Forbes Newsletters

Plus: How To Cope With Deeper And Costlier Ransomware Attacks

BECOME A MEMBER • Newsletters • MyForbes

Ransomware is getting much more expensive for companies. New data from cyber risk solutions company Resilience found that in the first half of the year, the average cost of a ransomware attack was up 17%. On its own, this is a sizable increase—but it’s more notable considering that the number of companies in Resilience’s portfolio reporting attacks was down by more than half. In short, cybercriminals are targeting fewer companies, but getting much deeper into victims’ finances.

The new depth of attacks comes through better honed methods. The report said that cybercriminals are using AI for social engineering—including more convincing phishing emails, infiltrating browser-based systems, and impersonating actual employees. They’re also doubling up on ransom demands: asking for one to decrypt data, and another to prevent public release. And the criminals are using their access into a victim’s system to find their cyber insurance policies, using those to set the bar for how much they should demand.

“Financial incentives are driving cyber criminals to be more clever and creative, and companies are facing larger losses than ever before,” Vishaal “V8” Hariprasad, Resilience cofounder and CEO, said in a statement. “Cyber crime comes in waves. Attackers exploit a tactic until defenders catch up, then pivot to new weaknesses. Understanding the financial consequences of attacks and the most common points of failure is paramount to stopping that fallout at the root.”

Avoiding devastating attacks is key. Resilience suggests companies use new defensive strategies to face these specific threats: Keep data encrypted by default, making it harder for thieves to use; and utilize more protection to keep cyber insurance policies secure. Continuing anti-phishing training, as well as better training for employees who would respond to impersonation attempts, will also help maintain security. And more rigorous vetting of vendors’ cybersecurity systems can also assist in keeping your own company’s information safe.

Cybersecurity incidents can be especially devastating when payment systems and financial records are targeted, but new global developments and customer expectations are creating a host of new potential points of attack. I talked to Ed Woodfield, CISO of global corporate payment platform PayQuicker, about what some of these threats are and what to do about them. An excerpt from our conversation is later in this newsletter.

If you like what you read here, you can easily share it online and on your social media pages. This newsletter, and all previous editions of Forbes CIO, can be found on our website here.

Megan Poinski Staff Writer, C-Suite Newsletters

Follow me on Forbes.com

In today’s CIO newsletter:

First Up: Nvidia-Intel deal brings computing’s past and present together

CIO Strategy: Today’s executives are under huge pressure and self-care is paramount

Bits + Bytes: How to balance technology and business when determining cybersecurity spend

BIG DEALS

Nvidia

The U.S. government isn’t the only heavy hitter taking a stake in struggling chipmaker Intel. AI titan Nvidia, the world’s most valuable company, is acquiring $5 billion in Intel shares. Nvidia announced a new partnership with Intel to accelerate AI development: Intel will build personal computing chips that integrate Nvidia’s GPUs, as well as custom CPUs for Nvidia to integrate into AI infrastructure platforms in data centers.

Intel, once a titan in computing, has seen its fortunes fade in recent years as technology has become more sophisticated. CEO Lip-Bu Tan has been working to reinvigorate and refocus the chip maker since he took the helm in March, laying off employees, slowing down new facilities, and focusing on finding customers before increasing manufacturing capacity. As the U.S. seeks to expand its lead on AI technology development, the federal government has been offering a hand to Intel. Under former President Joe Biden, the company had been promised close to $11 billion to support its manufacturing facilities as part of the CHIPS Act. President Donald Trump rescinded the funds in that legislation, and instead brokered a controversial deal last month for the federal government to take a 10% stake in the company.

The Nvidia deal brings together two industry leaders to collaborate on technology. Both have strengths, knowledge and clout to bring more to the space.

“This historic collaboration tightly couples NVIDIA’s AI and accelerated computing stack with Intel’s CPUs and the vast x86 ecosystem—a fusion of two world-class platforms,” said Nvidia CEO Jensen Huang. “Together, we will expand our ecosystems and lay the foundation for the next era of computing.”

So far, the deal has boosted stock prices for Nvidia and Intel—especially Intel, which has seen a more than 28% jump on Thursday morning. Analysts say it may move the S&P 500 to an all-time high later today.

CYBERSECURITY

STEFANO RELLANDINI/AFP via Getty Images

CrowdStrike has been investing in AI enhancements to its cybersecurity platform. Last month, the company announced it was acquiring real-time telemetry monitoring company Onum for $290 million, and this week, a deal to acquire AI security platform Pangea was announced. Forbes senior contributor Tony Bradley covered both of the announcements.

