Cybersecurity: Hope for the Best but Prepare for the Worst – Part I

* This article originally appeared in the August edition of PX Community Matters.

This is the first article of a two part series dealing with what businesses can do in the face of growing cyber threats. Next month, we will cover how businesses should respond in the case of a successful cyber attack. 

Increasingly, reports of cyber attacks on businesses have been making the headlines. The numbers speak for themselves:1
 

  • 5 out of 6 large companies were targeted by advanced attackers in 2014 (40% increase over the previous year);
  • 60% of all targeted attacks struck small and medium sized organizations; and
  • Total of 348 million identities exposed as a result of breaches (average number of identities exposed per breach was 1.1 million).

While these numbers are alarming and underscore the fact that cyber threats are increasingly sophisticated, frequent and cause real damage to businesses, the fact is that this trend is expected to continue and will likely amplify in the coming years. 

In other words, it’s a question of “when” and not “if” your business will be the target of a cyber attack. However, precautionary steps can be taken to limit the potential damage (both monetary and reputational) associated with a successful cyber attack. Here are a few key things businesses can undertake to limit the chances of being a victim of a cyber attack.

1.    Know Where You Stand

In order to prepare adequately for potential cyber threats, map out your business’ networks and IT systems, including a clear understanding of what the key business functions are, as well as where the business’ critical data (i.e., the business’ “Crown Jewels”) resides and how they are protected. Consider encrypting all critical data and limit your employees’ network privileges to only those required for them carry out their duties.

2.    Build a Cyber Monitoring Team 

Communication and coordination between different departments is critical to effectively counter cyber threats. Consider building a team consisting of knowledgeable managers and professionals (internal and external) who will meet regularly to asses threat levels, discuss how to address gaps and make recommendations to management on how to protect the business’ digital assets. The team should not be limited to or be the sole responsibility of your IT department – rather, the team should also include legal, business and c-suite executives. Care should be taken in putting together the team by ensuring that the right people are around the table and that the team’s mandate and deliverables are clear.

3.    Audit and Test Security Measures – Regularly!

Each security measure implemented by the business should be audited and tested on a regular basis. Results of these audits should be regularly reported to senior management and the Board (or the Board’s risk committee) to ensure that the leadership team is aware of any potential cyber threats, understand the business’ cyber risk profile, assess the effectiveness of current defences and be able to can take necessary remedial steps. If necessary and appropriate, consider engaging third party security experts to conduct audits or suggest remedial measures.

4.    Educate and Train Staff, Then Repeat

Training staff is a critical element of cybersecurity. They need to understand the importance of protecting customer and business information. To do so, staff will need a basic grounding of potential cyber risks and how to make good judgments online when faced with cyber threats such as spear phishing. 

Given that almost every aspect of employee and corporate life has a digital component, cybersecurity considerations should be built into relevant corporate policies (e.g., BYOD policies, proper cyber hygiene practices, etc.). Staff need to know and understand the policies and best practices you expect them to follow in the workplace (e.g., how to avoid cyber threats such as spear phishing or how to secure data when traveling to offsite conferences or meetings). These policies should be drafted in simple and practical terms.

Since cyber threats are constantly evolving, ensure regular staff training, including holding refresher workshops.

5.    Be Aware of Supply Chain Risks

Address potential vendor and supply chain risk by restricting access to your network to only what is necessary. Businesses should consider requiring vendors to provide notice of suspected breaches, require third-party security audits and obtain adequate indemnification. Businesses will also want vendors to ensure that they (and their employees) follow proper cyber hygiene. 

6.    Cyber Risk Insurance

Insurance is a key part of risk management and can offer businesses significant protection in the case of unplanned events. Businesses should review their existing insurance coverage in the case of a cyber attack. If it is deficient, consider investing in cyber-risk insurance that would cover network breaches, data loss and potential litigation costs.

7.    Have a plan

Businesses must prepare for the eventuality that they will at some point be victim of a successful cyber attack with their network and data being compromised. The key to handling an attack effectively is preparation. Businesses should map out key legal and business issues that will need to be addressed in the case of a cyber attack (e.g., notification to regulators or security agencies, use solicitor-client privilege, escalation of communications to senior management, business continuity plan, public relations strategy, etc.). 

The Bottom Line

Businesses that have been the victim of a successful cyber attack will admit that it can be a crippling event, especially if the business was not prepared. The key to mitigating the risks associated with a cyber attack is to be aware of the threat, to protect the business’ crown jewels, educate and train staff and most importantly, have an incident response plan ready to go.

                                                                                               

1 See Symantec, 2015 Internet Security Threat Report, Volume 20, April 2015, available online here.