Chapter 08 — Cybersecurity, Privacy, and Risk Management
Business Context
A Day That Changed Everything
Marcus Chen arrived at BrightHealth Solutions on a Tuesday morning that seemed like any other. As Director of Operations, he managed customer service and vendor relationships for this healthcare technology company serving 200 clinics and managing health data for nearly half a million patients.
The coffee was still brewing when IT director Sarah texted: “Get to the server room NOW. We have a situation.”
“We have been hit. Ransomware. Someone clicked on what looked like a legitimate vendor email. The malicious software has encrypted files across our entire network.” Marcus didn’t need to be a technical expert to understand — BrightHealth’s reputation and survival depended on protecting sensitive patient data. Cybersecurity had always seemed like an IT problem. Now he realized it was a fundamental business problem.
Understanding What Went Wrong
CEO Jennifer assembled the executive team. Sarah explained using the CIA Triad — the three pillars of security: Confidentiality (only authorized people access patient records), Integrity (data remains accurate and unaltered), and Availability (systems remain accessible when needed).
“Right now we have lost availability.” The malware — malicious software designed to damage or disable systems — had encrypted their files. Doctors couldn’t pull up records. Surgeries were postponed. Emergency rooms reverted to paper charts.
The attackers had exploited a vulnerability — a weakness in their older email system that hadn’t been updated in months. The threat — a sophisticated criminal organization — had been probing companies for exactly these openings. One employee clicking a phishing link cascaded into full crisis.
The company had never implemented comprehensive risk management — the systematic process of identifying potential threats, assessing how likely and severe they are, and taking steps to reduce their impact.
What Should Have Been in Place
Sarah outlined the missing defenses, layered protections (what security engineers call defense in depth), like a jewelry store with cameras, alarms, safes, and security guards:
Encryption — converting data into a form that can be read only by someone holding the key — would have made any data the attackers copied out of the network useless to them. Like the lock icon in a browser, which signals that traffic to the site is encrypted in transit, it scrambles information so that only authorized parties can read it. One caveat: encrypting stored data protects its confidentiality if it is stolen, but it does not stop ransomware from encrypting the files a second time, so it has to be paired with isolated backups.
Multi-Factor Authentication (MFA) — a security measure requiring more than one form of identity verification — combines something you know (a password) with something you have (a phone or hardware token) or something you are (a fingerprint). Even if attackers steal a password, they cannot log in without the second factor. One-time codes can still be captured by a phishing site that relays them in real time, which is why phishing-resistant factors such as FIDO2 security keys are preferred for high-value accounts. Marcus had MFA on his bank and email accounts. BrightHealth had prioritized convenience over security.
Also missing: quarterly phishing awareness training, automated anomaly detection, regular software updates, and offline or otherwise isolated backups that ransomware on the network could not reach.
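To make the MFA point concrete, here is an added example (not code from the chapter or from BrightHealth) of a login check that requires both factors: a salted PBKDF2 password hash and a time-based one-time code (TOTP, RFC 6238) of the kind an authenticator app generates. The user record, password, and TOTP seed are constructed for the demo. Note that a correct password with a wrong or already-used code is rejected, which is exactly the property that would have stopped a stolen password from being enough.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional, Tuple

# OWASP's current recommendation for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is generated when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) with HMAC-SHA1 over a 30-second time counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class User:
    """Constructed demo user record; a real system stores this in a database."""

    def __init__(self, password: str, totp_secret: bytes):
        self.salt, self.pw_hash = hash_password(password)
        self.totp_secret = totp_secret            # provisioned to the user's phone
        self.last_counter = -1                    # highest TOTP counter already accepted


def verify_login(user: User, password: str, code: str, now: Optional[float] = None,
                 step: int = 30, drift: int = 1) -> bool:
    """Both factors must pass. The code is checked even when the password is wrong
    so that both failure modes take the same path and the same time."""
    _, candidate = hash_password(password, user.salt)
    pw_ok = hmac.compare_digest(candidate, user.pw_hash)

    counter = int((now if now is not None else time.time()) // step)
    matched = None
    # Accept codes from the adjacent time steps to tolerate clock drift,
    # but never a counter at or below one that has already been used (replay guard).
    for c in range(counter - drift, counter + drift + 1):
        if c > user.last_counter and hmac.compare_digest(totp(user.totp_secret, c), code):
            matched = c

    if pw_ok and matched is not None:
        user.last_counter = matched               # burn the code: it cannot be replayed
        return True
    return False


if __name__ == "__main__":
    # Demo with the RFC 6238 reference seed; time 59 corresponds to counter 1.
    user = User("correct horse battery staple", b"12345678901234567890")
    print("valid:", verify_login(user, "correct horse battery staple", "287082", now=59))
    print("replay:", verify_login(user, "correct horse battery staple", "287082", now=59))
    print("stolen password only:", verify_login(user, "correct horse battery staple", "000000", now=1111111109))
```

The `totp` function reproduces the RFC 6238 test vectors (seed `12345678901234567890`, time 59 gives 287082 as a six-digit code), so it can be checked against any authenticator app. The replay guard (`last_counter`) is the detail most toy implementations leave out: without it, a code that was phished seconds ago remains valid for the rest of its 30-second window.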
Recovery and Response
Jennifer refused to pay the $2M ransom. "We have backups," Sarah said with relief. Backups only help if they are kept isolated from the network that was encrypted and have been tested by actually restoring from them, which is why Business Continuity Planning (BCP) — preparing procedures and systems to ensure organizations can operate during and after disruptions — matters. BCP is not just about technology; it is about people, communication, and trust.
Marcus led the business response: emergency communications to the 200 affected clinics, coordination with the cyber insurer and legal counsel, and daily briefings with stakeholders. Over 72 hours, systems were restored from backup, MFA was rolled out, and the vulnerability was patched.
The financial cost: more than $800,000 in recovery, legal fees, notification costs, and lost contracts. Afterwards, Jennifer appointed Marcus as Chief Risk Officer, with a mandate to build a comprehensive security culture.
The Cultural Shift
Six months later, click rates on simulated phishing emails had dropped from 35% to 4%, the number of open vulnerabilities had fallen by 80%, and several prospects chose BrightHealth because of its improved security posture.
Security is everyone’s responsibility. Whether you’re an intern with a customer spreadsheet or an executive making strategic decisions — the choices you make about security and privacy shape your organization’s future.