If your organization experienced a data breach that cost well over six figures and shut down operations for several months, could you survive? Would you lose customers and employees? Businesses must assess their cyber risks and make sure they have the proper systems in place to prevent and respond to cyberattacks.
At an event hosted by Smith & Howard in February and headlined by former Governor Tom Ridge, the country’s first Secretary of the Department of Homeland Security, a large crowd gathered to listen to the Governor and other cybersecurity experts. One common point highlighted by them all was the need for ongoing employee education on cyber risks.
“The greatest weakness in an organization’s defenses is its people,” said Governor Ridge.
Governor Ridge went on to emphasize how businesses must provide their employees with education and training against phishing and other scams. Many cyberattacks happen when employees click on malicious email links that appear to come from someone within their organization. By clicking on the link(s), the employee unknowingly gives a hacker access to the organization’s data. Depending on the type of organization, that data could be very valuable. Health and financial organizations, for instance, store vast amounts of data containing people’s personal and banking information, leaving possibly millions of people vulnerable in the event of a data breach. All organizations hold private employee information (social security numbers, for example), data that cyber criminals covet.
Governor Ridge, who is now Chairman of alliantgroup, said that cyberattacks are considered an act of terrorism, reflecting the changing profile of terrorism since the terrorist attacks in 2001. The Internet has so many benefits, he said, but the world’s interconnectivity brings with it some peril. Every single connection to the Internet is a point of vulnerability. It is estimated that by 2025, over 25 billion devices will be connected to the Internet, creating even more points of vulnerability and risk.
According to Governor Ridge, business leaders need to understand that cyber risk is not just a technical problem. It is a business risk. The dollars spent on cyber defense must be seen as an investment, not an expense. He said there are three things businesses need to do.
- The top priority is to train their people, because “cyber hygiene” is critical.
- The second is process: implementing security measures. For proper governance, cybersecurity professionals must check, maintain and update their security systems as appropriate.
- The third thing to do is use technology to create layers of defense. He reminded the audience that risk cannot be avoided but can be effectively managed if the correct actions are taken.
In answering a question from the audience, he said that human error and behavior are more often than not responsible for networks being hacked. For that reason, he stressed that education and digital hygiene are imperative as hacks are becoming increasingly frequent and sophisticated.
Following Governor Ridge, a panel, featuring former Congressman Rick Lazio, Cyber Liability Specialist Ralph Pasquariello and Smith & Howard’s Enterprise Risk Security (ERS) manager Martha Raber, was moderated by Marvin Willis, Smith & Howard’s Accounting & Advisory Practice leader. The panelists reiterated the points made by Governor Ridge and described the dangers posed by weak cybersecurity and human error.
Plan of Action
“There are two kinds of businesses: those that have been hacked and know it, and those that have been hacked and do not know it,” said Lazio, who served four terms in the U.S. House of Representatives and is now Senior Vice President of alliantgroup. He told the audience that if they thought they had escaped a data breach, they needed to be prepared, as it was very possible an outside entity had pierced their defenses and was lying dormant inside their system.
Raber, who specializes in educating and helping organizations navigate and manage cyber risks, discussed the actionable steps businesses can take to reduce the risk of becoming a victim of ransomware. She told the audience that they need to:
- identify threats;
- determine whether each threat applies to their organization; and
- break it down so they know what steps need to be taken in the event that they are hacked.
“If your business does experience a cyberattack, your action plan would ideally already be in place because you have invested in enterprise risk management (ERM). The first step would be based on a pre-determined incident response plan after a thorough business impact analysis that determines how your organization should respond. Response to a cyberattack is also contingent upon what type of incident occurs. Generally, it is a triage process. The initial response is to understand and contain the incident, then determine your next steps according to the incident response plan that you should have in place,” she said.
Containment is not enough. If a business manages to contain a hacking incident but does not report it, the hacker is free to attack others. All organizations should contact their local FBI field office as part of preparing an incident response plan and get to know the names of the agents. Local FBI field offices and state agencies such as the Georgia Bureau of Investigation (GBI) are available and willing to take part in testing. A tabletop exercise, which ensures the response plan works before an actual incident occurs, involves contacting the FBI and provides valuable experience should a cyberattack take place.
Raber pointed out that different organizations face different threats. That is why it is important for businesses to invest in enterprise risk assessment and management. Smith & Howard’s Enterprise Risk team performs risk assessments and, in a heat map provided to clients, details each risk, its potential cost to fix and its potential cost if left unchecked. This allows business owners to weigh the cost of a fix against the financial impact of the risk and set sound priorities for risk management. For instance, a $10,000 fix may seem expensive, but it will prevent a $250,000 problem if a company falls victim to a cyberattack. This would take priority over a $25,000 fix that prevents a $10,000 problem.
Taking that point further, Lazio said that businesses will spend six figures to protect their physical property, including computers, but balk at spending similar amounts to protect their data. He warned that people should not be naïve about the financial risk they face from cyberattacks.
Protecting Your Crown Jewels
Companies and organizations need to determine what they consider to be their “crown jewels” and put extra safeguards around them. For instance, do you collect a lot of data and sensitive information about people? Those would be considered crown jewels. Where is this data stored? Who has access to it and who is accessing it? Where and to whom is the data sent? Another crown jewel would be the systems your business uses. What critical information system could your business not function without? What would happen if that system went down? A system that is down represents lost money.
Pasquariello informed the audience that insurance policy limits need to be reassessed to ensure businesses are adequately protected against cyberattacks. A $500 million company having a $1 million limit on its policy does not make sense, because it will not cover the cost of lost business in the event of a cyberattack. He said that all industries and companies, regardless of size, are at risk. Insurance will keep a company in business, but it has to match the value of the company.
He also reminded the audience that when people are hit by ransomware, their data is not just encrypted, it is stolen. Therefore, they should make it a priority to update their systems with the latest patches to ensure that the weak entry point exploited by the hacker has been shut down.
In closing, Lazio reassured the audience that solutions can be scoped according to the size of a company and the risk it faces. There are basic, cost-effective things that can be done. Employees must be trained, because over 90% of attacks come in through the workforce. They are an organization’s greatest asset and greatest vulnerability.
Where do you start? Engage with a company you know you can trust, one that is accredited and has experience working with businesses like yours, and allow them to help you develop a strategic game plan. Smith & Howard’s Enterprise Risk Security team will be glad to answer any questions you may have about the steps needed to protect your organization. Please contact Marvin Willis or Martha Raber at 404-874-6244 to learn how your company can better assess its security systems and data risks.