Concerns about cyber threats disrupting core operations are now a top operational risk. During a May 8 question-and-answer session, Securities and Exchange Commission Chair Mary Jo White called threats to cybersecurity “the biggest systematic risk we have facing us.” She went on to say, “I don’t think we can give it a high enough priority in terms of trying to assess the risks that are there, assess the vulnerabilities, [and] clearly come up with strategies that best prevent, detect and then respond to cyber attacks.”
Take a Proactive Stance
Given the impact that breaches can have and the level of sophistication shown by perpetrators in recent breaches, it’s not a matter of if a breach will occur, but when and how it will occur.
Cyber data — including financial data, sensitive customer information and employee records stored on the cloud or on the company’s technology devices and networks — is one of the most valuable assets many companies own. Each year, management should evaluate what’s being done to protect these intangibles, where vulnerabilities exist and how to make the assets more secure. Here are some cyber protection best practices for you to consider.
Think Big (and Small)
Many hackers operate overseas, making them harder to identify and prosecute. So, think globally when assessing your cyber breach risks.
However, hacks are often perpetrated through the victim’s small or midsize vendors. That’s because smaller companies often lack the resources to put strong security measures in place — and hackers are ready, willing and able to take advantage.
Consider the 2013 high-profile security breach that caused Target to lose 40 million credit and debit card numbers. Hackers reportedly obtained information through a third-party heating and air conditioning vendor, which had access to the retailer’s computer network. The stolen credit and debit card data was then moved to a server in Russia.
Many other cyber crime incidents have also reportedly been linked to vendors with lax security.
Some companies limit outside access to their computer networks, refusing supplier and customer requests to share data. Others require vendors to verify their network security protocols. Some companies are establishing cyber security ratings — similar to credit scores — based on the amount of traffic to a company’s website coming from servers that are linked to cybercrime. As those ratings become more refined, managers may choose to avoid doing business with high-risk customers and suppliers.
Engage in “Cyber Hygiene”
Protecting against cyber threats is an ongoing challenge, not a one-time event. Every time a software, hardware or application manufacturer releases an update or patch, install it immediately on every device in a systematic fashion. Why? Hackers constantly troll for the latest patches and updates because they show where vulnerabilities exist. If hackers are nimble, they can exploit these vulnerabilities to steal data before customers have a chance to install the fix.
Another useful prevention strategy is requiring periodic changes to log-in passwords. Hacked passwords can cause a domino effect, because people tend to use the same password for multiple accounts. For example, when Adobe lost 33 million customers’ log-in credentials, other websites discovered that their accounts were being accessed using passwords stolen from Adobe. Some companies also use a security question or require users to select a preferred image to add another layer of identity verification.
Companies often have more devices connected to the Internet than management realizes. Moreover, when employees take devices out of the office, they expose data to less-than-secure home networks and public hotspots that provide wireless Internet access. Evaluate which devices need to be connected to the Web and take steps to minimize off-site risks. Consider limiting which employees can work from home, educating employees about the risks of cyber breaches and installing encryption software on devices that link to external networks.
Encryption may create compatibility issues when sharing data with other companies and slow down data transmission. But it can be a powerful and cost-effective tool in the battle against cybercrime.
Seek Outside Help
Cyber security is an important task that few organizations can handle exclusively in-house. Consider seeking outside help to reinforce your current information technology (IT) policies and procedures. For example, a growing number of small and midsize companies use outside computer security companies to evaluate vulnerabilities in their network and test how well in-house IT professionals are securing their networks.
Another popular security measure is cyber liability insurance. Professional and general business liability insurance policies generally don’t cover losses related to a hacking incident. Cyber liability insurance can cover a variety of risks, depending on the scope of the policy. It typically protects against liability or losses that come from unauthorized access to your company’s electronic data and software.
Instead of purchasing a standalone cyber liability policy, you can add a cyber liability endorsement to your errors and omissions policy. Not surprisingly, the coverage through the endorsement isn’t as extensive as the coverage in a standalone policy.
In addition, external auditors can help companies evaluate their exposure to cyber breach risks. Risk assessment is an important part of year end audit procedures. Forensic accountants are familiar with ways to identify and reduce cyber breach risks. Failure to protect valuable intangibles against the risk of cyber breaches can turn this valuable asset into a costly liability.