Data breaches at Target and Sony Pictures involved clearly high-value targets for hackers. However, these incidents may lull owners of small and medium-sized businesses into thinking their data has no value to hackers. But what if ransomware stops your company from even accessing its IT systems, shutting down e-commerce websites and contact centers and stopping the warehouse from taking and shipping orders?
Marsh & McLennan Agency, a global leader in insurance brokerage and risk management solutions, teamed up with IBM to survey 1,141 executives from small to middle-market organizations across North America. They found that executives “are clearly concerned about cyber risk — but, by their own admission, they do not have a grasp of how to protect themselves.” Admittedly, both these companies sell solutions; however, we feel the survey highlights some very real problems. Let’s look at these conflicting responses:
On one hand:
- Almost 60% said they consider cyber to be one of the top five risks they face, if not the very first.
- 78% said they were highly or at least fairly confident that their organization would be able to manage and respond to a cyber-attack.
- 82% said they were highly or at least fairly confident that their organization would be able to understand and assess a cyber-attack.
On the other hand:
- Only 18% said they had developed a cyber incident response plan.
- 34% said they had conducted a cybersecurity gap assessment.
- 36% said they had implemented a plan to train employees to recognize phishing emails.
- 23% said they had conducted penetration testing of their online defenses.
The Marsh survey reports that executives believe a data breach at a company with annual sales of up to $50 million may cost up to $10 million (MarshCyberSurvey p.3). Obviously, a breach of this magnitude can cripple or shut down a business.
This risk is difficult to understand and manage because of the advanced technology involved and the constantly changing cyber risk landscape. IT professionals need management support and budget, and given the risk, management needs to understand it better. Let’s look at some of the key considerations in a strong cyber strategy.
Conducting Cybersecurity Risk Assessment
Has your company conducted a cyber assessment in the last 12 to 24 months? The assessment is the process of:
- Identifying the gaps between people (the system’s users), processes and technology
- Analyzing and evaluating the risks to the business and the likelihood of occurrence
- Proposing solutions to reduce the risk
There are many self-assessment tools available. However, given the risk, the potential loss and the difficulty in understanding the technology, an objective, external assessment might be money well spent. Page 8 of the Marsh survey shows how corporations are implementing cyber risk changes.
Changes in the User Environment
Usernames and passwords are the keys to the castle. Using default passwords, reusing similar passwords and not changing passwords on a regular basis are bad practices that introduce security problems. Password strength is greatly improved when each password is unique to its user and uses a mix of numbers, upper- and lower-case letters and special characters.
The second user-oriented activity companies are investigating is training employees to raise awareness of how cyber criminals use phishing to gain access. One of the biggest causes of a data breach is employees haphazardly clicking on suspicious links or downloading attachments from phishing emails. Training employees, and actually simulating phishing and testing their online responses and practices, can be useful.
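As an added example that is not part of the original article, the following Go program shows how a defender can turn the points above into an enforced policy: it checks a candidate password for a minimum length and all four character classes, rejects entries from a constructed (deliberately tiny) list of vendor-default passwords, rejects passwords that embed the username, and flags a "new" password that merely increments the old one. The thresholds, the default-password list and the function names are my own assumptions, not from the article or from Marsh or IBM.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
	"unicode/utf8"
)

// Policy threshold assumed for this example, not taken from the article.
const minPasswordLength = 12

// defaultPasswords is a constructed, deliberately tiny sample of vendor-default
// and trivially guessable passwords; a real deployment would load a large
// breached-password list instead.
var defaultPasswords = map[string]bool{
	"password": true, "admin": true, "123456": true, "welcome1": true, "letmein": true,
}

// PasswordCheck reports whether a candidate passed and, if not, every reason why.
type PasswordCheck struct {
	OK       bool
	Problems []string
}

// CheckPassword evaluates a candidate password for the given username against the
// hypothetical policy: length, character classes, not a default, not derived from
// the username.
func CheckPassword(username, password string) PasswordCheck {
	var problems []string

	if utf8.RuneCountInString(password) < minPasswordLength {
		problems = append(problems, fmt.Sprintf("shorter than %d characters", minPasswordLength))
	}

	var hasLower, hasUpper, hasDigit, hasSpecial bool
	for _, r := range password {
		switch {
		case unicode.IsLower(r):
			hasLower = true
		case unicode.IsUpper(r):
			hasUpper = true
		case unicode.IsDigit(r):
			hasDigit = true
		default:
			hasSpecial = true // anything else: punctuation, symbols, spaces
		}
	}
	if !hasLower || !hasUpper {
		problems = append(problems, "needs both upper- and lower-case letters")
	}
	if !hasDigit {
		problems = append(problems, "needs at least one number")
	}
	if !hasSpecial {
		problems = append(problems, "needs at least one special character")
	}

	lower := strings.ToLower(password)
	if defaultPasswords[lower] {
		problems = append(problems, "matches a known default password")
	}
	if username != "" && strings.Contains(lower, strings.ToLower(username)) {
		problems = append(problems, "contains the username")
	}

	return PasswordCheck{OK: len(problems) == 0, Problems: problems}
}

// SimilarToPrevious catches the "Winter2023!" -> "Winter2024!" habit: it strips
// trailing digits and punctuation from both values and compares the word cores.
func SimilarToPrevious(previous, candidate string) bool {
	p := strings.ToLower(previous)
	c := strings.ToLower(candidate)
	if p == c {
		return true
	}
	notLetter := func(r rune) bool { return !unicode.IsLetter(r) }
	coreP := strings.TrimRightFunc(p, notLetter)
	coreC := strings.TrimRightFunc(c, notLetter)
	if len(coreP) < 4 || len(coreC) < 4 {
		return false // too little in common to call one a variant of the other
	}
	return strings.Contains(coreP, coreC) || strings.Contains(coreC, coreP)
}

func main() {
	for _, pw := range []string{"admin", "Password1!", "alice2024!Wow", "Tr0ub4dor&3xyz"} {
		r := CheckPassword("alice", pw)
		fmt.Printf("%-18q ok=%-5v %v\n", pw, r.OK, r.Problems)
	}
	fmt.Println("Winter2023! -> Winter2024! similar:", SimilarToPrevious("Winter2023!", "Winter2024!"))
}
```

The point of returning every problem at once rather than the first one is that the user fixes the password in a single attempt, which keeps the policy from being experienced as an obstacle to work around.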
Another critical element is that public WiFi is generally not secure. While use of laptops and mobile devices has grown dramatically, so has the risk of bringing in viruses and cyber threats external to the business’ defenses.
Conduct Penetration Testing
Cyber criminals are testing your networks and defenses every minute of every day. If you don’t think so, ask your network administrator how much junk mail, how many viruses and how much malware are detected and stopped daily. As the Marsh survey showed, only 23% said they do penetration testing.
Cyber Incident Response Plan
As the Marsh survey showed above, only 18% said they had a cyber incident response plan. What do you want users to do when they think they have a virus or malware? In our mind, it’s like having a fire drill or an emergency plan for when fire breaks out. Having been around users when their laptops or devices seem to be taken over by a bug, we know the first inclination is to shut the device down. What is the plan for reporting and dealing with this threat?
Encryption of Customer and Other Key Data Assets
If a customer’s information is compromised in any way, the consequences are catastrophic. PCI DSS regulation and enforcement in the e-commerce industry, while it came at a high cost to many companies, provides greater protection of customer payment and financial information.
How should encryption of key data assets be extended to other data assets? What will an objective cyber assessment deem worthy of further protection, such as proprietary product designs, financial, bank and tax return records, and human resources and employee data?
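As an added example that is not from the article, PCI DSS or any vendor, the following Go program shows the building block behind field-level encryption of a sensitive record: AES-256-GCM, which both hides the value and detects any modification of it, with the field name bound in as associated data so a ciphertext cannot be silently moved from one field or record to another. Key handling is simplified to a fresh key in memory, and the function names, the field label and the sample card number are my own constructed choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// keySize selects AES-256. The key must live apart from the data it protects
// (a KMS, an HSM, or at minimum a separately permissioned secret store);
// this example simply generates one in memory.
const keySize = 32

// NewKey returns a fresh random AES-256 key.
func NewKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts one field with AES-256-GCM. Output layout: nonce || ciphertext || tag.
// The field label is bound as associated data, so a value copied from one column
// or record into another fails to open even though the key is the same.
func Seal(key, plaintext []byte, label string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	// A nonce must never be reused with the same key; a random 96-bit nonce per record is the standard choice.
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

// Open reverses Seal. It returns an error if the key, the label or any byte of the
// stored value does not match; there is no "partially decrypted" output.
func Open(key, sealed []byte, label string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed value too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(label))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, fmt.Errorf("key must be %d bytes, got %d", keySize, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; 4242... is a well-known test card number, not real data.
	sealed, err := Seal(key, []byte("4242424242424242"), "card_number")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored:  %x\n", sealed)
	pt, err := Open(key, sealed, "card_number")
	fmt.Printf("opened:  %s (err=%v)\n", pt, err)
	sealed[len(sealed)-1] ^= 1 // simulate one corrupted byte on disk
	_, err = Open(key, sealed, "card_number")
	fmt.Println("tampered:", err)
}
```

What the assessment mentioned above decides is which fields get this treatment and who holds the key; the code is the easy part, and the authentication tag is what turns a silent disk corruption or a swapped record into a loud error rather than a quietly wrong bank account number.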
These are only a few of the critical considerations involved in evaluating the cyber threat to your business. The risk will continue to accelerate as we become more reliant on advanced technology. Continuing to assess the risk and taking action is essential.