While we reap the benefits of information technology in all aspects of our daily lives, we seldom comprehend what’s going on in the background or consider the potentially costly risks it ushers into our organizations.
Effective enterprise risk management requires knowing and evaluating exposures throughout your systems, including your cyber and data breach risks. The fact that you may not easily relate to the IT staff or comprehend all the technical details does not mean that you can neglect these that are becoming more important, and more risky, all the time.
Unfortunately, many business leaders don’t consider their own cyber risk correctly or accurately. In my business, I help employers manage and prevent risk. When we discuss the risks associated with IT and cyber security, I hear some common myths as to why the employer does not need to be concerned.
While financial institutions, healthcare organizations and retail companies are rightly seen as high-hazard businesses when it comes to holding a lot of confidential data, all businesses hold some.
Many may think an old line manufacturing company has little or no exposure to a network security event. However, they undoubtedly hold data on their current employees, and probably have information on employee prospects as well as recently-terminated employees. They also likely hold the design plans of key customers, acquisition targets and partners. Virtually any business has billing records of many customers on hand, which often contains sensitive data.
There are virtually no businesses without any exposure to a network security event. The exposure varies from business to business in differing levels of financial or reputation implications, but every business has risk. It is important to understand the type and amount of information your firm holds, and also the ramifications if a breach were to occur.
If your client, employee or business partner trusts you with confidential data and it is compromised, it will certainly cause frustration, but it could also result in a lost customer, damaged reputation or financial loss. The perception will be that it was your fault and that it’s your responsibility to repair any damages.
Using a third party vendor may actually present more exposure to your business. As your systems link with other systems and connect with other companies’ data, you take on the added exposure of potentially corrupting or breaching the data of multiple businesses due to your processes and your people.
Also, just because a third party vendor is providing a service for you, it does not mean that they are assuming all of your liability. It’s important to fully understand the indemnification agreements and hold-harmless contractual wording in place with the third party vendors, and to verify that they have adequate resources, including insurance, to back their indemnification obligations to your business.
Bank robberies still occur despite protective measures like time-lock safes, armed guards and other security measures because that is where the money is. The same is true of data breaches. They occur multiple times every day to all sizes and kinds of businesses because that is where the data is.
Consider the recent Sony case. This is an example of a large, sophisticated company with the latest and greatest technology protection that was hacked with apparent ease. Businesses with the best controls still have data breaches. You can’t engineer the people-factor out completely: Laptops get stolen, and PDAs get left in airports.
There have been reports of the FBI, the State Department and multiple Fortune 500 companies being hacked despite sophisticated control measures and teams of people working to protect their systems. When an IT manager says their systems are impenetrable, that person is either extremely naïve or horribly overconfident.
This is very untrue. In fact, the Wall Street Journal reported that many small to midsize companies are being targeted by sophisticated, organized crime units because of their naïve approach to data security.
According to the report, “In 2010, the U.S. Secret Service and Verizon Communications Inc.’s forensic analysis unit, which investigates cyber attacks, responded to a combined 761 data breaches, up from 141 in 2009. Of those, 482, or 63%, were at companies with 100 employees or fewer. Visa Inc. estimates about 95% of the credit-card data breaches it discovers are on its smallest business customers.”
Accepting that your business has technology or cyber risk is the first step toward protecting your operations against harm. The next step is to gain a basic understanding of the systems you have in place – what do they really do, what information is collected, how are they are interconnected, which vendor relationships are data sensitive, and what protections have already been established. But this is only a start.
There are several other things to consider:
A key to this is to find help where you can. High-priced cyber security consultants are great, but they just aren’t feasible for many businesses, especially as margins are tightening for so many employers.
Finding a qualified insurance agent or broker who can help you diagnose your risk and then help design measure to reduce the risk you and your company face is a great start. The best agents or brokers are able to provide this service as an added value.
About the Author
Dan Hanson is Director of the Management Liability Group at risk prevention firm RJF, a Marsh & McLennan Agency LLC company, based in Minneapolis. He designs programs to help companies manage and reduce risk exposures. He may be reached at 763-548-8599 or firstname.lastname@example.org.