Minimizing Your Company's Risk of a Cyberattack

Cyberattacks capable of disrupting core operations are now a top operational risk of just about every type of business imaginable. In fact, the U.S. Securities and Exchange Commission has called threats to cybersecurity "the biggest systematic risk we have facing us."

Given the negative impact that data breaches can have, and the level of sophistication shown by hackers in recent incidents, it's better for business owners to think of the risk as not a matter of whether a breach will occur, but when and how.

Whether stored in the cloud or on physical servers, sensitive data — such as financials, intellectual property, business plans, customer information and employee records — represents some of the most valuable assets owned by a business. With this in mind, it's imperative for you and your leadership team to reevaluate, at least annually, what you're doing to protect your systems, where vulnerabilities might lie and how to improve cybersecurity. Here are some best practices to consider.

Think Big (and Small)

Many hackers operate overseas, making them hard to identify, find and prosecute. So, think globally when assessing your cyber risks.

However, it's not only your own defenses you need to worry about. Hacks are often perpetrated via the vendors of the victimized organization. That's because vendors tend to be smaller companies with fewer resources or less motivation to put strong cybersecurity measures in place — and hackers are ready, willing and able to take advantage.

Retail giant Target once suffered a data breach when hackers reportedly obtained information through a third-party HVAC vendor that had access to the retailer's network. The stolen credit and debit card data was then moved to a server in Russia. Although this breach happened a while ago, it still represents a common way that these criminals operate.

Some companies limit outside access to their computer networks, refusing supplier and customer requests to share data. Others require vendors to verify their network security protocols. Some businesses also now use cybersecurity ratings — similar to credit scores — partly based on the amount of traffic to a company's website coming from servers that have been linked to cybercrime. As these ratings become more refined, companies that use them may choose to avoid doing business with high-risk customers and suppliers.

Engage in "Cyberhygiene"

Protecting against cyberthreats is an ongoing challenge, not a one-time event. Every time a hardware or software provider releases an update or patch, systematically install it immediately on every device. Why? Hackers are constantly vigilant about spotting the latest patches and updates because they show where vulnerabilities exist. If the perpetrators are quick, they can exploit these vulnerabilities before users install the fix.

Another useful prevention strategy is requiring employees to periodically change their passwords — as well as to never use duplicate passwords. Hacked passwords can cause a domino effect, because people tend to use the same password for multiple accounts. For example, software developer Adobe once lost 33 million customers' login credentials and, soon after, other websites discovered that their accounts were being hacked using the same passwords stolen from Adobe! As you may have noticed, many companies now require or strongly recommend two-factor authentication to add another layer of login security.

Limit Access

Businesses often have more devices connected to the internet than management realizes. Moreover, when employees take devices out of the office, they expose company data to less-than-secure home networks and public hotspots. Identify every device that needs to be connected to the internet and take steps to minimize off-site risks. Consider limiting which employees can work remotely. For those who do, provide ample training about cybersecurity.

In addition, install encryption software on devices that link to external networks. Encryption may create compatibility issues when sharing data with other companies and slow down data transmission. But it can be a powerful and cost-effective tool in the battle against cybercrime.

Seek Outside Help

Cybersecurity is an important task that few organizations can handle exclusively in-house. Consider seeking outside help to reinforce your current IT policies and procedures. A growing number of small to midsize businesses use third-party consultants to evaluate network vulnerabilities and to test how well employees actually follow the rules.

Another popular security measure is cyberliability insurance. Professional and general business liability policies generally don't cover losses related to a hacking incident. Cyberliability insurance can cover a variety of risks, depending on the scope of the policy. It typically protects against liability or losses that come from unauthorized access to your company's electronic software and data.

Bear in mind that, rather than buy a standalone cyberliability policy, you may be able to add a cyberliability endorsement to your errors and omissions policy. Not surprisingly, the coverage through the endorsement probably won't be as extensive as the coverage in a standalone policy, but this may be a cost-effective move if you've taken other comprehensive measures. To discuss this or other ways to address the costs of the mission-critical issue of cybersecurity, contact your CPA.
