Posted: March 07, 2013
Top 10 ways to manage cyber risk
The rise of the Internet has its downside
By Katherine Varholak and Brooke Yates
Technology has made business a more efficient, streamlined process. Be it data archiving, communication or research, the Internet has become a necessary component of many day-to-day business functions. Despite the many benefits that technology lends to today’s workplace, however, it’s important to keep in mind its inherent risks. Just as the Internet has made it easier for businesses to store and share data, it has made it easier for criminals to access sensitive information and has increased the risk of unintentional disclosure.
Here are the top 10 ways to manage cyber risk for companies to consider as they work to improve their cyber security policies and procedures.
1. Human Nature Is Your Greatest Risk. Curiosity and trust of unsuspecting employees are the greatest threats to cyber security. Cyber criminals prey on these traits and can create convincing traps to entice employees into inadvertently disclosing data or granting unauthorized access to sensitive information. Beware of suspicious emails, even if you think you know the sender; free or found thumb drives; and the use of technology without robust password protection.
2. Regularly Assess Your Cyber Risk. Consider using a broker or insurance recovery attorney to assess your cyber risk and provide guidance on how to: (1) identify your areas of potential exposure; (2) protect your company from a cyber breach; and (3) have a plan in place to respond to a cyber breach if it occurs. At a minimum, conduct internal audits of cyber and privacy breaches within your company on an annual basis.
3. Create A Qualified Team. Identify key personnel within your company who can be charged with monitoring cyber security. The team should include IT personnel and management-level employees, each of whom should have well-defined roles. For larger companies, consider designating a CSO (Chief Security Officer).
4. Develop Written Policies And Procedures. Develop and implement a written information and security program. Have your cyber team research and implement best practices to protect against internal and external threats. Written policies should describe internal reporting requirements for security breaches and must include a crisis response plan with a clear chain of command.
5. Create A Culture Of Privacy. Review company policies to ensure they create a culture of security and respect for privacy. Update training as necessary to enhance understanding and compliance with privacy policies.
6. Have A Strong First Line Of Defense. Secure passwords are an important tool in preventing cyber breaches. Consider implementing mandatory password protection and login procedures for all electronic devices, including private computers and cell phones that employees use for business purposes. Require passwords to be unique, long and complex. The longer the password, the harder it is for a hacker to crack.
7. Stay Up-To-Date. Your cyber/privacy team must continually stay abreast of developments in this fast-paced area. Remember, cyber criminals are often at least one step ahead. Provide regular opportunities for continuing education for your cyber team.
8. Seek Help When Needed. Many small- to medium-sized companies do not have the capacity to implement the most up-to-date security protocols, making them the most attractive targets of cyber criminals. A third-party data storage vendor may be a valuable resource in maintaining cyber security. Recognize, however, that such vendors (including "The Cloud") cannot assure absolute protection and will likely attempt to disclaim liability for data breaches. The cost of a breach will ultimately fall on your company, both in terms of reputational damage and lost information.
9. Know Your Vendors. If your vendors, consultants and service providers have access to your clients' sensitive information, ask them about their cyber security policies. What are their policies? What is their track record on security breaches? How do they protect the privacy of your information and that of your clients/customers? What is their protocol in the event of a breach?
10. Maintain Adequate Insurance Coverage. Have a qualified broker or insurance recovery attorney review your existing insurance policies for gaps in coverage relating to privacy and cyber security. Consider adding endorsements to existing policies or obtaining specialized cyber policies to fill in any gaps in coverage. Remember, you may need more than one type of policy to cover your risks.
Katherine D. Varholak is an attorney with Sherman & Howard whose areas of emphasis include appellate litigation, insurance recovery, and construction litigation. Brooke Yates is an attorney with Sherman & Howard with areas of emphasis in commercial litigation, construction, and insurance recovery. Sherman & Howard’s Insurance Recovery Group assists companies and other policy-holders in pursuing all manner of insurance benefits.