CDF Key Takeaways: Cyber Risk: Do You Recognize Your Organization’s Vulnerability

Key Takeaways from Cyber Risk: Do You Recognize Your Organization’s Vulnerability?

We hope you will take away the importance of having a plan in place so that your organization is ready not if, but when it faces a breach or attempted breach. While inconvenient, the cost savings and the value of a positive public perception are worth it in the end.

General Overview

  • Cybersecurity and risk should be top of mind for every organization.
  • Retail is a big target for data breaches because it stores customer data (e.g. credit card information), but all industries are at risk.
  • Employee awareness and training are imperative. Policies and procedures should be established.
    • Training is the most cost-effective way to mitigate cyber-related risks.
    • Test employees with mock phishing emails. This is a teaching moment to heighten awareness.
    • Make everyone aware that many devices are not secure by default and can be compromised in a matter of seconds.
    • Training should be ongoing. Employees should be on high alert seasonally (the season may be industry specific, but W-2 phishing around tax season is common).
  • Even with tremendous resources, planning and preparation, there is no foolproof way to protect an organization, so plans must also be in place for when a breach occurs.
  • Ransomware and malware attacks are not always expensive in terms of the payment itself, but they can bring an organization to its knees, cause reputational harm and have many other unintended consequences, financial and otherwise.
  • Protecting yourself can be expensive. Look at industry-specific information on what you should be spending and/or consult peer groups to establish a budget for cyber security.
  • ISO certification is an expensive process. Is it worth it?
    • It depends on risk profile, peer groups, industry, policies, procedures and strategy.
    • Large companies expect their partners to have their cyber houses in order (which may make ISO certification necessary).
  • Do you have a comprehensive information policy?
  • Systematic expiration/deletion of old or unnecessary data helps to reduce downstream litigation costs (e.g. do you really need the records of an employee who left the company 15 years ago?).
  • Evaluate and rank different types of risks to help create an action plan. Hacking for credit card information is the most common risk.
  • Understand cyber hygiene policies and procedures. This is also critical to negotiating insurance risk.
  • There is no “silver bullet,” but have a plan in place for WHEN a breach happens.
  • Security is not always convenient (e.g. people do not want to reset their passwords), but it is necessary.
  • Fire your CEO for not having a plan, NOT for having a breach while a plan of action was in place. Breaches will happen.
  • Cyber security is war. You must test, train, drill and exercise for when it occurs, because it will.
  • Never put something in your privacy policy if you are not 100% sure about it.

Law Enforcement

  • Bring in the FBI and law enforcement if:
    • You have your internal facts in order.
    • The size and scope of the breach are large enough to merit their involvement.

Insurance

  • Carrying insurance to cover these risks is important. Downstream litigation is likely in the event of a breach.
  • Cyber insurance policies typically cover business interruption, but they have limitations, such as excluding the cost of consulting services and indirect financial impacts on the business (e.g. from reputational damage). It is important to have a good understanding of policy limitations.
  • The market cap on available cyber coverage is about $500 million. For a Fortune 1000 company, there is not enough insurance to cover all the risk.
  • Full coverage is generally not affordable for smaller companies. Weigh the risk against the cost to determine the best policy.

Data Storage

  • Should a company use the cloud (third-party) to store data, or use an internal server? It depends!
    • Third-party risk = your risk too! Confirm you are covered if a third-party breach puts you at risk.
    • All third-party vendors must be vetted (initially and on an ongoing basis). Look at their policies and procedures and get recommendations. Pay attention to data security terms in the contract.
    • Data segmentation is important. Do not hold all data in one location. A hybrid approach is often best, holding some data on an internal server and some in the cloud.
    • Confirm that the vendor holds the relevant ISO certification.

The Board’s Role

  • Board members should ask the CEO:
    • Do you have the right people on the team?
    • What is the IT team telling you about the company’s cyber risk? Has it been verified? Keep in mind, the IT team wants to make sure they look good. Trust but verify!
      • Has an overall risk assessment been completed?
      • Did it take a holistic approach?
  • What help does the CEO want from the Board?
  • Cyber risk is very technical in nature. Not all board members will understand it, but ideally there will be at least one knowledgeable board member.
  • Board should inquire about:
    • Testing
    • Technology
    • Training
    • Overall security
    • Risk
    • Policies and procedures

Words of Wisdom (WOWs)

  • Develop an intellectual curiosity around managing your risk.
  • Being breached is not always the worst thing that can happen. Mishandling the breach and not having an action plan in place is far worse.
  • Get started now! Start with a cyber security assessment. It can be a multi-year effort, so take a deep breath. You want to be able to say you have a comprehensive plan. Once you think you have completed it, you need to start the process again.
  • Don’t wait! Litigation is less expensive when you are prepared.