Waking up to find your company on the front page news and at the center of a data breach is every CEO’s worst nightmare—and for a number of businesses, it has become reality. Today, the threats from cybercrime are real and frightening, and the risks are extraordinary. Cybersecurity is an incredibly complex issue and business leaders are grappling with how to best protect their businesses, understand the new business vulnerabilities, and identify what steps they can take to protect themselves and their customers from becoming a victim of cybercrime.

There is a strong case for organizations to put protection from malware at the top of their risk agenda. In the past year, 43% of companies experienced a data breach. The average organization experiences a malware event every three minutes, and the costs of dealing with that malware can be astronomical. The International Data Corporation (IDC) estimates that enterprises spent $491 billion in 2014 as a result of malware associated with counterfeit and unlicensed software.

A threshold step to mitigating risk is gaining an understanding of your own network and if the software you are using is genuine and fully licensed. Unfortunately, many businesses are failing to take this basic and critical first step to protect themselves.

It has long been suspected that there is a connection between unlicensed software and cybersecurity threats. A new study commissioned by BSA | The Software Alliance and conducted by IDC confirms this as fact.

The study compared rates of unlicensed software installed on PCs with a measure of malware incidents on PCs across 81 countries. Given that 43% of the software installed on PCs globally in 2014 was unlicensed, it’s clear that many businesses are at risk. The findings were sobering. The correlation between the use of unlicensed software and malware is even higher than the correlations between education and income, or that between smoking and lung cancer. The implication for governments, enterprises and consumers is clear: assessing what is in your network and eliminating unlicensed software could help reduce the risk of cybersecurity incidents.

Fortunately there are proven best practices available to tackle the challenges around software licensing.  The world class standard for Software Asset Management is ISO/IEC 19770-1:2012. The importance of implementing internal controls for legal use of technology, including software, has become so critical that COSO now recommends it in its revised Internal Control – Integrated Framework.

While putting controls in place may sound simple, many businesses are missing this first step. Only 35% of companies have written policies requiring the use of properly licensed software. For CEOs, now is the time to start implementing best practices that will help mitigate security risks and avoid your business becoming tomorrow’s news headline. For more information on additional steps you can take, visit BSA’s website.

BSA Global Software Survey


Five out of six companies with more than 2,500 employees were targeted in cyberattacks in 2014, representing a 40% increase last year, according to Symantec’s annual Internet Security Threat Report. But by no means does that imply big businesses are the primary target: 60% of all targeted attacks struck small- and medium-sized organizations.

The spear-fishing and fraudulent email scams deployed in these hacks have also become more effective. Overall, 14% less email was used to infiltrate an organization’s network, yet 2014 saw a 13% increase in attackers as the cause of a data breach, and the total number of breaches rose from 253 in 2013 to 312 in 2014. This notable increase in precision is a clear indication that companies are not updating their defenses to match current threats.

Fortifying against cyberbreach continues to demand even more concerted effort as malicious actors grow more sophisticated, introducing more and better malware to their campaigns. “While advanced targeted attacks may grab the headlines, non-targeted attacks still make up a majority of malware, which increased by 26% in 2014,” Symantec reported. More than 317 million new pieces of malware were created last year, meaning almost a million new threats were released daily.

Changes in the top causes of data breach offer both good and bad news. While 13% more cyberbreaches were caused by attackers and breaches due to insider theft increased 3%, Symantec found that 15% fewer were due to accidental exposure, theft or loss.

Check out the infographics below for more of Symantec’s findings and insights on how hackers operate:

Symantec 2015 Internet Security Threat Report

Symantec Path of a Cyber Attacker



As we brace for another season of tornadoes, hurricanes, forest fires, earthquakes and floods, all businesses should be asking, “Is our data protected should disaster strike?” Or more simply, “What happens if we lose our data?”

Sadly, despite the fact that significant portions of the country are at risk for severe weather and other natural disasters, not all businesses are thinking pragmatically about catastrophic data loss and downtime, which can lead to staggering financial losses and impact productivity, reputation, regulatory compliance, and ultimately the bottom line.

According to a global data protection study released in December, enterprises are losing as much as $1.7 trillion annually through data loss and unplanned downtime. Data loss is up 400% since 2012, and two-thirds of the 3,300 organizations surveyed had experienced data loss in the last 12 months. Researchers found that although a high percentage of organizations had disaster recovery plans in place, surprisingly few had implemented data protection practices and fewer than half employed remote, cloud-based data protection. Seventy-one percent of organizations were not fully confident in their ability to recover after a disruption.

If your business is unprepared for a disaster, then act now to improve your resilience and mitigate risk. Plan for natural catastrophes and man-made disasters alike (such as theft, hardware failure, human error, system failure, computer viruses, power failure and accidental deletion).

Disaster preparedness begins with a business continuity plan. This serves as your playbook for staying in business following a disaster and it enables you to restore operations and communications systematically while helping minimize risk. Ask your IT department to incorporate the steps needed to safeguard your IT infrastructure from disaster, including backup and recovery measures.  In today’s highly-regulated environment, having a secure backup and recovery solution that meets the stringent requirements defined by Sarbanes-Oxley, Gramm-Leach-Bliley, HIPAA, FISMA, PCI, ISO and other regulatory standards is expected.

During this process, develop a clear understanding of where the cloud fits in and how it can help save time, money and resources.

