Demystifying Cyber Risk: Executives, Champion Your Cyber Risk Management

Written by Mike Volk, Cyber Specialist at PSA Insurance & Financial Services

Effective cyber risk management involves every part of an organization. Cybersecurity policies guide employee behavior and shape culture. Cybersecurity training helps employees — from IT staff to administrative professionals to C-suite executives — understand and protect the organization from cyber threats. Technology helps enforce policies and provides essential defense and detection capabilities. But any initiative on this scale — one that impacts the entire organization — will succeed or fail based on the vision and engagement of executive leadership.

Developing and implementing an effective cyber risk management strategy is a vital element of your business’ success. Yet, for many leaders interested in improving cyber risk management, getting started can be one of the hardest parts. One crucial aspect of this strategy is ensuring compliance with ISO 27001, a globally recognized standard for information security management systems. Adhering to ISO 27001 not only helps in mitigating cyber risks but also establishes a structured approach to safeguarding sensitive information, enhancing your organization’s overall cybersecurity posture.

Today, I’ll provide foundational information on the nature of cyber risk. My goal is to help you and your Information Technology team be on the same page when discussing cyber risk and how it can potentially impact your business. Then, in an upcoming post, I’ll provide best practices you can follow to begin a cyber risk review, which will help you better understand your unique cyber exposures and aid in creating a high-level cyber risk profile for your organization.

What Is Cyber Risk?

Cyber risk is typically portrayed as a mysterious hacker hiding in the shadows, breaking into your network and infecting it with malware.
In reality, your organization’s cyber risk is composed of a variety of factors — some that are unique to your organization, and some that are pertinent to all businesses. The diagram below provides a simplified visual representation of a cyber risk equation that helps define cyber risk.

Figure 1. Cyber Risk Equation

Why Is Cyber Risk Different from Traditional Risk?

The complex nature of cyber risk makes it unique compared to traditional risks. For example, one familiar risk category for most organizations is their physical property. On any given day, it is possible that your property could be destroyed by a fire, flood, storm, vandalism or other incident. In this instance, there is a maximum loss value associated with the property, making the risk linear and relatively predictable based on historical data and other known factors.

In contrast, internet-connected technology creates a risk model that is fluid and unpredictable. By “plugging in,” each business, person and device becomes a node in a complex global system. In this system, cyber risk has the potential for exponential growth that is difficult to plot on a graph or predict with historical insurance models. For example, if the network of an organization is infected with a virus, it is possible that the virus could damage the enterprise’s network and spread to every vendor, client, individual or other third party that is connected to the infected network. The virus may also allow a criminal to steal money or sensitive data, leading to other financial and legal implications for the business.

Physical damage, such as a building burning down, could be devastating and may impact other nearby buildings. However, it is not possible for the fire to spread to the buildings of every third party that interacts with your business, or to lead to other unpredictable consequences like those a business might experience after a major data breach.

Effectively Managing Cyber Risk Is Now a Cost of Doing Business
It is important that decision makers begin building a baseline understanding of cyber risk, why it is challenging and how it impacts the organization. It’s also important to acknowledge that managing cyber risk is not free, and it requires a time commitment. Smart leaders are beginning to understand this reality and are facing the challenge head-on.

The good news is that with the right information and approach, most leaders have the skills to guide the holistic cybersecurity strategy for their organization, even if they are not technical experts or directly involved in implementation. As a leader, simply placing an emphasis on cybersecurity as an enterprise priority is a good place to begin. Armed with a foundational understanding of cyber risk, a cyber risk profile specific to the organization, and the right internal team and external partners, every leader can help reduce risk and position the organization to be more resilient in today’s complex technology-driven environment.

In an upcoming blog post, we’ll outline the steps your organization can take to get started with a cyber risk review. In the meantime, if you have questions about how to increase your organization’s cyber resiliency, contact me at mvolk@psafinancial.com.

Information contained herein is generic in nature and provided by sources believed to be reliable. It is for informational purposes only and is not guaranteed as to accuracy, may not reflect our current opinion, and is not intended to replace the advice of a qualified professional. All rights reserved. No reproduction in whole or in part is permitted without the express written consent of PSA. PSA Insurance & Financial Services, its affiliates and employees are not responsible for the content of other web or social networking sites. PSA Financial Advisors, Inc. is a Registered Investment Advisory firm located at 11311 McCormick Road, Hunt Valley, MD 21031, and may only transact business in those states in which they are registered or exempted from registration. Contact our office at 410 821-7766. To protect your privacy, do not send personal information via the internet.
Employees & Small Business Security

With the alarming evolution of the recent Equifax breach and Tuesday’s shocking announcement that Yahoo’s 2013 data breach impacted every single customer account that existed at the time, identity protection has become a topic of both priority and panic. What can your business do to protect YOUR sensitive data? Our client, national identity protection services leader EZShield, thankfully provides easy-to-understand advice and solutions in this month’s guest blog.

Written by Eugene Bekker in Business Protection

Small Business Security: Employee Security Awareness

Let’s face it: without the proper employee security awareness and training in place, your employees won’t be able to recognize and address the risks that are actively targeting your business. Between good password habits, data breaches and business email phishing scams, you have a lot to consider when it comes to your business security. Your employees’ security habits in the office (or lack thereof) can significantly impact your overall business security. Follow us through Part 1 of our Small Business Security series, where we discuss three major security risks to your small business and how your employees can make or break your business’ security.

