Latest news with #corporatesecurity


Forbes
08-08-2025
- Business
- Forbes
How NIS 2 Redefines Cybersecurity Standards For Companies Worldwide
Prof. Dr. Dennis-Kenji Kipker is a cybersecurity expert and works as Scientific Director of the

In December 2022, the NIS 2 Directive was adopted in the European Union. Countless EU member states have already transposed it into national law, with most other European member states set to follow. This means the new cybersecurity directive applies to all companies doing business in the EU—and, therefore, to companies worldwide. It is well worth looking at the largest European legal act on cybersecurity to date, both to avoid fines and to strengthen your own corporate cybersecurity best practices. The NIS 2 Directive affects not only companies that are critical infrastructures but also all central economic enterprises, their suppliers and their digital supply chains. In this way, cybersecurity is becoming a task of general economic protection—a trend that characterizes the EU and that more countries worldwide are taking up. As many companies covered by NIS 2 pass on the increased cybersecurity requirements in their contracts, particular caution will be required in the future when providing evidence and documentation of their own cybersecurity standards. The directive affects companies from the following sectors:
- Energy
- Transport
- Banking
- Financial market infrastructure
- Healthcare
- Drinking water
- Wastewater
- Digital infrastructure operators
- IT service management
- Public administration and government institutions
- Space
- Postal and courier services
- Waste disposal

Additionally, it affects countless manufacturing companies, including chemical companies, mechanical and vehicle engineering, food production and providers of digital services such as cloud computing, online marketplaces and online search engines. The new cybersecurity obligations also cover private research institutions.
However, sectoral affiliation is not the only decisive factor in whether NIS 2 affects a company; organizations must also achieve minimum values for turnover and number of employees. Companies that employ at least 50 people or have annual turnover and balance sheets that each exceed €10 million are obliged to implement a cybersecurity management system in the EU. In particular, many medium-sized companies—as well as companies from other countries around the world that do business in the EU—are facing increasingly strict cybersecurity compliance obligations. Regarding best practices, however, the new standards don't require an absolute level of digital security but, rather, a level that is appropriate to the given risks. For example, companies that are newly covered by NIS 2 must first and foremost implement cybersecurity risk management that is based on state-of-the-art technology. Measures to be taken could include the following:
- Systems for attack detection
- Use of AI tools for automated prevention and response to cyber incidents in the company
- Network segmentation
- Access control (in particular, zero-trust policies)
- Awareness for management and employees
- Network mapping and network segmentation
- Vulnerability management and update policies

Cybersecurity is also increasingly becoming a task of holistic digital resilience. With the recent revelation that IT workers from North Korea have even successfully infiltrated large Fortune 500 companies in the United States, every company's cybersecurity policy must increasingly and actively incorporate the factors of industrial espionage and trade secret protection. This is the Achilles' heel of countless companies, as IT management and employee management must increasingly be considered holistically. In an age of global threats, however, the risk analysis for cybersecurity doesn't end here, as non-technical risk factors and the protection of the (digital) supply chain must increasingly be included.
This means that in the age of cloud computing, companies themselves are responsible for ensuring their contractors also demonstrably verify the cybersecurity, availability and data confidentiality of their IT systems. On the other hand, bottlenecks in the supply of hardware, for example—which still largely originates in Asia, particularly Taiwan and the People's Republic of China—must also be taken into account. According to the NIS 2 Directive, it's also essential for companies to document every cybersecurity measure they take. Such technical and organizational documentation is not only in the company's own interest to continuously develop an information security management system, but it can also be helpful when it comes to preparing for cybersecurity audits and certifications or when official inspections are pending—which is also possible under European law. As the individual EU member states are responsible for implementing the NIS 2 Directive, the national cybersecurity authorities carry out such reviews. This means that documenting the cybersecurity measures taken can also help to ward off fines, which can easily run into the millions in the event of serious breaches since NIS 2 defines standardized European fine thresholds for breaches in line with the EU GDPR. The maximum fine for significant entities is either €10 million or 2% of global annual turnover, whichever is higher. The documentation to defend against civil claims for damages following IT failures is of similar relevance. However, documentation is also required beyond this, as the NIS 2 Directive stipulates official reporting obligations in the event of cyber incidents. Maximum deadlines of 24 and 72 hours apply to the content of the reports, which must in any case be submitted without delay. In case of doubt, competent authorities may carry out random on-site inspections of cybersecurity standards in the companies, for which the management can be held liable.
As a result, the NIS 2 Directive and its current implementation in all EU member states could massively increase the level of cybersecurity for globally active companies by the end of this year at the latest. Good cybersecurity best practices will become a general corporate warranty responsibility. All international companies operating in the EU are also required to check whether they fall within the scope of the directive and, if so, to establish suitable best practices to defend against digital threats within the company.


