There’s no denying it; cyber security breaches will happen. Building higher “cyber walls” or deeper moats may delay some would-be attackers, but a determined hacker will eventually get in and access your sensitive data. Often, it is the data that you are not aware of that creates significant liabilities for your company.
“It is evident that many companies are investing in cyber security initiatives without fully comprehending the value of the data they have, generate or acquire that would be valuable for threat actors or malicious employees because they have not performed a Data Risk Management assessment,” says James Oliverio, the Founder and CEO of ideaBOX, which utilizes a concept of Cyber Risk Quantification called ROM (Return on Mitigation), a process that enables businesses to evaluate their operational, reputational, legal, and compliance risks in terms of dollars. This approach allows CEOs and boards to easily comprehend the information and approve strategic plans to minimize risks.
Oliverio has a background in IT and climbed the ranks to become the CIO of an investment bank. After leaving the financial sector, he established an IT Managed Services company he later sold and then earned a Harvard certification in Cyber Security Managing Risk in the Information Age, which he now applies expertly at ideaBOX.
“The ideaBOX concept is centered on Return on Mitigation or ROM,” says Oliverio. “We use ROM to measure the potential financial impact of a breach in terms of a client’s business, operational, reputational, legal and compliance risk. When you think about cyber, what are we protecting? We’re protecting the client’s data. And we’re doing it at the file level, not at the container level.”
The company provides a range of services that includes data security with encryption, cyber-awareness and phishing training, a 24-by-7 monitoring Security Operations Center (SOC), Fractional Chief Information Security Officer (FCISO) as a service, and planning and utilizing the NIST Frameworks.
NIST is an acronym for the National Institute of Standards and Technology, which is part of the U.S. Department of Commerce. The NIST Risk Management Framework “provides a comprehensive, flexible, repeatable, and measurable 5-step process that any organization can use to manage information security and privacy risk for organizations and systems.” It can help organizations identify, protect, detect, respond and recover in the event of a breach.
The company also offers development and creation of a Written Information Security Plan (WISP) and access to actifile, a patent-pending software solution that provides, in a single pane of glass (an IT term for unifying data or interfaces across several different sources in a single view), advanced capabilities for detecting and measuring financial risk, safeguarding and overseeing sensitive data throughout an organization’s entire enterprise, and providing up-to-the-minute updates in a convenient dashboard.
“With the breaches in years past, Sony, Equifax, Yahoo! and the NSA, it’s always seen in the rearview mirror,” he says. “The companies say, ‘We didn’t understand the financial impact,’ or ‘We didn’t know what data we had,’ and then millions and millions of dollars of brand reputation go out the door because the organization didn’t focus on ROM – return on mitigation. That’s our secret sauce at ideaBOX. It’s our way of shifting the conversation from ROI to ROM.”
Oliverio explains there are many ways companies leave themselves vulnerable to cyber-attack, and the perpetrators are not usually individual people. They’re well-funded nation states outside the U.S., and it’s a very lucrative business. Not being prepared for this creates tremendous risk, and some common business practices can amplify that risk.
“Trusting technology to one vendor, relying on the same vendors or internal staff to manage both system maintenance and cyber security can be very risky,” he says. “In the financial realm, you always have internal and external auditors. They’re two separate entities and the same holds true for businesses when it comes to cyber and operations.”
Oliverio stresses that it is vitally important to take the time to assess the operational, reputational, legal and compliance impacts to the business in the event of a cyber-attack, and that firms need to quantify the financial impact.
“Many companies – probably 70% – have not done the work to flesh out a full strategy,” he says. “They are flying blind. They also do not keep ahead of the threat landscape, the potential impact on their business and do not properly train their end-users. I like to use the analogy of airline operations when describing the situation. Every single time you get in an airplane, a pre-flight check of the entire aircraft is conducted by the ground crew and the pilots. If, once in the air, you experience turbulence or another issue, they have a plan and immediately put it in action. They follow a practiced, core framework, every single time.”
A breach could be thought of as flight turbulence. If a company has done all the planning and practice, they’re more likely to come out of it safely or with minimal fallout.
“Companies must have a plan, do table-top exercises, have advisors, always look to the data and train their end users,” says Oliverio. “Those are the organizations that will deal with breaches more effectively and will have lower premiums when it comes to cybersecurity.”
That isn’t the case for most, however, and when there’s a breach and a ransom is demanded, they go into reaction mode and, in a panic, decide paying the ransom is going to get them back in business the fastest, but the damage can still be catastrophic for their reputation and bottom line. IdeaBOX, through the deployment of actifile, can protect data at a file level and locate and encrypt your files, wherever they might be.
“It’s crucial for companies to safeguard themselves with firewalls, switches, and other infrastructure-related equipment to prevent unauthorized access,” says Oliverio. “While it’s impossible to completely prevent threat actors from infiltrating systems and obtaining corporate data, it’s essential to prioritize encrypting and securing sensitive data to minimize the impact of a breach. And as more companies use actifile, the algorithm improves and becomes smarter at scanning for sensitive data.”
Actifile is essentially a tool and a solution – it’s a platform that can find your sensitive data, quantify it against a risk profile and a dollar amount, show you where that data is and who’s touching it, and give you the ability to encrypt it behind the scenes to secure it without any end-user interaction.
“When actifile approached me months ago and described what it could do, I was skeptical,” he says. “But we ran it against my personal machine, which happens to be my business machine, and it lit up with millions of dollars of risk as I clicked on the interface. I couldn’t see the actual data but it showed file locations outside of my system in a Dropbox. It wasn’t my Dropbox; it was my attorney’s. When I dug deeper, I realized it was information from companies we purchased seven and eight years ago. We did due diligence at the time – background checks, credit checks, etc. – and all that information was just sitting there, now seven years old. The light went off. It shows it in the risk but more importantly, it shows you where the files are, who has access, who’s touching them, etc.”
It can also show you if the files have left your systems. For instance, it can show if sensitive materials went out the door via former employees, and then you can turn on encryption so anything stolen is useless to the other side. “The bottom line,” Oliverio concludes, “building higher and thicker cyber walls is a never-ending process, but you can render any stolen information useless by encrypting it at the file level.”
Copyright © 2022 California Business Journal. All Rights Reserved.