Businesses in all industries face cyber threats of increasing frequency and severity. It is no longer a question of if your organization will experience a cyber incident, but when. From employment/HR data breaches to operational disruptions to wire fraud and more, today’s landscape is littered with real threats that promise real and costly business impacts.
Earlier this month, our team in Nashville gathered a group of industry experts for a panel discussion on the current cybersecurity environment and best practices for businesses to prepare for and respond to potential incidents.
The following Q&A captures insights from our guest panelists:
Robb Harvey, Partner, Waller Law
Chris Morris, Partner and Senior Vice President, Benefits Communications Inc.
Darren Mott, Owner, Gold Shield Cybersecurity
Corey Ross, CISSP, IT and Information Security Expert, Checkpoint
What are the most common threats facing businesses today?
- Every year, the FBI publishes a report called the IC3 Cyber Crime Report. The number one threat every year is compromise of e-mail for business. The methodology for making it work varies, but it all largely boils down to social engineering. 90% of corporate network breaches will start with a human factor – someone clicking a link somewhere. The reason social engineering works is because someone always clicks on a link.
- From a threat perspective, email compromise is number one from a financial perspective in terms of general loss. Ransomware gets all the news, though business email compromise creates 29 times more loss per year than ransomware.
– Darren Mott
How do you go about building defenses and implementing best practices?
- Once you understand why you should defend your networks, especially something like email, you put technology in place to negate the human factor – AI-based tools like anti-phishing or intrusion prevention. Technology must help you. Anything you throw into your environment related to security will slow down your production. Security basically slows you down, but if you marry the two, it keeps your business going.
– Corey Ross
- When you apply for insurance, the insurance company will give you a multi-page list of things that you must have in order to get insurance. You must have an incident response plan. That must be enough. It must be looked at and tested by the insurance company. You must have an outside attorney assigned as your incident responder or data breach or ransomware responder. … Make sure that when you have an incident, your first call should be your outside attorney. What the outside attorney adds is the umbrella of the attorney-client privilege that you must have. You need that privilege as soon as you have an incident.
– Robb Harvey
What are the misconceptions about cyber risk?
- No one expects to be a victim, and no one believes they have anything that anyone would want. Tell me what your business does, and I can tell you who wants your data and why they want it. There will always be the criminals who want it from a financial perspective. Data is valuable.
– Darren Mott
How do you assess the potential impact of a cyber attack?
- The first step is to have a proper round table discussion with your business area owners, including finance and HR. You need to start with an honest discussion, “If Process A goes down, how long can your business survive?” The average I’ve seen lately is about two weeks before a business has to close its doors. And so, it’s about knowing where that point of failure is and what your maximum tolerable downtime might be. Once you understand these numbers, you can start implementing your technology around it to make sure you can get everything back up and running in the worst case scenario.
– Corey Ross
What can a business do to minimize risk when choosing a benefits technology partner?
- When you choose an employee benefits provider from a benefits administration perspective, you will be sharing sensitive information with them. Make sure in their master service agreement that they have the right insurance limits based on the size of your organization. Also, make sure they have a SOC 2 certification or a HITRUST certification, which ensures that there’s a third party that goes in and reviews their business practices, so you know they’re handling your data securely for you.
– Chris Morris
There are many considerations when creating an incident response plan. What are the critical elements of an incident response plan?
- The key element of an incident response plan is to build your playbooks first. It can take a long time to get a solid incident management plan. Having a playbook that says, “This is what we have to do, step by step for ransomware or a rogue employee or whatever the event may be.” Having this in place will really help calm the chaos.
– Corey Ross
- You can purchase an incident management plan from the internet. I don’t recommend it, but you can buy one. The reason it doesn’t work is because there is no buy-in from anyone at the company, no one really cares. So you need to have a good plan designed for your business, probably provided by your external forensics consultant. And then you really have to rehearse it and buy in. … You need to make sure you have your external forensics consultant on line when you have a breach. You need to make sure you have your outside attorney on call when you have a crime.
– Robb Harvey
Contact your Scott Risk Advisor or Benefits Consultant with any questions about your company’s cyber risk and to ensure you are properly prepared and covered for potential incidents. Stay tuned for an upcoming Risk Matters podcast featuring audio from this insightful panel discussion.