Recently we convened a panel of experts to talk about the trends and risks they are seeing in cybersecurity, in terms of both the types of attacks that are taking place and what organizations are doing to protect their data and their reputations.
Our panel consisted of four experts who each brought a different perspective regarding the topic of cybersecurity.
Alisa Chestler is a partner with the law firm of Baker Donelson and the leader of the firm’s Privacy and Information Security Team. Chestler is a frequent speaker and author regarding cyber security.
Joe Salazar of Aon Risk Solutions provided perspectives on how insurers are addressing their clients’ needs for coverage to protect against the potential financial risks of an incident.
Brandon Sherman of Frazier & Deeter’s Process, Risk & Governance practice was the moderator and provided perspective on internal controls.
Bryant Tow of CyberRisk Solutions provided insights from his many years providing security solutions. Tow has published several books and articles on cyber security topics and has received several awards including “Governor’s Office of Homeland Security Award for Exceptional Contribution in Recognition of Outstanding Support of Tennessee’s Counter Terrorism Program.”
What The Experts Had To Say
As Tow put it, “The majority of the threat profile isn’t technology, it is people and processes.”
One example that continues to make headlines this year is ransomware. Ransomware is malicious software that an attacker uses to encrypt your data; the attacker then demands a ransom payment before you can access your data again. This type of cybercrime, which effectively denies you the use of your own systems, has become increasingly common. In the first quarter of 2016 alone, over $200 million was paid in ransomware cases, according to the FBI. Some sources estimate the total cost of ransomware as high as $1 billion by the end of 2016.
But how do hackers get into your data files to take them hostage? They can do so in multiple ways, some as simple as getting an employee to click a link. That one click can let the hacker begin recording keystrokes, which eventually yields a login with access to the networks, databases and systems the company needs to operate. The next thing you know, your data is encrypted and you can no longer access it.
Ransomware is the perfect example of how the biggest threat can be people and their often innocent actions that put the company at risk. Most employees understand enough about viruses and malware (e.g., Trojans, worms, adware, spyware) to avoid the temptation to click on an .exe file, or on an email that either has no text or comes from an unknown source. But today’s criminals have gotten much more creative, and the employee may instead be clicking on a PDF file or a link that appears to have been sent from a trusted source. These types of social engineering tactics allow criminals to pose as a client, a vendor, or a personal contact or coworker in order to gain access to your company data.
The bottom line is that you need to have procedures in place, make sure people understand why the procedures exist, and train people throughout the organization on a regular basis on the procedures that help create a secure environment.
Other Cybersecurity Risks You May Face
But it isn’t just your people who can put your data at risk. The panel also discussed vendors or other third parties and how they have led to some of the highest profile breaches in recent years. A vendor with physical or digital access can put your organization at just as much risk as your own employees. Part of your security due diligence should be asking questions about your vendors and their access, such as:
• Have your vendors been through a thorough security review?
• Do they have a SOC 2 report that demonstrates a strong approach to data security?
• Are exceptions or deficiencies related to access or data security from the security review or SOC 2 report corrected in a timely manner, or do they persist year after year?
Physical access to facilities is a critical aspect of security that is often overlooked. Who has access to your servers? Is the door to the room locked? Are access logs reviewed for appropriateness as well as for invalid access attempts? Is a visitor’s log used to show that guests and other people without access rights were escorted by an appropriate party into the secured areas of the facilities? Simple physical security measures are just as important as digital security protection.
Are You Prepared For a Cybersecurity Incident?
The panel agreed that another common error companies make is not having an agreed-upon response and recovery action plan that is ready to implement immediately upon the discovery of an incident. With the constantly changing landscape of malware, most companies eventually suffer some sort of data attack, and how well the company responds may help it protect its long-term brand equity.
Taking the time now to work with experts to develop an incident response and recovery plan will enable you to tap into a support team that can react quickly and decisively when, not if, a cybersecurity incident occurs. It’s important to define your team before something goes wrong – calling an attorney, insurer, or security solutions advisor only after an incident, when you are already concerned about a lawsuit or other implications, leaves your company in a weaker position than if you had proactively involved these three parties in reviewing your plans and controls. The key is to ensure you’ve taken reasonable measures ahead of time.
Another key step in preparation is ensuring you have proper insurance coverage in place to protect the company in case of an issue. Today there are a variety of insurance products available to offset the risk of an incident, covering costs like:
• Notification to stakeholders
• Identity protection solutions
• Public relations
• Legal costs
• Forensic/Investigation solutions
Understanding what your insurance policy covers and how to quickly trigger it is an important aspect of your risk management strategy. Meet with your insurance provider to ensure your policy covers a breach that is discovered during the policy period, rather than only a breach that occurred during the policy period. Breaches often go unnoticed for months, so be sure your coverage accounts for that gap.
The panel told stories of companies dealing with a variety of crisis situations, ranging from large-scale deliberate attacks to less sweeping but also distracting and debilitating issues. It was clear that these experts could have told war stories for hours about how breaches happened and the ensuing aftermath.
The key takeaway? We’ve entered an era in which companies of any size may be a target, and every company, no matter how small, should proactively improve the procedures it has in place to protect its data and reputation and to properly contain, respond to, and recover from an incident when it does occur.
Interested in learning more about cyber security? Contact our panel moderator, Brandon Sherman, at Brandon.Sherman@frazierdeeter.com