Combatting cyberattacks: 5 steps to managing cyberrisks
The frequency and scope of cyberattacks are growing rapidly, with breaches becoming a significant threat to a business’s reputation and sustainability. Various media reports cover large-scale breaches on a seemingly daily basis, but middle market companies are actually at a higher risk of being breached. Just a single breach can result in significant financial, reputational and operational damage, and your business must understand how to effectively manage your cyberrisks.
RSM recently sponsored the NetDiligence 2017 Cyber Claims Study, a critical tool to help organizations not only understand the source of data breaches, but also how to make strategic decisions that address the motivations, targets and damages associated with a breach. The study provides several insights that illustrate how cyber incidents are significantly impacting the middle market, including:
- The study found that 88 percent of the claims were from organizations under $2 billion in revenue. In addition, companies with less than $50 million in revenue were the most impacted, accounting for 47 percent of the claims.
- The study confirms that cyber incidents continue to increase, with the leading sources being hackers (27 percent), lost or stolen devices and rogue employees (20 percent), and malware and viruses (16 percent).
- The “trifecta” of impacted data types—Payment Card Industry (PCI) data, protected health information (PHI) and personally identifiable information (PII)—is the main area of concern in cyber incidents. PII appears in 36 percent of claims, with PCI and PHI represented in 16 percent and 15 percent respectively, primarily because these data types can be easily monetized, while other data types cannot be liquidated as easily.
These figures should serve as a wake-up call for anyone in a small or midsize organization. Your organization is not immune to a breach; you are likely at greater risk of an incident than larger counterparts.
Key steps to protect your organization
With cyberthreats evolving and becoming more prevalent, what can your organization do to reduce the potential of suffering a cyberattack and hopefully minimize the cost should you have an incident? Consider these five key steps:
- Obtain or review your cyber insurance coverage: Even a relatively minor cyber incident can have a significant financial impact on a small or midsize organization. Having adequate insurance coverage can help offset these financial implications.
- Be sure to encrypt your laptops and external storage drives: As evidenced in the study, lost or stolen devices saw a significant increase, with the number of claims nearly doubling. Implementing these protections can be relatively easy and inexpensive for small and midsize organizations, but can have a significant upside by reducing the potential exposure should a device be lost or stolen.
- Implement controls around, and proper disposal of, paper records: The study noted that claims around these records nearly tripled. Having a better understanding of your paper records, controlling how they are accessed and ensuring that they are securely destroyed can help minimize an organization’s potential exposure. Even for small and midsize organizations, implementing better physical control of records and making sure that they are properly disposed of can be another inexpensive safeguard.
- Know the potential of insider threats: While the overall number of insider-created cyber events may be limited, the financial and reputational cost can be significant, especially for small and midsize entities. These threats can manifest as someone stealing trade secrets as they depart from an organization, or undertaking some malicious activity to harm the organization. To help combat this, leadership should ensure that adequate internal controls are implemented and followed. In addition, performing a preliminary analysis of computer activity performed by any critical employee prior to their departure can help to minimize the impact of trade secret data being stolen.
- Understand the specific threats within your industry: Not surprisingly, retail and health care seem to be regularly toward the top of the list in the number of cyber insurance claims, the records exposed and the cost. However, it is interesting to note that professional services and financial services are also high on the list. The real takeaway is that regardless of the business sector, leadership needs to be ever vigilant in trying to protect their organization from potential cyberthreats.
As the survey outlines, no industry or business size is immune to a cyberattack, and small and midsize businesses typically face more acute risks. However, considering these steps and implementing necessary processes and controls can help your organization mitigate potential cyberthreats, and efficiently respond and limit damage if your business suffers a breach.