When the outbreak of the pandemic moved school, business and socializing online in 2020, the platform Zoom, whose user base increased 20-fold in three months, saw a large increase in cyberattacks and data breaches. This phenomenon was, and is, not confined to Zoom; any company experiencing rapid growth, or increased attention, is also at greater risk of cyberattacks. That partly explains why there was a sharp increase in attacks on the healthcare sector, which obviously became more prominent during the pandemic, and why attackers used ransomware against fitness brand Garmin, which had seen several successive years of business growth. Acquiring a new company, hiring more employees, entering new markets and verticals: all of these expand the attack surface, and any change in situation — or planned change in situation — requires a new quantification of cyber risk.
Because cybersecurity is a cornerstone of growth, the CISO should be participating, along with other executives, in any discussions involving growth. Whether a company is growing from within, by hiring more employees or making acquisitions, or from the outside, by expanding its markets and customers, the CISO and cybersecurity need to be at the heart of the discussion, alongside the traditional C-suite executives and the traditional risks, including competition, regulatory concerns, and the level of consumer demand.
Risks When Acquiring a New Company
Cybersecurity has become a standard part of evaluating risk when buying a company in recent years; it increasingly affects deal prices as well. But it is also key to continue such cyber evaluations even after the deal closes. This means actually digesting and addressing the risks revealed during the due diligence stage, and protecting the larger attack surface.
Every organization has three main elements when it comes to cybersecurity, or any other topic: people, processes, and technology. All three need to be worked into defending the expanded attack surface. This means training the staff of the newly absorbed company, so there is a shared understanding of cybersecurity policies and risk. It also means merging or updating the protocols and work culture of the acquired company into those of the parent company, and, lastly, making sure that any technological solutions prioritize not just the riskiest areas but the protection of the most important assets. This last balance is constantly changing, especially in the post-merger period, so companies need to keep engaging in professional penetration testing (ethical hacking) of their networks, as well as in continued risk quantification.
Assessing Vulnerabilities During a Hiring Frenzy
Another aspect of hyper growth, especially at startups, is rapid hiring of new employees. This also expands the attack surface. On a basic level, more employees means more user accounts, more devices, and more software, especially cloud-based products, and, possibly, more physical locations to protect. Each new employee is a potential new path to an attack or data breach.
New employees are often easier targets for phishing attacks because they may not yet fully understand the communication norms and contacts at their new employer. A large number of new employees arriving at once raises the risk of falling victim to phishing attempts, which can set off a cascade of damaging events, including ransomware and supply chain attacks.
Despite the rush and pressure, companies need to take time for proper training, and also not neglect proper vetting of employees; a large new cohort of employees also raises the risk of insider threats.
Rapid Market Growth Attracts Hacker Attention
A major cyber risk that comes with market or user expansion is that attackers may perceive the company as a bigger or more lucrative target because of increased public attention, increased data, or growing revenue. Expanding into new verticals or geographic areas means not just understanding the increased risk, but also complying with more regulations, including privacy laws, obligations to report breaches to various bodies, and specific standards required for providing services to governments or the public sector. All of this requires planning ahead and appropriate budget allocation.
Clearly, cybersecurity has become not just an essential part of growth itself, but a key element of growth planning and strategy. Perhaps the biggest change for many companies in all of this is the role the CISO plays: rather than just overseeing current cybersecurity needs, the CISO plays a growing role in assessing overall business risk and expansion strategy. Just as organizations would never plan growth without the input of their chief operating, marketing, finance and product officers, they should not plan it without their CISO. The CISO is increasingly looking forward and outward, with the rest of the C-suite, as cybersecurity becomes a bigger piece of business expansion.