Now that we are aware that cyber risk deals not in the “if,” but rather in the “when” and “how bad” realms, this installment of the Cyber Risk blog examines how to handle your cyber risk responsibly, mitigate the damage it can cause, and limit your exposure from breaches.
Cyber Risk Mitigation – Mitigation begins with the right resources. One of the most important ways to diminish your cyber risk is to implement a cyber security plan for your business; most experts recommend that businesses take a strategic approach to cyber security. As a sample planner, the Federal Communications Commission created the Small Business Cyber Planner to help businesses evaluate their current cyber security posture and create a plan[1]. The planner is fully customizable, lets you cater to the specifics of your business, and is designed for smaller businesses that lack the resources to hire dedicated staff to handle cyber threats. While there are other resources out there, this one is recommended.
A comprehensive cyber security plan focuses on three key areas:
Prevention: Preventative solutions, policies, and procedures need to be put in place to reduce the risk of attacks.
Resolution: In the event of a cyber security breach, plans and procedures need to be in place to determine the resources that will be used to remedy a threat.
Restitution: Be prepared to address the repercussions of a security threat with your employees and customers to ensure that any loss of trust or business is minimal and short-lived[2].
Information Security Hygiene – Paying attention to the details is crucial when it comes to cyber security and limiting the prevalence of breaches. Many of these tips are common-sense solutions and preventative measures that are simple to employ. Unfortunately, businesses tend to overlook many of them, leaving themselves at heightened risk of cyber attack. Five such elements are:
Install Patches – Installing patches as they become available is an effective (stops 95% of all network intrusions) and easy solution. Not nearly enough companies do it, leaving major software (Android, Java, Apple, Adobe) at risk of attack.
Manage Your Network Boundaries
Manage Access and Permission Levels – Use common sense and choose non-obvious passwords for your systems.
Consider Whitelists or Blacklists for External Traffic
Manage Network Activity Proactively – Be on top of the game and monitor who accesses your servers and networks[3].
Professional/Legal Consultation – First, don’t overlook your in-house resources (Chief Technology Officer/Chief Risk Officer), if you have them. They are adept at handling sensitive situations such as these and are of great use in assessing and dealing with such risks. Another resource, and one of the most effective ways to manage your cyber risk, is to engage third-party risk assessment professionals to assess your cyber situation and conduct an in-depth analysis of the risks in your company. And, of course, every communication regarding the assessment of risk should include your attorney, whether in-house or outside counsel. Including your attorney in every communication allows those communications to be covered by the attorney/client privilege, and thus to be non-discoverable should anything go wrong later.
Cyber Insurance – Due to the prevalence and severity of cyber attacks, it probably makes sense to take out insurance to protect your assets and company as a whole. As there are many factors to Cyber Insurance, it will be covered in the next blog post.
Conclusion – To sum it all up: preparation is the key. Be sure to have an in-house plan and work with the experts (CTO/CRO, risk assessment professionals, counsel) at all times to ensure the company is prepared for a cyber breach. As echoed in the previous post about cyber risk, “the question is not ‘if’ your company will have a data security breach, it’s ‘when’ will that breach occur, and ‘how’ bad will it be.” Don’t be afraid to spend a little: get insured, get covered, and you will be able to properly handle your company’s cyber risk. With the proper preparation and utilization of resources, you have a chance of mitigating what would otherwise be a disaster.
[1] See: https://www.dhs.gov/sites/default/files/publications/FCC%20Cybersecurity%20Planning%20Guide_1.pdf
[3] See: http://www.computerweekly.com/news/2240178473/Cyber-security-the-best-weapon-remains-good-information-security-hygiene
This Blog, and the information contained herein, are intended for informational use only. Nothing in this Blog should be construed as legal advice.