Businesses are increasingly backing up their data and apps in a secure, off-site cloud environment (not in the physical office), because the cloud is faster than other options and typically offers the most protection at the lowest cost. Recovery in the cloud requires no travel and no extra hardware, and it offers extreme levels of reliability. Should disaster occur, a cloud solution allows the continuously backed up systems to be restored as virtual machines. All of the cloud’s benefits speak to why highly regulated businesses protecting sensitive data are finding that virtualization technologies make it simpler to comply with stringent security and compliance regulations governing electronic storage and access to data.

Here are seven steps to help businesses plan for data loss and downtime:

  1. Identify the risks. List and categorize all natural and man-made threats and their impact on various systems. Ask what would it take to knock out our entire network and how much unplanned downtime can our business sustain?
  2. Inventory IT assets. Which are most critical to maintaining business continuity? What’s our tolerance for loss of those assets? The cost of the response should be balanced against your tolerance for system downtime.
  3. Define goals. In a worst case scenario, how long can our business shut down? Does it need to recover off-site? Define goals in terms of RPO (Recovery Point Objective, “How much data can we lose?”) and RTO (Recovery Time Objective, “How long can we be down?”).
  4. Develop a plan. Include “IT Assets Inventory,” data protection procedures and contingency plans, notification/activation schedules, a list of roles and responsibilities, a list of resource requirements, and details about training provisions. Good plans include maintenance and backup/recovery testing schedules.
  5. Understand the cloud’s benefits. Virtualization technologies make backup and disaster recovery vastly faster, cheaper and easier. The combination of the cloud and the right backup and disaster recovery solution allows for continuous data protection (so the backups always run 24/7/365) as well as consistent compliance and security.
  6. Implement the plan. If executives understand clearly the consequences of system disruptions, you will win their support and funding for contingency policies.
  7. Test the plan. Continuous testing and plan updating helps ensure business survival.

{ 1 comment }

On April 1, the EEOC’s New York District Office issued a Determination finding probable cause to believe that the City of New York’s Department of Citywide Administrative Services (DCAS) violated Title VII and the Equal Pay Act based on its “pattern of wage suppression and subjective promotion based on…sex, race, and national origin.” In the accompanying conciliation agreement proposal, the EEOC demanded numerous forms of programmatic relief from DCAS (e.g., EEOC monitoring and notice postings) as well as back pay, future pay, compensatory damages and legal fees and costs totaling more than $246 million. For any employer, the EEOC’s position is one that ought to be heeded for “lessons learned….”

The Charge

The Communications Workers of America, AFL-CIO Local 1180 filed a charge of discrimination with the EEOC against DCAS in 2014 on behalf of a class of African-American and Hispanic women who were (or still are) employed as administrative managers in various NYC agencies. The Union asserted that a discriminatory pattern of wage suppression on the basis of sex, race and national origin exists as well as facially neutral policies governing assignment, promotion and wages that have a disparate impact on female African-American and Hispanic administrative managers. To this end, the Union alleged that the minimum salary for administrative managers—which is disproportionately paid to Hispanic and African-American women—has been frozen for many years whereas the maximum salary for administrative managers (positions held primarily by Caucasian males) has increased significantly.

In addition to arguing that the Union did not have standing to file a charge with the EEOC, DCAS denied the allegations of discrimination and provided “a small sample of administrative managers along with their gender, race, agency, salary, and description of their job duties in an attempt to demonstrate that administrative managers do not perform equal work.”

EEOC’s Determination and Proposed Conciliation Agreement

The EEOC agreed with the Union, opening that DCAS’ evidence “was insufficient” and did “not withstand scrutiny.” The EEOC also alleged that DCAS declined to provide certain requested information and “the Commission determines that the silence is an admission of the allegations in the charge, and exercises its discretion to draw an adverse inference with respect to the allegations.”

In addition to its Determination, the EEOC provided a proposed Conciliation Agreement to resolve the charge against DCAS. The Conciliation Agreement, were DCAS to accept it, would require DCAS to, at a minimum, award raises via “an annual step process;” increase the minimum salary for all administrative managers; and agree to “proper oversight, opportunity and enforcement of equal employment,” which would include the appointment of an EEO monitor; amended job descriptions with a revised posting and bidding process; and provision of tuition assistance to union members to “level the playing field” for union members so that they can “effectively compete with their white male colleagues in the workplace.”

With respect to monetary damages the EEOC demanded $188,682,531.00 in back pay, a new starting salary for administrative managers of no less than $92,117.00, $56,922,000.00 in compensatory damages under Title VII, and no less than $1,000,000.00 in legal fees and costs.

The EEOC gave DCAS until April 17, 2015 to provide a written counter-proposal or advise if it did not wish to engage in conciliation. Absent what it deems a “reasonable written counter-proposal” from DCAS, the EEOC warned that it may deem conciliation futile and fail conciliation.

Implications or Employers

The headline grabbing dollar amount requested by the EEOC in this proposed conciliation agreement is certainly staggering and catapults this case into the “one to watch” column. Furthermore, this confirms what we predicted in our EEOC-Initiated Litigation Report – that the EEOC is going to focus this year on recovering large settlements and verdicts to try to make up for low recoveries in fiscal year 2014. As DCAS has already publically stated that it intends on participating in the conciliation process, we will be sure to monitor developments. Stay tuned!

This post can also be found on the EEOC Countdown blog here.