
CYBER SECURITY: BUSINESS / CORPORATE
Can you afford not to manage your cyber security?

Is your business prepared in the event of a cyber security breach? Now is the time to take stock of your cyber security health: securing information through sound practices, identifying your risk and the types of cyber threats you face, and learning how to guard against them. Cyber security should now be a major concern for any small business owner who collects customer data, including personal information such as date of birth, home address, health records or credit card numbers. A cyber security incident can range from a mere inconvenience to a life-threatening event, or it can put you out of business.

Have you ever wondered, as a manager, CEO or board member, whether your business is prepared to deal with a cyber security failure? Are all the necessary systems in place? Do you have enough resources, and enough careful planning, to keep an attack from interrupting your company's activity and causing financial or reputational damage?

How do data breaches occur? The most common causes are misconfigured systems or applications, followed by user error. Both technical and human errors can end up costing your company far more than the investment it would have taken to strengthen your defenses. At POWERNET, we apply years of cyber security assessment and prevention expertise to help you identify potential vulnerabilities and implement sound data breach prevention practices for securing your sensitive information.

QUESTIONS: How well are you balancing the need to lock down data with tighter security controls against giving your team practically effortless access to the information that drives your success? You can never be sure of your security stance unless you are conducting periodic security assessments.

Companies must now fend off ever-present cyber attacks: cyber criminals, or even disgruntled employees, releasing sensitive information, taking intellectual property to competitors, or engaging in online fraud. While sophisticated companies have recently endured highly public breaches of their technology environments, many incidents go unreported. Businesses are not eager to advertise that they have had to pay a ransom to cyber criminals or to describe the vulnerabilities that the attack exposed.

Cyber Security must be addressed at the most senior levels

In many organizations, cyber security has been treated primarily as a technology issue. Most respondents believe that senior corporate leaders have too little understanding of cyber security risks and their business implications to discuss the trade-offs between investment, risk and user behavior. A few institutions have started to make cyber security a key part of business strategy rather than of technology governance. At the very least, engage a subject-matter expert, such as POWERNET's CIO Consulting Solutions, to fill the gap and gain an outside perspective on your situation. At one company POWERNET helped, the CEO signaled the importance of cyber security by being directly involved with senior security executives in making key decisions. Some organizations have placed divisional chief information security officers in business units, pairing them closely with the senior executives there. Others report cyber security issues to the board's risk committee rather than its technology committee.

Refresh cyber security strategies to address rapidly evolving business needs and threats. We heard many respondents say that CEOs and other senior executives ask how to "solve" cyber security. Corporations need to acknowledge that it is an ongoing battle: new digital assets, and new mechanisms for accessing them, mean new types of attacks. Many corporations already run simulated cyber attacks to identify unexpected vulnerabilities and build organizational muscle for managing breaches. Some have built sophisticated capabilities to aggregate and analyze large volumes of operational data (such as e-mail headers and IP traffic) to uncover emerging threats. In addition, corporations must make cyber security, such as the information security measures that need to be in place before entering new geographies, a key part of the business case for major initiatives and new-product introductions.

What should senior executives do to ensure that cyber security is sufficiently addressed?

At leading organizations, cyber security should be a constant item on the agendas of CEOs and boards. To stay ahead of the threats, executives must engage in an ongoing dialogue to ensure their strategy continually evolves and makes the appropriate trade-offs between business opportunity and risks. We believe this dialogue should start with a number of critical questions:

  • Who is responsible for developing and maintaining our cross-functional approach to cyber security? To what extent are business leaders (as opposed to IT or risk executives) owning this issue?
  • Which information assets are most critical, and what is the “value at stake” in the event of a breach? What promises—implicit or explicit—have we made to our customers and partners to protect their information?
  • What roles do cyber security and trust play in our customer value proposition—and how do we take steps to keep data secure and support the end-to-end customer experience?
  • How are we using technology, business processes, and other efforts to protect our critical information assets? How does our approach compare with that of our peers and best practices?
  • Is our approach continuing to evolve, and are we changing our business processes accordingly?
  • Are we managing our vendor and partner relationships to ensure the mutual protection of information?
  • As an industry, are we working effectively together and with appropriate government entities to reduce cyber security threats?
  • Do we as a corporation carry enough cyber insurance for the risk we cannot eliminate, and do we understand what the policy excludes?

As more value migrates online and corporations adopt more innovative ways of interacting with customers and other partners, the cyber security challenge will only increase. Since the virulence and sophistication of assaults and complexity of IT environments have risen rapidly, addressing this challenge requires solutions that cut across strategy, operations, risk management, and legal and technology functions. Companies need to make this a broad management initiative with a mandate from senior leaders in order to protect critical information assets without placing constraints on business innovation and growth.

POWERNET Security Wheel

Cyber security is a challenging field, and you have probably already seen that even big companies suffer data breaches and cyber attacks, despite having far more resources than you. Your business is likely more vulnerable to attack than you realize, because of the issues above and many more. Cyber security is a concern for businesses of all sizes.

WHAT CAN I DO TO REDUCE THE RISK?

You may not fully appreciate your Internet risk exposure, or you may lack the time or money, or doubt the return on investment. But there are steps you can take to improve security and limit potential financial loss. Here are three questions you should ask:

  1. When was the last time you met with IT management to determine possible areas of concern?

    There are many priorities in a company's daily activities, and sometimes cyber security doesn't rank in the top 5 or even the top 10. But don't be surprised if that leaves you unprepared when an incident occurs. Cyber security isn't just about preventive technology; it requires the awareness and participation of everyone within the organization. A top-down approach, beginning with policies and procedures sanctioned by the business owner or a team of senior managers, conveys to employees the importance of information security and the need for their collective effort to protect the company's assets.

  2. When did you last review your policies, your procedures and the inventory of your company's critical assets?

    Do you have a cyber security policy in place? If not, you should create and implement one to give your team a set of guidelines to follow when it comes to information security. A compliance policy alone won't do. You need one dedicated to protecting your company's confidential information and intellectual property.

    A cyber security policy, or information security policy, ensures that all the hard work you put into building your company is shielded from cyber criminals. It is your written plan for handling every issue related to cyber security, from encrypting and backing up data to managing a crisis in the event of a data breach. POWERNET can help you get started and tailor one to your needs.

    Content is created all the time in your organization. Data flows through numerous channels, but do you have tight defenses around your most valuable assets? It is essential for all key people in the company to know what these assets are and how they are protected. Don't skimp on resources in this respect, because having critical data compromised could have lasting negative effects on how the company operates. Here are some of the elements to include in your company's cyber security policy:

    • Acceptable Use Policy – an Acceptable Use Policy (AUP), acceptable usage policy or fair use policy, is a set of rules applied by the owner or manager of your company's network that restricts the ways in which the network or systems may be used.
    • Internet Access Policy – this policy applies to all Internet users (individuals working for the company, including permanent full-time and part-time employees, contract workers, temporary agency workers, business partners, and vendors) who access the Internet through the computing or networking resources.
    • Email, Passwords and Communications Policy – this policy regulates the way email and other communication channels specific to the company are used. Passwords are the primary means of controlling access to sensitive data resources. Change default passwords on every device and application, and require passwords that are long and are not vendor defaults or known breached values. Many policies still mandate complex character mixes rotated every 90-120 days; note that current guidance (NIST SP 800-63B) favors long passphrases screened against breached-password lists over mandatory periodic rotation, which should instead be triggered by evidence of compromise. Multi-factor authentication should be required depending on the type of data being accessed or the source (such as remote users and privileged accounts).
    • Network Security Policy – a network security policy, or NSP, is a generic document that outlines rules for computer network access, determines how policies are enforced and lays out some of the basic architecture of the company’s security environment.
    • Remote Access Policy – the remote access policy is a document that outlines and defines acceptable methods of remotely connecting to the internal network. It is essential in large organizations where networks are geographically dispersed and extend into insecure locations such as public networks or unmanaged home networks.
    • BYOD Policy – a BYOD policy, or bring-your-own-device policy, is a set of rules governing a corporate IT department's level of support for employee-owned PCs, smartphones and tablets. Without one, unmanaged personal devices on the network quickly become a nightmare.
    • Encryption Policy – the purpose of an encryption policy is to provide guidance that limits the use of encryption to those algorithms that have received substantial public review and have been proven to work effectively.
    • Privacy Policy – a privacy policy is a statement or a legal document (in privacy law) that discloses some or all of the ways a party gathers, uses, discloses, and manages a customer or client’s data. It fulfills a legal requirement to protect a customer or client’s privacy.
       
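    As an added illustration (example code, not POWERNET's own tooling), the following Python snippet shows how the password and MFA rules in the policy list above can be enforced rather than merely written down: it rejects vendor defaults and passwords seen in breaches, screening by SHA-1 hash prefix so the password itself never leaves the host (the k-anonymity scheme used by Have I Been Pwned), and it decides when multi-factor authentication is required from the data class and the source network. The minimum length, the default-password list, the breached-password corpus and the internal network ranges are all constructed assumptions for this example.

```python
"""Password and MFA policy checks (added example; all data below is constructed)."""
import hashlib
import ipaddress

MIN_LENGTH = 12  # assumption: policy minimum for user passwords

# Constructed list of vendor/default passwords; a real deployment would load a
# maintained list from the policy repository.
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "Welcome1", "P@ssw0rd"}

# Constructed stand-in for a breached-password corpus, indexed by the first five
# hex characters of the SHA-1 hash. A client only ever sends the 5-char prefix and
# compares the returned suffixes locally, so the full hash is never disclosed.
_BREACHED = ["letmein123", "Summer2023!", "Company123"]
BREACH_INDEX = {}
for _pw in _BREACHED:
    _digest = hashlib.sha1(_pw.encode()).hexdigest().upper()
    BREACH_INDEX.setdefault(_digest[:5], set()).add(_digest[5:])


def breached_suffixes(prefix):
    """Simulate the range query: all known hash suffixes for a 5-char SHA-1 prefix."""
    return BREACH_INDEX.get(prefix.upper(), set())


def check_password(candidate):
    """Return the list of policy violations; an empty list means the password passes.

    Note: no periodic-rotation check here. Rotation is triggered by a breach hit
    or other evidence of compromise, not by a calendar.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in {p.lower() for p in DEFAULT_PASSWORDS}:
        problems.append("vendor/default password")
    digest = hashlib.sha1(candidate.encode()).hexdigest().upper()
    if digest[5:] in breached_suffixes(digest[:5]):
        problems.append("appears in breached-password corpus")
    return problems


# Assumed internal address space; anything outside it counts as a remote source.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Assumed data classes that always require a second factor.
SENSITIVE_CLASSES = {"pii", "phi", "pci", "confidential"}


def mfa_required(source_ip, data_class, is_privileged=False):
    """Policy: MFA for remote sources, for sensitive data, and for privileged roles."""
    addr = ipaddress.ip_address(source_ip)
    remote = not any(addr in net for net in INTERNAL_NETS)
    return remote or data_class in SENSITIVE_CLASSES or is_privileged


if __name__ == "__main__":
    for pw in ("admin", "Summer2023!", "correct horse battery staple"):
        print(repr(pw), "->", check_password(pw) or "OK")
    print("remote, public data:", mfa_required("203.0.113.5", "public"))
    print("internal, PHI:", mfa_required("10.1.2.3", "phi"))
    print("internal, public data:", mfa_required("10.1.2.3", "public"))
```

    In production the `breached_suffixes` lookup would query a real range service or a locally mirrored corpus, and `INTERNAL_NETS` would come from the remote access policy, but the shape of the checks is the same.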
  3. Do you have a cyber security incident response plan in place? Is there a set of predefined communication guidelines that can be used in the event of a security failure?

    A security breach is a near certainty for businesses today; it is a matter of when, not if, one will occur. Preparedness is key to surviving the fallout. An incident response plan (IRP) prescribes the way a business will respond to and manage the effects of a security attack. Its goal is to limit the damage and reduce recovery time and costs. There are six common categories of cost when it comes to cyber security incidents:

  • Reputation and brand damage
  • Lost productivity due to downtime or system performance
  • Lost revenue due to system availability problems
  • Cost of repair to network & forensics to determine root causes
  • Technical support to restore systems
  • Compliance and regulatory failure costs.

Key Takeaways

Find an Insurance Carrier that Provides More than Just Coverage

At POWERNET, we will help you, at no charge, find a good insurance carrier. Always work with your carrier to ensure that any procedural requirements for coverage are integrated into your final plan. Having appropriate cyber insurance coverage is just as important as having best practice-based policies and procedures in place. Partnering with the right carrier can help you proactively improve your cyber security posture and reduce financial losses. Experienced carriers provide full breach risk management services to help your company prevail in the face of an inevitable security event.

POWERNET works with owners and executive teams to help you get ahead of your cyber security risks. POWERNET offers both hourly and retainer contract rates; if you are interested in our services, call our offices at 256-489-8425 with the type of service you need.