5 Questions Executives Should Ask to Assess Cybersecurity Readiness
Did you know that cyber crime will cost businesses $2 trillion by 2019 and $8 trillion by 2022? The costs can be extensive, including lost productivity, forensic investigations, reputational damage, fraud and the damages resulting from the theft of personal and financial data, money or intellectual property. Criminals don’t even need to be talented hackers; all they need are inexpensive tools bought on the internet or an unwitting employee who opens a digital backdoor by clicking on a link in an email.
Businesses need to be prepared to deal with cybersecurity incidents because they will happen. According to Robert Mueller, former director of the FBI, “…There are only two types of companies: those that have been hacked and those that will be.”
To help prevent a data breach, business leaders should ask security, legal and IT five big questions about their cybersecurity readiness:
1. What data are we protecting?
Companies need to understand what their “crown jewels” are that need to be protected. These jewels could be financial accounts, credit card data, health records, intellectual property or M&A plans. The answer is likely going to be different for each company. It’s also important to take stock of your company’s crown jewels and determine what laws and regulations apply to your business in safeguarding them.
2. How would a data breach or extended business interruption impact our company?
For some, a breach of client data could have devastating reputational effects. For others, a business interruption that impacts the production line could have an extensive financial impact. What is your worst-case cybersecurity incident scenario? Consider asking that question at your next management meeting. The answers may surprise you.
3. How are we protecting our company’s crown jewels?
Management needs to allocate the appropriate resources to make sure that security is operationalized. This includes updating software and hardware to address current threats, backing up data so that it can be recovered and limiting access to confidential records. Whether you outsource IT services or support them in-house, your controls should also be tested routinely to make sure they are working as anticipated. Penetration tests, email phishing exercises, back-up and recovery tests and incident response tabletop drills are examples of the types of activities that can identify weaknesses and improve resilience.
4. Have we provided our employees adequate training to be successful?
Companies can invest in all the latest and greatest technology to prevent attacks, but people are the weakest link in the security chain. It takes only one person to click a link, disclose a password, misplace a laptop or fall for a fake email from the CEO requesting a wire transfer to cause a major problem. Make sure your employees are trained on how they can help protect the business and what you expect of them when it comes to security.
5. What is our playbook for responding to a cyber incident?
As Benjamin Franklin wisely stated, “Failing to plan is planning to fail.” It’s much easier to react to a security incident when you have procedures in place. Make sure the appropriate team members know what to do, the corrective actions to take, the process for executing those actions and how to ensure they’re in compliance with laws and regulations. Because you’ll likely have public relations, legal, insurance and forensic investigation needs, companies should make arrangements with these vendors in advance. Most importantly, practice the plan by working through your responses to various cybersecurity incidents.
Managing Risk Effectively
Cyber criminals target low-hanging fruit. As a business, you must manage the process of discovering where your vulnerabilities are, putting security measures in place, testing those measures and planning for a cybersecurity event. Whether your business manages security risk in-house, engages an outside resource or relies on a combination of inside and outside assistance, Wipfli’s experienced cybersecurity professionals can help. Contact Jeff Olejnik or your Wipfli relationship executive to learn more.
 “The Future of Cybercrime & Security: Enterprise Threats & Mitigation,” James Moar, Juniper Research, April 25, 2017, https://www.juniperresearch.com/researchstore/innovation-disruption/cybercrime-security/enterprise-threats-mitigation, accessed July 9, 2018
 “Speeches,” Robert S. Mueller III, FBI, March 1, 2012, https://archives.fbi.gov/archives/news/speeches/combating-threats-in-the-cyber-world-outsmarting-terrorists-hackers-and-spies, accessed July 9, 2018