New York Times
30-07-2025
- Business
- New York Times
What Does It Cost to Keep Workers Safe?
Andrew here. The shooting spree in Midtown Manhattan continues to reverberate. Corporate leaders across the country are huddling with their security teams, assessing necessary actions following a shooting that clearly targeted the N.F.L. This episode comes after last year's killing of Brian Thompson, the C.E.O. of UnitedHealthcare, a few blocks away, and raises questions about whether this will become a new normal. We also continue to grieve and remember the victims, including Wesley LePatner, a senior executive at Blackstone; Julia Hyman, a young executive at Rudin Management, the real estate company that owns the building; Aland Etienne, a security guard; and Didarul Islam, a New York City police officer. We have more below. I also want to thank all of the readers who reached out, expressing gratitude for my calling on businesses to proactively address issues like gun violence. The truth is, in this very fraught political moment, there is virtually no appetite to touch this topic in public or in private. Unfortunately, I don't see that changing. Companies view engaging in any discussion that could be described as a 'social issue' as simply too high a cost. But if the cost is that of the life of an employee, killed in cold blood, what would it take to speak out? Let us know what you think.

The cost of corporate security

For many businesses and property management companies, the tragic shooting at 345 Park Avenue in Midtown Manhattan on Monday has raised questions about security — including guards, access systems, cameras and more. But how much more will it cost companies to secure an office building? And what do they have to consider beyond stationing guards at the front desk? Danielle Kaye digs into the questions. Security for several New York finance firms was visibly higher after the shooting.
Goldman Sachs had a dedicated team of police officers and security guards at the entrance and inside its Manhattan headquarters, the firm's head of human resources, Jacqueline Arthur, wrote to employees on Tuesday, The Times reported.


Forbes
15-07-2025
- Business
- Forbes
From Reaction To Resilience: What Comes After Executive Protection?
By Matt Hinton and Justin Cruz

The tragic killing of the UnitedHealthcare (UHC) Chief Executive Officer on December 4, 2024, marked a pivotal moment for corporate security. In the aftermath, boards of directors across industries moved swiftly, asking tough questions about the safety of executives. Organizations responded with urgency, deploying protective measures to safeguard their leadership in the office, at home and everywhere in between. For many organizations, this swift mobilization underscored a long-overdue recognition of the vulnerabilities faced by high-profile executives and the strategic imperative to address them at the highest levels of governance. Now, with foundational executive security protocols in place, critical questions emerge: What should organizations prioritize to ensure long-term resilience and executive safety? How can responsive measures evolve into new or enhanced executive security programs with a clear vision for protecting the organization? The answer lies in transitioning from reactive protection to proactive preparedness—an evolution that demands strategic foresight, cross-functional collaboration and a holistic approach to risk management.

(Re)establishing the Protective Foundation

In the immediate wake of December 4, organizations acted decisively to fortify their executive protection capabilities. This initial phase focused predominantly on physical security: evaluating threats to key executives, standing up or enhancing executive protection programs and protocols, deploying close protection personnel, and upgrading office and residential security infrastructure. These measures, while essential, were largely reactive. Now is the opportunity for organizations to go beyond the initial reactive measures and reassess the broader threat landscape not only to their executives, but to their people, buildings, intellectual property, and brand.
This means (re)establishing sustainable physical security capabilities that are commensurate with their risk exposures. Core areas such as access control systems, enhanced visitor management, travel security protocols, intel, and incident response planning must be evaluated and incorporated into an organization's security foundation to protect the enterprise as a whole.

Expanding the Definition of Protection: Digital and Psychological Dimensions

In an increasingly interconnected world, executive exposure extends far beyond physical proximity. Digital footprints, social media activity and publicly accessible personal information have become vectors for harassment, impersonation and reputational harm. Moreover, the psychological toll of persistent threat awareness can impair executive performance and decision-making. It is no longer sufficient to focus only on physical security – companies must take a holistic approach to identifying and managing threats to executives. To address these challenges, organizations must broaden their executive security strategies to include:

Comprehensive protection must encompass an executive's digital identity and mental well-being, recognizing that threats to reputation and psychological safety can be as damaging as physical harm. Similarly, effective protection measures need to be integrated throughout the business and take a strategic, enterprise-wide approach led by proactive intelligence and risk assessments.

