q3 2021. These legacy press releases are kept online for informational purposes. VirtualArmour is a proud member of the Evergreen Services Group family of companies.

VANCOUVER, British Columbia, Jan. 25, 2018 (GLOBE NEWSWIRE) — Premier Managed Services Provider, VirtualArmour International Inc. (the “Company”) (CSE:VAI) (3V3:F) (OTCQB:VTLR) announced today it had finalized a three-year contract for the expansion of enterprise infrastructure management with an existing client in the global technology solution provider industry.
This expanded contract has a total value of USD$1.5M over its term and its scope includes the security monitoring, investigation, response and triage for the company’s 80+ locations across nine countries.
“The focus on prevention is growing within our client base and our dedication to delivering a personalized service experience is what has allowed us to continue to grow and to retain our clients in a competitive marketplace,” said Kyle Duffy, VP of Customer Experience at VirtualArmour. “Being a trusted partner has become even more critical when the impact of a breach doesn’t just impact operations, but the brand and its balance sheet. We continue to focus on integrating with our clients at the deepest levels and assist them in adopting a true, company-wide security culture.”
Due to the sensitivities inherent within the industry, VirtualArmour’s policy is not to disclose specific client details in press releases.

About VirtualArmour

VirtualArmour is a global cybersecurity and Managed Services provider that delivers customized solutions to help businesses build, monitor, maintain and secure their networks.
The Company maintains 24/7 client monitoring and service management with specialist teams located in its US- and UK-based security operation centers (“SOC”). Through partnerships with best-in-class technology providers, VirtualArmour delivers only leading hardware and software solutions for customers that are both sophisticated and scalable, and backed by industry-leading customer service and experience. VirtualArmour’s proprietary CloudCastr client portal and prevention platform provides clients with unparalleled access to real-time reporting on threat levels, breach prevention and overall network security.
VirtualArmour services a wide range of clients – which include those listed on the Fortune 500 – within several industry sectors, in over 30 countries, across five continents. Further information about the Company is available under its profile on the SEDAR website, www.sedar.com, on the CSE website, www.thecse.com, and on its website www.virtualarmour.com  

Company Contact:

Nick Dinsmoor
Vice President Strategy and Marketing
Office: 720-644-0913

Media Contact

Josh Stanbury
Office: 416-628-7441

Forward-Looking Information:

This press release may include forward-looking information within the meaning of Canadian securities legislation. The forward-looking information is based on certain key expectations and assumptions made by the management of VirtualArmour.  Although VirtualArmour believes that the expectations and assumptions on which such forward-looking information is based are reasonable, undue reliance should not be placed on the forward-looking information as VirtualArmour cannot provide any assurance that it will prove to be correct. These forward-looking statements are made as of the date of this press release and VirtualArmour disclaims any intent or obligation to update publicly any forward-looking information, whether as a result of new information, future events or results or otherwise, other than as required by applicable securities laws.

VirtualArmour Pursues New & Growing Market with Strategic Partnership


Vancouver, B.C. – (January 17, 2018) Premier Managed Services Provider, VirtualArmour International Inc. (the “Company”) (CSE:VAI) (3V3:F) (VTLR:OTCQB) announced today that it has finalized a strategic sales partnership agreement with leading IT solutions consultancy Alacrinet.
With six offices spanning the United States and one location in Puerto Rico, Alacrinet provides digital and cybersecurity consultancy services to a host of notable brands which include the USDA, US Department of Energy, Activision and Uber.
The agreement will see Alacrinet and VirtualArmour act as strategic partners, expanding the range of service offerings both organizations are able to offer and jointly pursuing commercial opportunities across the Western United States.
“With enterprise businesses compelled to stay ahead of the growing cybersecurity risks being faced, the need to implement and manage a complete security approach, able to robustly protect and remediate attacks, is no longer an option, but a requirement,” said Brian Bouchard, President and CEO of Alacrinet. “We are proud to partner with VirtualArmour, a company with a high level of specialist experience and expertise in protecting critical data and infrastructure.”
“We are very pleased to have finalized this partnership agreement with Alacrinet. With their extensive reach, strong industry relationships and impeccable reputation within the security consulting space, we see this as a great opportunity to drive growth for both companies. It will enable us to immediately access new business development opportunities and notably, give us the ability to target, and deliver a more comprehensive set of services to a new base of larger enterprise customers,” said Russ Armbrust, VP of Sales at VirtualArmour.

About VirtualArmour

VirtualArmour is an international cybersecurity and Managed Services provider that delivers customized solutions to help businesses build, monitor, maintain and secure their networks.
The Company maintains 24/7 client monitoring and service management with specialist teams located in its US and UK-based security operation centers (“SOC”). Through partnerships with best-in-class technology providers, VirtualArmour delivers only leading hardware and software solutions for customers that are both sophisticated and scalable, and backed by industry-leading customer service and experience. VirtualArmour’s proprietary CloudCastr client portal and prevention platform provides clients with unparalleled access to real-time reporting on threat levels, breach prevention and overall network security.
VirtualArmour services a wide range of clients – which include those listed on the Fortune 500 – within several industry sectors, in over 30 countries, across five continents. Further information about the Company is available under its profile on the SEDAR website, www.sedar.com, on the CSE website, www.thecse.com, and on its website www.virtualarmour.com

About Alacrinet

Alacrinet is a Palo Alto-based Security and IT consulting company, focused on delivering customized solutions in all areas of IT solutions. 
 
Alacrinet assembles great technology to create customized solutions for a wide range of clients. As Digital Curators, Alacrinet’s team listens to clients and to leading industry analysts to ensure they are developing their skills and delivering solutions using the best technologies in the market. They take the time to sort through the ever-evolving resources and services available before choosing the most fitting and effective tools for our customers.
 
As the technology industry has evolved, from the early days of website design through personalization, mobile computing, Big Data analytics, and the Cloud, the Alacrinet team has developed their skills to always stay one step ahead. With the increasing need for cybersecurity, our team of highly-trained experts are prepared to help clients find the right solution in SIEM, Endpoint Management and Security, Data Security and Application Security. Further information about their team is available under the company profile on LinkedIn, www.linkedin.com/company/703222, and on its website www.alacrinet.com