At CrowdStrike’s Fal.Con event this week, cofounder and CEO George Kurtz said in a keynote, “The age of AI is here. It’s hard to debate that. But what does it really mean from a security perspective? It’s certainly transforming cybersecurity, but it’s transforming the adversary as well—the speed, the scale, the sophistication, the deception, the adaptation.”

By bringing Onum under the CrowdStrike umbrella, the company’s president Michael Sentonas told Bradley that it will be able to “get closer to the source of the data and then work with that data as it’s being sent.” CrowdStrike says this integration can deliver 70% faster incident response, and up to 40% less ingestion overhead, bringing data into the system that is smaller, smarter and more actionable.

Pangea’s technology uses AI technology to protect every layer of a company’s enterprise AI systems, Bradley writes. This will help CrowdStrike extend its Falcon platform—which received a major AI-enabled upgrade designed to improve speed and scale—to better protect data that trains models, as well as the AI models themselves.

CIO STRATEGY

Getty

It’s been a challenging year for business across the board, which can lead to stress and burnout. I spoke with David Astorino, a senior partner at RHR International, about the executive coaching he’s done this year, trying to help executives better deal with the pressures of today. In my interview, more fully featured in this week’s Forbes CEO newsletter, he outlined how executives first need to get themselves to a place where they are in balanced physical health—not skipping sleep or eating unhealthy food, but not burning their bodies out with extreme training either.

Next, they need to work on their mental health by talking with someone about the challenges they are facing. “We want CEOs showing up as emotionally attuned as possible, whether that’s showing up to inspire you on the vision of the company, or to be a little tougher on the performance,” Astorino said. “How I do that is so critical because it just cascades and has ramifications throughout the whole company.”

And finally, executives need to realize that—especially right now—they have an impossible job. That realization, Astorino said, can help them understand that they have to let go of the wheel a bit; working harder or doing more won’t solve all of the issues they face today.

“That’s hard for people,” Astorino said. “Who wants to be a CEO? Who wants to be a business leader? They want to solve problems. They want to win. They’re competitive and they are ambitious, and they want to have the mantle of responsibility.”

“And so you have to allow a lot more space to tolerate things that I cannot control,” he said.

PayQuicker CISO Ed Woodfield. PayQuicker

BITS + BYTES

How To Fight Cybersecurity Risks In Online Payments

In today’s world of e-commerce and fintech, many transactions happen online. And just like anything else that’s online, there are many cybersecurity risks associated with this line of business—threats that can be much worse for a business since they involve its finances. I talked to Ed Woodfield, CISO of global corporate payment provider PayQuicker, about the challenges of cybersecurity in this area and potential solutions for the future. This conversation has been edited for length, clarity and continuity.

What makes cybersecurity in this area so difficult, and are there any ways to make it easier?

Woodfield: We rely on partners a lot, right? We need payment processors, banks, and you have regulatory stuff, but there’s a lot of vendors involved with that as well. Working on those partnerships, that’s nice to put things on paper, but paper controls don’t protect your loss as much.

If you’re using APIs where there’s not human intervention, you can do things built into the API. You can put protections in there, you can update the API with partners, and that’s immediate and built in. But there’s still going to be manual interactions. People are going to have portals to do stuff and look at things, but people don’t want to use portals as much. They want to be able to tap a phone and just do things.

I think the move to people not wanting to go to portals is going to help be able to do things more in an automated way quickly, and that is one of the ways to constrain the effects of fraud—and to be able to do it dynamically.

Feedback loops on AI are okay, but some AI LLMs are trained with a knowledge date: a cutoff date of their knowledge from version to version, even though they’re taking in new data and still training for the next version. It’s not immediate. There’s still a lag. There are some learning capabilities, and that’s what people are working on as they go along.

So there’s still going to be people—whether it’s in fraud or financial planning—that’ll have to manually deal with the strategy and how to approach different concerns. Even after you select those choices, they take a while to be implemented. There’s always a delay, and it’s hard to do this.

I think every once in a while, there’s something that motivates changes in applications, APIs and regulations all at once to say: ‘Okay, we’ve seen this enough. We have to do something about it.’ But that doesn’t happen now. Everyone’s doing their own thing, whether it’s the U.S. versus the EU doing different regulations, or it’s a focus on consumer rights. Open banking is a big concern, not only [because] you’re going to be sending financial data all over the place, but also because it costs money.

What should somebody in charge of tech and security make sure their CEO and CFO know about moving forward with electronic payments?

[There are] multiple facets. There’s the payment channels themselves that you have to worry about, and you absolutely must get on the automation and AI bandwagon. The adversaries are going to be using it and you can fall behind, so learn AI and embrace it, learn how you want to constrain it.

