Cybersecurity: Is Risk Management Very Important?
I have spent a lot of time traveling the security circuit and educating myself about the threats of cybersecurity. Last month I had the privilege to participate at the PSA Cybersecurity Congress, a collection of industry experts and integrator executives. The event covered a lot of ground, and although I consider myself up on the times, I was pleasantly shocked with the abundance of new knowledge I took away from it. Here are a few thoughts from my integrator ownership seat and panel moderator perspective.
The Cybersecurity Congress was created by PSA Security to explore and educate about the risk and opportunity that cybersecurity presents to integrators. The congress consists of a broad set of experts. Content was delivered through presentations, thought leadership panels and one-to-many exchanges.
The event started off with some mind-boggling statistics, such as the fact that nine out of 10 small businesses do not have a formal written Internet security policy for employees. Fifty percent of all targeted attacks were aimed at businesses with fewer than 2,500 people. These statistics include most integrators.
For technology integrators there are two areas of risk. There is the risk that their businesses could be compromised by a cyberattack. There is also the risk that an integrator’s service team could implement a solution in a client environment that created a point of exposure. I believe both are equal in the level of exposure to the integrator’s business.
At the Congress event I had a chance to moderate a panel, “Risk Management: Strengthening Your Oversight of Cybersecurity Risks.” The panel focused on the risk to a business and steps to mitigate the risk. I had three industry experts on the panel: one was an expert on network infrastructure and systems, another was a CEO of a cybersecurity liability insurance company, and the third panelist was an attorney/risk management and cybersecurity consultant.
We began by talking about network security and what comes to mind when most people think of IT security in a business. In addition, 44 percent of employees say their employer has no formal policy, training or security requirement they must follow when using their own devices to perform job functions. We talked about the exposure to a business based on the lack of formal policies and procedures. Developing corporate policy for users and the business is important for any cybersecurity business strategy.
Another area of business exposure is the lack of insurance coverage to protect the business from a cybersecurity breach. With the average cost of $1.5 million to resolve a cyberattack, the impact to a business can be crippling. Most traditional business insurance policies fall short of protecting the business, owners and shareholders. This type of insurance is specialized and not offered by all insurers. In addition to insurance, your company must be legally positioned to respond immediately with a formal response plan. The plan should include a communication strategy, corrective action plan and the steps required to reduce any legal exposure.
Based on my experience, I recommend the following steps:
- Create a formal role for ownership of your security environment with measureable outcomes and timelines for mitigating your risk.
- Have a penetration security test performed on your network and systems twice a year.
- Create a formal security policy that addresses the use of personal devices for business use and also home workers.
- Take very seriously software patches and updates.
- Establish a budget line item specific to security investment and governance.
- Make sure your business insurance policy includes cybersecurity coverage.
- Create a contingency plan with specific procedures for responding to and reporting data breaches.
- Consider outsourcing your security to industry experts.
Organizations have experienced a 176 percent increase in the number of cyberattacks since 2010. If you don’t have the expertise to secure your business, you should engage with an expert in the industry. No company wants to make headlines for a cyber-breach; the impact on your reputation and cost to your company will far exceed the investment to secure your business proactively.