Breaches in cyber security can be detrimental to the health of enterprise organizations and SMBs alike. Not only are they financially devastating, but they also erode consumer trust. The advent of widespread distributed teams in 2020 added an additional layer of risk, and cyber criminals took notice.
Data breaches are no longer a matter of if but when, and they are killers of productivity. According to a 2021 Norton cyber safety insights report, globally, victims of cybercrime spent nearly 7 hours resolving each breach, resulting in a total global loss of 2.7 billion working hours.
Boston-based growth equity firm Volition Capital has dedicated an entire team to research, vet, and ultimately invest in cybersecurity startups that are committed to making premier cybersecurity adoption a standard practice in every organization.
To better understand which organizations are on the bleeding edge of protecting enterprises against cybercrime and what enterprise leaders should be focused on now to prevent cyber-attacks in 2023, I caught up with Sean Cantwell, managing partner at Volition. Specifically, Sean and I touch on how to mitigate the biggest threats facing IT teams today and the strategies your organization can employ today to secure your data immediately.
Gary Drenik: Sean, I want to understand what’s happening generally in the larger cybersecurity sector. Can you tell me more about Volition Capital’s investment philosophy, especially when it comes to cybersecurity?
Sean Cantwell: Over the last several years, we’ve seen a few key events catalyze the improved sophistication and frequency of cyber-attacks. Largely, the enterprise is relying on cloud and hybrid cloud environments, which is creating new challenges around data privacy that require new solutions. We are working remotely on more devices than ever and across the enterprise, there is a shortage of security talent to keep up with the demand.
It was interesting to see in a recent Prosper Insights & Analytics survey that more than 40% of people, across generations, have denied permission for mobile apps to track them, in an effort to protect their digital privacy. This indicates to us at Volition that as consumers become more concerned about their digital identity, enterprises will have to take big steps to protect sensitive data or risk losing consumer trust.
[Figure: Prosper – Protecting Digital & Online Privacy]
For these reasons, Volition Capital is looking for the right solutions that are going to fill these gaps. Specifically, we are investing in cybersecurity technology that can proactively protect, intelligently detect, and automatically respond to cyber threats and vulnerabilities. We believe the conversation about cybersecurity is only getting started and there is a huge opportunity for growth in this area.
Drenik: In your opinion, what’s the greatest cybersecurity risk that enterprise organizations should be aware of today?
Cantwell: With the onslaught of distributed work, the rapid expansion of SaaS usage and the prevalence of IoT devices, enterprise organizations have security vulnerabilities everywhere you look. We firmly believe that your organization is only as strong as your weakest link whether that is a vendor you work with or a login on a personal computer.
In fact, one of the largest security breaches in recent history can be traced back to third-party vendor vulnerabilities. If you remember in 2013, Target compromised 40 million customer records that included sensitive financial data like credit card numbers. The breach was linked to malware that got into the Target point-of-sale system through emails from a small third-party HVAC provider, Fazio Mechanical.
Drenik: Target certainly saw some breakdown in consumer trust after that. In fact, I think in 2013 they were the U.S.’s third-largest retailer, which is not the case today. Knowing how long it takes to recover from such a detrimental attack, what can enterprises do to protect against this?
Cantwell: Enterprise organizations need 24/7 cybersecurity monitoring, but constant manual vigilance is unrealistic—especially given the shortage of IT talent. This is where CISOs should look to invest in SOC-as-a-service software that adds an extra layer of security to what IT teams are already doing.
We work with a company called BlackKite and believe that they solve a real problem in the enterprise—identifying the security blind spots created by third-party vendors that we talked about with the Target example. Using software like BlackKite brings visibility to those weak points by using technology to approach them from a hacker’s point of view and adapt organization-wide security changes to protect against them.
Drenik: With consumer trust, and ultimately revenue on the line, what can enterprise organizations do to communicate to their customers and clients they are taking data privacy seriously?
Cantwell: Yes, so we know from survey data from Prosper Insights & Analytics that consumers are becoming wary of how their data is used. 60% of adults don’t like it when social media sites, search engines, mobile apps, etc. take their personal, online, and mobile location data and allow advertisers to use it to send them targeted advertising. Communicating how you record and use consumer data should be part of your security strategy.
[Figure: Prosper – See Legislation That Prevents Social Media From Selling Personal Data]
A few key things can help you do this and concurrently build more trust with your customers and clients. Internally, focus on building a cybersecurity-centric culture and stress the importance of attention to cybersecurity across all divisions. At Volition, we do this by adopting a zero-trust security model. You can also build trust by clearly communicating how you use your customer data and by offering opt-in or double opt-in options for all of your client communications.
Drenik: Sean, you’ve been really helpful in breaking down what enterprise organizations need to think about when it comes to cybersecurity. Finally, if an organization doesn’t have a set cybersecurity strategy and has no idea where to start, what should they do first?
Cantwell: As early as you can start weaving cybersecurity into your process the better. For those organizations that are developing code, whether for internal or external use, cybersecurity should be considered a core ingredient—not a layer that is added on at the end. If your cybersecurity is designed to function with your applications, you will be more protected against external threats.
For SMBs, thinking about cybersecurity is critical. In 2019, a study from the National Cyber Security Alliance found that of small businesses with less than 500 employees, 10% were forced to close after suffering a cyber-attack. Small businesses don’t have the resources to revamp their security protection like Walmart or Amazon do, but business leaders should look at all of the things we’ve talked about today, consider which vulnerability is the most pressing and address that first.
Drenik: Thanks, Sean. Your insights have been very valuable. We appreciate your time.