Addressing Insider Threats and Workplace Violence

Many executive protection programs are designed to address external threats such as activists, stalkers and aggrieved individuals. However, many serious threats emerge internally, including disgruntled employees, insider sabotage and workplace violence. These threats are often underestimated but have the potential to cause tremendous harm.
Organizations should prioritize designing and implementing formal workplace violence prevention and response programs featuring:

More formal and holistic insider risk capabilities can be developed that incorporate these workplace violence prevention and response capabilities as an organization matures. Programs can leverage these capabilities to look at other sources of insider threat (e.g., fraud, IP theft, etc.) in an integrated and comprehensive way. By expanding their scope to include internal as well as external threats, organizations can build real resilience and ensure a systemic and coordinated approach to both executive and enterprise security.

Reinforcing Crisis Management Capabilities

As organizations reassess their executive protection strategies, it is imperative that they also revisit and modernize their crisis management frameworks. The threats facing today's enterprises—ranging from targeted violence and cyberattacks to reputational crises and geopolitical disruptions—require a coordinated, agile and well-rehearsed response. Many crisis management plans were designed for a different era, and often focused on natural disasters or operational failures. In the current environment, these plans must be refreshed and stress-tested to ensure they are fit for purpose. Plans should be all-hazards in nature and align to the organization's culture and business-as-usual operating models. A critical component of this refresh is the regular exercising of crisis response teams against high-impact, plausible scenarios. These exercises—whether tabletop simulations or full-scale drills—are essential for:

Reinvigorating Enterprise Risk Management

Protective efforts must be grounded in a strong enterprise risk management (ERM) foundation. In many organizations, ERM functions have become fragmented or under-resourced, if they even existed in the first place.
Without a clear, enterprise-wide view of risk, it becomes difficult to determine what threats are being monitored, prioritized or even acknowledged. This lack of visibility undermines both executive security and crisis preparedness. Reinvigorating ERM—ensuring it is integrated, data-informed and aligned with strategic objectives—is critical to identifying blind spots, allocating resources effectively and ensuring that protection efforts move from reactive to forward-looking. ERM should be the unifying framework that brings together otherwise siloed risk management efforts across an enterprise…if done correctly. For ERM to guide protection meaningfully, it cannot be a 'check-the-box' exercise or based on historical points of view. In order to add value, it must be strategic in nature and closely tied to the organization's core business objectives and growth. For organizations not sure where to begin, ERM can start with:

The Strategic Imperative: Advancing Threat & Protective Intelligence

Enterprise and executive security capabilities are drastically augmented when supported by mature threat and protective intelligence operations. To move beyond a reactive footing, organizations must invest in these intelligence disciplines and shift them from niche capabilities to a key corporate function integrated throughout the organization. Modern threat and protective intelligence functions should work side-by-side and integrate behavioral threat assessment, open-source intelligence (OSINT), and continuous monitoring of online venues to provide a comprehensive view of an organization's current threat landscape. This allows an organization to identify, assess and manage potential threats to executives and assets before they materialize, and enables security teams to make risk-based decisions. Key components of an integrated threat and protective intelligence program include:

However, protective intelligence is not merely a conglomerate of technology solutions.
It requires skilled analysts capable of interpreting nuanced data and collaborating cross-functionally with human resources, legal, corporate security and information security to ensure timely and effective intervention. When deployed correctly, threat and protective intelligence become decision-making filters that allow an organization to intervene early while also reducing blind spots, breaking down silos between departments, and ensuring that teams are positioned to anticipate risk scenarios rather than responding to them.

Conclusion: From Protection to Strategic Preparedness

The events of December 2024 serve as a stark reminder of the evolving threat landscape facing corporate leaders. While the rapid deployment of executive protection measures was both necessary and commendable, it represents only the first step. To ensure enduring safety and organizational resilience, organizations must now pivot toward strategic preparedness—a forward-looking approach that integrates intelligence, digital security, psychological support, crisis readiness and cultural transformation. In doing so, they will not only safeguard their executives but also fortify their institutions against the complex risks of the modern era.

Matt Hinton is a Partner at Control Risks. He heads the North American Crisis and Security Consulting practice. He assists organizations with key risk and resilience matters, including crisis management and corporate security.

Justin Cruz is a Senior Consultant in Control Risks' Crisis and Security Consulting practice, based in New York City. Justin focuses on establishing and growing physical security, executive protection, and threat intelligence programs.


