In this first installment of our cyber safety series, we offer insights into the initial steps you can take to better protect your company from cyber attacks.
Today’s cyber environment can be extremely intimidating. There are a variety of fraud attacks to watch out for, and the increasing number of employees working from home offers cyber criminals even more opportunities to take advantage of unsecure systems and processes.
If you are unsure of where to begin in protecting your business from cyber fraud, address these six areas — assess, encrypt, patch, educate and insure — now for a head start.
Knowing the current status of your cybersecurity processes and technical capabilities is one of the most important prerequisites to protecting your organization against cyber risks.
A well-executed cybersecurity assessment will help you identify the assets most at risk for attack and determine gaps in your ability to secure against a breach. Your assessment should be performed by personnel with sufficient knowledge of technology, and IT and cybersecurity processes and controls. For best results, leverage a cybersecurity framework such as NIST Cyber Security Framework and the Center for Internet Security Common Security Controls to ensure your assessment is thorough and aligned with best practices.
Encryption of data is one of the simplest ways to secure private and confidential data from cybersecurity attacks.
Start by identifying all private and confidential data that could put the organization at risk if they were to be stolen or in any way compromised. In addition to the obvious data that should be secured, such as credit card information and personally identifiable information (PII) and protected health information (PHI) data, also consider data required to be secured by certain regulations such as HIPAA or customer agreements. Also consider risks posed if other confidential company information is exposed, such as plans to acquire or dispose of business units, and research and development of new products.
Be sure to encrypt data at rest and in transit. Also ensure the encryption technology is up to date with current standards.
System vulnerabilities stemming from outdated or unpatched systems create a significant risk of cybersecurity breach. Routinely patching your systems is one of the most important steps you can take to reduce your exposure.
In addition to routinely patching your systems, your patching process should also include activities for identifying and applying off-cycle patches for critical vulnerabilities. For situations where you are unable to apply a patch because of system compatibility or other issues, it’s important to implement other activities to minimize the risk associated with the unpatched system until you are able to resolve the patching issues.
For all our advances in technology, people are always the first line of defense against cyber attacks. The more knowledgeable and prepared your people are, the more likely they will not fall for phishing and social engineering attacks. They will also be less likely to click on a random link or download the latest screensaver app — potentially exposing your entire network in the process.
Provide employees with routine, mandatory training on information and cybersecurity risks, and teach them how your company expects them to identify and respond to possible cyber attacks. With technology and risks changing at a rapid pace, update the content of your employee training routinely to ensure it’s relevant.
While you can take steps to significantly reduce cybersecurity risks, you can never eliminate it completely. Your cybersecurity risk plan should include sufficient cybersecurity insurance coverage to help offset the impact of a successful cybersecurity attack on your organization.
As with any insurance purchase it’s important to make sure the provider is reputable, deductibles are manageable, coverage amount is sufficient for your needs and that you understand exactly what you are getting for your premiums. Also evaluate any existing insurance policies for existing cybersecurity coverage.
In the event of a successful cybersecurity attack on your organization, your first objective will likely be to recover and get back to normal as soon as possible. Routinely backing up critical data and testing for recoverability is critical to your ability to recover from a cyber attack. Ensure your data is backed up with sufficient frequency to minimize any data loss. Consider backing up highly critical data in real-time. Also routinely test the backed up data by recovering the data and processing test transactions to identify any issues.
Contact a member of your service team to discuss this topic further.
Cohen & Company is not rendering legal, accounting or other professional advice. Information contained in this post is considered accurate as of the date of publishing. Any action taken based on information in this blog should be taken only after a detailed review of the specific facts, circumstances and current law.