Partner with strong partners that will do that for you as well. Third-party risk is the bane of my existence, but it is very important to have these partners because they focus on certain issues. They are there because they’re experts in it. And if you don’t do it, you’re going to have a big cost to bring it in house.

When it comes to general cyber protections, phishing is the root of all evil. Stats say from 70% to 90% of ransomware has really started with phishing. Business email compromise [has also] evolved. Now it’s focused on vendor email compromise—about twice as often as business email. All that starts with phishing. On the enterprise side, [your job] mostly is to make sure your employees aren’t doing bad things. If your employees get compromised, then your systems could get compromised.

A lot of that focus on phishing is just security awareness. We repeatedly send things out to our employees, even if it’s more of a personal thing, not a business-related security issue. We’ll send articles and other things to them constantly to put them in the mindset of thinking in a secure manner. We leave it open. This is a no-judgment zone for us. If people think they did something, you just tell us. We’re not going to yell at you. People report stuff to me all the time, and we encourage that security culture. Building a security culture, especially to protect yourself from phishing, is the No. 1 thing to do to protect your business.

From an application perspective, a lot of people are in the cloud now and they don’t necessarily have good cloud protections. The CSPM and CWPPs have evolved into CNAPP. It’s a cloud native app protection [platform]. It’s the full bubble of cloud protections: not just your infrastructure protection and monitoring, but protecting your workloads as well.

You’ve got to have good cloud protections. A lot of people think you put it in the cloud, it’s all done. It’s not quite that easy. You still have to monitor, and monitoring is probably the hardest part of all the cyber worlds because it’s a lot of data to go through.

There are so many issues that are coming up with payments: payments in general, payments by different methods, payments across borders, different national and geopolitical protocols that need to be followed. And identity means something different everywhere you go. What do you see as the solution, and do you see it as something that gets resolved in the near future?

The technical stuff is the same as always has been done for technical solutions: You analyze a problem, you gather data, you put out a solution and see how that works, and you keep doing that repetitively. It’s a circular effort of improvement. From the business side, you should be involved with that.

I think there sometimes is a disconnect on the technical side and the business side. Make sure that you see when you’re making certain changes: How does that improve your bottom line? Does that reduce your fraud cost? CFOs have always had a problem with fintech. They’ve got that balancing act of trying to figure out how much to balance spend to combat fraud: This new tool will save us $1 million when we had $2 million of fraud before and then it cost us half a million.

Okay, that’s great. It works out. But the old saying is, you don’t put a $10 fence around a $1 cow. You can’t afford to throw tons of money at this. You’ve got to do this iteratively, technologically or financially. The key to this is the financial side should know exactly what you’re doing in your fraud programs and your technical programs so you can quantify how it has affected your bottom line. Then you just have to keep doing it.

I don’t think it’s much different than normal. It just happens so much faster right now. This is why we have to pay attention to AI and automated techniques: You have to embrace those, or you’re going to fall behind business-wise.

COMINGS + GOINGS

Data solutions provider Hitachi Vantara Federal appointed Majed Saadi as its chief technology officer. Saadi was most recently the VP of growth and technology at Synergy Inc., and has also worked in leadership at General Dynamics IT.

Project management platform Smartsheet named Ravi Soin as its new chief information security officer. Soin previously worked as the CIO and CISO at Edifecs. He serves on the SeattleCIO advisory board and was recently honored as Seattle CIO of the Year.

Identity security platform CyberArk promoted Omer Grossman to a new role as chief trust officer and head of CYBR unit. Grossman joined the firm in 2022, and Ariel Pisetzky will succeed Grossman as Chief Information Officer, joining the company from Taboola where he was vice president of information technology & cyber.

Send us C-suite transition news at forbescsuite@forbes.com.

STRATEGIES + ADVICE

AI technology is quickly becoming ubiquitous and is perpetually being relaunched and able to do brand new things. This can put businesses and employees on a treadmill dialed up to the top speed, rushing to keep up. It may be better to slow it down a bit and apply human logic and deliberation to AI, really thinking about what your enterprise actually needs to work better.

Studies and research into tech can be useful to help you figure out how things are working and where problems and solutions lie, but much of that research may be paid for by wealthy tech companies that could have an outsized influence—and benefit—on the narrative. Always consider these kinds of inherent biases when you look at research.

Quiz

New technology that Meta showed off on Wednesday night boosted its stock on Thursday morning. What got investors so excited?

A.	AI audio translation of videos and Reels on Facebook and Instagram
B.	A new model of AI-powered smart glasses
C.	Meta Quest jewelry and shoelaces to enhance movement in the metaverse
D.	An interactive gaming portal on Facebook

Check if you got it right here.

More From Forbes