Making or Breaking Your Business Security

As a small business owner, protecting your sensitive business, customer and employee information is not always top of mind. But small businesses are especially unique in terms of security because of their small size.

Data Breaches

Small business owners are often led by the misconception that their businesses are not targeted in data breaches. However, smaller businesses mean smaller budgets – which in turn usually means decreased IT security. Contrary to popular belief, 61 percent of data breach victims in 2016 were businesses with under 1,000 employees. The financial losses from small business data breaches – averaging around $665,000 – are enough to put 60 percent of SMBs out of business within 6 months.
Employee Impact: The Ponemon Institute found that 48 percent of small business data breaches were caused by employee error. Interestingly enough, nearly 30 percent of employees said data breaches were an “average” priority on their list.

Password Security

Simply put, weak passwords = weak business security. Emphasizing strong passwords is key when it comes to effective employee security awareness training. LastPass found that 61 percent of us are more likely to share work passwords than personal ones. But sometimes it’s necessary for your employees to share passwords at work in emergencies, through team-sharing accounts, or when delegating work to others.

Employee Impact: Unfortunately, 59 percent of small business personnel said they did not have visibility of their employees’ password practices. This is especially concerning because 20 percent of employees are using easily hackable passwords in the office, and 7 percent are using passwords that have been previously compromised in a breach.

Phishing

Whether it’s to steal business funds, sensitive business, customer or employee data, or to install harmful software onto company devices, phishing emails can impact businesses of all shapes and sizes. Phishing attacks have been on the rise since 2004, significantly increasing 65 percent between 2015 and 2016. Since 2015, more than $3 billion has been lost to business email compromise.

Employee Impact: Employee security awareness of phishing attacks is so important because 91 percent of hacking attacks started as phishing emails last year. However, 97 percent of people around the world cannot identify a sophisticated phishing email.

Fail to Plan, Plan to Fail

Every business’ security program will be different simply because every small business is unique. Your business’ security program should appropriately address the information your business handles, and how your employees could potentially impact that information.
The PCI Security Standards Council suggests you consider the following eight areas when creating your own business security program:

Authentication: Are my employees creating strong passwords and using multi-factor authentication or password manager services?

Network Connection: Are my employees using secure Wi-Fi networks and aware of the numerous hacking and IoT vulnerabilities?

Access to Devices: Are my employees using business-approved devices in the office?

Physical Security: Are my employees physically protecting work-issued devices and sensitive business information, especially while travelling?

Data Encryption: Are my employees properly handling encrypted business, customer or employee information?

Back Up: Are my employees regularly backing up data so that it can be recovered if it’s ever lost or stolen?

Software Installation/Patching: Are my employees regularly updating software with the latest security patches?

Basic Security Hygiene: Are my employees considering basic preventative measures they can take – anti-virus programs, firewalls, good email and password habits – to further secure business information?

What Should I Do?

Get a head start by using the checklist above to see where your current security program may be lacking. Stay tuned for Part 2 next month, where we’ll show you ways to make business security in the office more fun for you and your employees.

The views and opinions expressed in this article are those of EZShield Inc. alone and do not necessarily reflect the opinions of any other person or entity, including specifically any person or entity affiliated with the distribution or display of this content. Originally published by EZShield on their “Fighting Identity Crimes” blog.
Is Your Business Taking the Proper Steps to Minimize Digital Risk?

With technological advances, there comes a heightened technological risk. Cyber-attacks are increasing at an alarming rate, targeting almost 3 out of 4 small businesses. By putting a security plan in place, a company’s level of threat decreases dramatically. Ultimately however, leaders must take the initiative to protect their people, secure their assets and strengthen their brands!
Breach Response Planning – Most Plans Fall Short

Dealing with a breach is one of the most stressful and very real situations any executive team will face. One of the first calls should be to an experienced crisis management team and/or PR firm familiar with breach response.
Data Breach: Not “If,” But “When”

Imagine everything from cell phones, automobiles and even coffee makers having network connectivity. Find out what can be done to help companies minimize data breach risk.
Inside the Home Depot Data Breach

Home Depot’s recent data breach became the largest retail breach in history. Home Depot has faced criticism from numerous angles since the reports of this incident broke. It is always crucial to tell your story when all the facts are accounted for.
Large Company Data Breach

The Fallston Group engaged with a large company that experienced a significant security breach of sensitive patron credit card information. Our team quickly sprang into action and developed and executed an assertive strategic crisis communications plan maximizing positive stakeholder opinion and trust in the company.
Cyber Attack – Is Your Business at Risk?

The average financial hit is almost nine thousand dollars when a company becomes the victim of an attack. Follow these simple steps to decrease your chance of becoming an easy target.
Target Security Breach Affects 40 Million

Target faces multiple lawsuits after a security breach in which about 40 million customers had their credit and debit card data taken.
Cyber Attack: Don’t be a Victim

October is National Cyber Security Awareness Month. All businesses are at risk of cyber attacks on a daily basis. Read more about what security measures can be taken to assist in preventing the reality of these threats.