Cybersecurity: How to be Proactive
Anthony Munns, IT audit and security partner at Brown Smith Wallace, has more than 20 years of experience with information technology and security, and he has watched the issue of cyber threats grow over the years. He knows the extent to which companies can be affected by cyberattacks. He also knows what they can do to get ahead of threats.
How are companies affected by cybersecurity breaches?
Organizations are seeing the Target and Michaels problems where financial information is being compromised, whether it's credit card details or transactions. They are seeing loss of personal information, which is potentially leading to identity theft, and seeing losses of personally identifiable information (PII), which is compromising their requirements to keep that kind of information secure.
There's a "who's next?" type of concern out there. It's impacting the cost side of things: Are you going to have to conduct investigations, provide notifications? How do you fix your sites and keep yourselves from becoming the next victim? There is the indirect impact: loss of reputation, loss of business and the threat of sanctions being applied to the company.
How have cyber threats become more advanced in recent years?
Pretty well everybody is connected, and it is easier for the people who are trying to break into systems to find targets. What's evolved is that the type of people doing the targeting has changed. You've got a couple of major new players out there in terms of organized crime, which is now not just after the value of financial information, but also the value of PII and medical information because they can use that data to generate money as well. And you've got the state-sponsored attacks - the Chinese intellectual property attacks, for example, that are going on.
Now, it's not just the high-profile companies that are being targeted. It's more a crime of opportunity where they control a large number of sites and can go for where the weaknesses are in the system and exploit those known weaknesses.
What can companies do to prevent and detect a cybersecurity breach before it happens?
You have to be far more cognizant of the potential risk that is involved with the use of technology, and you've got to understand that risk and put the appropriate steps in place to prevent yourself from being vulnerable.
First, you should conduct a security risk assessment to understand where the potential weak points are in your security infrastructure. You should ensure that you've got employee awareness of the risks of the different types and methods of accessing systems. We've talked about the system vulnerabilities: A lot of those are making sure you are on the latest version of operating systems and making sure your components are updated, and that all the patches have been applied to keep this risk low.
An IT assessment conducted by an outside expert will provide objective insight and help tremendously in terms of blocking attacks and making sure your company is at the level where your risk is reduced so that only the most determined attacker might get into your organization.
Have you considered encrypting your data? This capability is built into operating systems today for many different platforms. Do you have a bring-your-own-device policy as an organization? Do you have appropriate measures in place that the employee has to agree to in terms of being required to have a password on the device? For example, do you require a remote wipe if that device is lost or stolen?
What should companies do to remediate the damages of a security breach?
You've got to ensure that you have the appropriate tools in place to monitor and detect breaches within your system. Do you have a procedure where you monitor your security logs? Do you have a data leak prevention approach? Do you know if data is being taken outside of your organization?
The second piece is: do you have an incident management plan? You need to talk to your legal people. You've got a lot of implications as far as compliance and regulations. A lot of companies are in industries that have to be compliant. Forty-six states have data breach laws. The chances are you're either operating in a state or your customers are in a state that has a data breach notification requirement.
You've got a public relations element as well. You've got to have a comprehensive incident management plan that covers that spectrum - that can help you manage the potential reputation impact that comes out of this and the sheer cost of this particular problem that can result in a huge loss of revenue as customers leave your brand.
Do you have cyber insurance? General business liability policies typically now require separate coverage. Have you talked to your broker to ensure you have the proper insurance at a competitive price? If it happens to you, you'll want to be covered against what can be significant losses.
Learn more about the frequency and origins of data breaches in our cybersecurity infographic, or schedule a security risk assessment with Tony Munns.