Fast Company
14-07-2025
- Business
- Fast Company
CEO security is on the rise. What does it take to keep company leaders safe?
Hello and welcome to Modern CEO! I'm Stephanie Mehta, CEO and chief content officer of Mansueto Ventures. Each week this newsletter explores inclusive approaches to leadership drawn from conversations with executives and entrepreneurs, and from the pages of Inc. and Fast Company. If you received this newsletter from a friend, you can sign up to get it yourself every Monday morning.

Prominent CEOs and high-net-worth individuals have long had security details, but in recent months executive security feels like it has become a more conspicuous part of the corporate landscape. It is no longer unusual to see a CEO's protection officer standing nearby during lunch in a restaurant. I've had a growing number of companies request a 'sweep' of our office before a CEO visits Fast Company or Inc., and I've seen leaders arrive at meetings in bulletproof vehicles, even after traveling just a few blocks. This rise in CEO security isn't just anecdotal: More than a third (34.4%) of S&P 500 companies offered executive security in 2024, according to a fresh analysis of 2025 proxy statements by intelligence firm Equilar, up from 28.2% in 2023. Median security spending last year increased to $105,749, up 6% from a year earlier, with some companies, such as Intel, boosting security spending more than 8,000%, to $250,000 from just $3,000 in 2023. And security spending is likely to climb in 2025 following the fatal shooting of UnitedHealthcare CEO Brian Thompson in December 2024. Experts say heightened security resources correlate to a rise in credible threats against executives, fomented by political rhetoric, social media, and antibusiness sentiment.

Bodyguards for the top boss

Even for public company CEOs, the level and visibility of their security operations vary wildly based on their fame and circumstances. Meta provides CEO Mark Zuckerberg with a $14 million annual pretax allowance to protect him and his family, up from $10 million in 2018. 'We believe that Mr. Zuckerberg's role puts him in a unique position: He is synonymous with Meta and, as a result, negative sentiment regarding our company is directly associated with, and often transferred to, Mr. Zuckerberg,' the company says in its 2025 proxy statement. In contrast, Berkshire Hathaway last year spent $305,111 on in-home and personal security services for its equally high-profile but relatively unprovocative CEO, Warren Buffett. Most CEOs are initially reluctant to embrace protection. 'Usually, CEOs think everything's fine,' says Paul Donahue, president, global security services at Constellis, which provides security services and support. When they do concede to security, chief executives can be very selective about the professionals who guard them. "We tell all of our executive protection folks, 'CEOs operate at a very high speed, they're highly demanding, and they're as particular in picking security as they are in picking a plane they're buying,' so we've had a lot of turnover," he says. Constellis recruits ex-military, ex-law enforcement, and career security professionals to work in its executive protection unit. Donahue says those careers instill people with the skills, including discipline and an understanding of chain of command, needed to succeed in the field. Protecting a CEO can be a balancing act: Security professionals need to be able to say no to clients, especially when a seemingly simple request, like running out to pick up a pint of ice cream, might require Constellis to put together a patrol team and mobilize several cars. 'But if they insist, we'll go to Häagen-Dazs at 11 p.m.,' Donahue says. 'It's as personal a service as I think there is.'

Should companies invest in CEO security?

While the odds of an incident are fairly low, Donahue argues (self-servingly) that it is money well spent. He notes that the Thompson killing unleashed a wave of negative sentiment about UnitedHealthcare and the health insurance industry, damaging the company's reputation and hurting employee morale. Furthermore, he says, if companies spend millions of dollars guarding intellectual property, products, and brands, they should feel comfortable earmarking a couple hundred thousand dollars for CEO protection. 'If you truly believe your most important asset is your people, which we hear over and over, you probably should spend a little more on protecting that important asset,' he says.

How do you protect yourself?


CNA
10-07-2025
- Business
- CNA
Ex-ASML, NXP employee sentenced to three-year jail term for sharing corporate secrets
ROTTERDAM: A Dutch court on Thursday sentenced a former employee of semiconductor firms ASML and NXP to three years in prison for sharing sensitive company technology with a contact in Russia, in violation of European Union sanctions. The District Court of Rotterdam found the 43-year-old man, German Aksenov, guilty of computer intrusion and illegally providing technical assistance to Russia. "NXP has a zero-tolerance policy towards data theft and embezzlement. We cooperated with the prosecutor's offices throughout this process," NXP told Reuters in an email. ASML was not immediately available to comment. Aksenov was arrested in August 2023 and has remained in custody since. Prosecutors had initially accused Aksenov of selling stolen design manuals for cash and having contact with Russia's FSB intelligence service. However, the court's final sentence was one year less than the four years prosecutors had demanded, as it could not be proven that Aksenov had been paid for sharing the confidential business information.