Cyber crime will cost businesses $2 trillion by 2019 and $8 trillion by 2022.1 Costs can include damages resulting from theft of personal and financial data, stolen money, theft of intellectual property, fraud, lost productivity, forensic investigation, and reputational damages. Criminals don’t even need to be talented hackers; all it takes are inexpensive tools bought through the Internet or an unwitting employee opening a digital back door by clicking on a link in an email to result in a data breach.
Businesses need to be prepared to deal with cybersecurity incidents because it will happen. According to Robert S. Mueller III, former Director of the FBI, “There are only two types of companies: Those that have been hacked and those that will be hacked.”
Although there is no silver bullet, you can reduce risk and the likelihood of a breach with these 10 tips:
- Know what you’re protecting. Are you handling your clients’ personally identifiable information, such as credit card numbers? From client data to intellectual property to employee records, you need to know what your critical data is. Take stock of it, note how you’re currently protecting it, and determine what laws and regulations apply to your business in safeguarding it.
- Practice good security hygiene. Security is more than doing a yearly vulnerability test. Security must be operationalized to keep your company protected. You need to ensure your organization uses a firewall and antivirus protection, requires employees to use complex passwords, and limits administrator rights so employees can’t download malicious software. In addition, your data should be backed up (and tested), and software updates and patches should be applied as soon as they are available.
- Perform penetration tests. Take your security assessment a step further by hiring a firm to do a penetration test. Testers will attempt to break into your system and gain as much data as possible. In their presentation afterwards, they will show both your executive team and your IT department not just where your vulnerabilities are, but also how much data your business has put at risk.
- Train your employees. It takes only one person to click a link, give away a password, or misplace a laptop to trigger a breach. Make sure your employees are trained on how they can help protect the business and what exactly you expect of them when it comes to security.
- Develop response and continuity plans. It’s much easier to react to a security incident when you have procedures in place. Make sure the appropriate team members know what to do, the corrective actions to take, the process for executing those actions, and how to ensure they’re in compliance with laws and regulations. Because you’ll likely have public relations and legal needs along with forensic investigation needs, identify beforehand the vendors you’ll use in case of a data breach. You don’t want to be negotiating a contract for digital forensics when you need it.
- Encrypt data and devices. From a business perspective, encryption is a great preventative measure because it helps avoid damage to your business’s brand and reputation even if criminals do steal your data (such as through a stolen laptop). If that data is encrypted, it’s far less likely the criminals will be able to access it, and your business will be in a much better situation legally to avoid a costly and embarrassing breach notification.
- Manage mobile devices. Many employees have their company email or other business data on their personal cell phones and tablets. These devices aren’t managed by the business, and they’re a large risk for getting lost or stolen. Your business should have rules in place regarding mobile devices, including that employees create complex passwords and that any corporate data can be wiped if necessary if the device is lost or your employee leaves the company.
- Use multifactor authentication. It is incredibly easy to compromise networks that have poor passwords and no multifactor authentication (MFA). MFA is a combination of two of the following: (1) something you know (e.g., password), (2) something you have (e.g., token or code sent to mobile device), and (3) something you are (e.g., fingerprint). Businesses that implement MFA for all external authentication significantly reduce the risk of an external hack.
- Prepare to show proof. Vendor management will be a priority for your customers, and it should be for you. Document your security policies, complete a SOC 2 report (which provides independent verification that your controls are working like you claim they are), and create a due diligence package. This package should contain a high-level overview of how you protect your information. Providing it to clients and prospects will help them feel comfortable working with you.
- Review your cybersecurity insurance. Does your insurance cover breach notification? The financial loss of a breach? The business interruption and monetary ransom in a ransomware attack? Walk through different scenarios with your insurance broker to identify your coverage gaps as well as what policies kick in and at what levels in the event of a cyber attack.
Cyber criminals target low-hanging fruit. Discovering where your vulnerabilities are, putting security measures in place, testing them, and planning for an event must be performed and managed. Whether your business manages your security risk in-house, engages an outside resource, or relies on a combination of inside and outside assistance, Wipfli’s cybersecurity experts can help.
1 Source: James Moar, “The Future of Cybercrime & Security: Enterprise Threats & Mitigation,” Juniper Research, April 2017.