Hope: A Failed Cybersecurity Strategy

Many companies still skip the necessary measures to prepare for today’s threat environment.

By Evan Taylor

“What wire?”

This was the supplier’s response to an email from a CFO trying to confirm receipt of a $365,000 wire.

I was recently introduced to this company, the victim of a fraudulent electronic wire payment request. A ransomware scare quickly followed, leaving the company’s leadership on their heels.

Hope is not enough: Make plans now for a cyber attack on your business.

In prior conversations, the company had listed cyber security as a top 10 risk — but rarely gave it the commensurate attention, funding or resources. Instead, tariffs, production costs and labor shortages clouded their priorities. Hope was their game plan for responding to a data breach.

Until disaster struck. Then, what followed was a three-week company standstill. Servers, order management systems and email were inaccessible. The company reverted to pen, paper and telephone.

During the first few days after the cyber attack, the executive staff was consumed by a mad dash to interview, price and select a whole host of vendors to coach them (at full price) through the remediation. They hired attorneys, a forensics firm, a public relations firm, call center resources and much more — all done so quickly that they could only hobble their way through the incident response engagement.

Though I wish these situations were rare, they are not.

Fortunately, some companies are taking exhaustive measures to prepare for today’s threat environment, rehearsing and training on their incident response plans. They’re locating, hiring and retaining critical IT security staff to monitor and defend their networks. They’re evaluating cyber liability insurance options and putting robust cyber liability insurance policies in place.

But many more still are not. Our company receives calls about breaches in nearly every industry vertical, from non-profits to financial services, manufacturing and construction. Sadly, attackers are industry agnostic. They’re adapting their methods as our defenses evolve.

There is no way to provide absolute protection against a cyberattack. But there are several simple steps that can mitigate the disruption for your company and your clients: response planning, effective use of technology, getting the right people on board, and insuring your company properly.

An ounce of preparation

Incident response planning is critical. There are firms to help more mature companies with customized plans, but free resources are available for companies just beginning to think about planning. It’s a complicated and delicate situation, but evaluating all the potential risks is critical.

Consider the myriad of internal and external partners to include after a breach; create processes for logistical issues, such as protecting legal privilege and coping through the first 24 hours; and develop a method for training employees on your plan and auditing it going forward.

Fighting technology with technology

Technology is critical to business and extensively integrated into the everyday life of a company, which is why attackers go to such lengths to develop new entry points into businesses’ technological ecosystems.

Manage your technology to operate your business, but place equal emphasis on securing your technology. Recommendations abound, but tech security basics include understanding and monitoring your logs, keeping all software up to date and patched, and using two-factor authentication whenever possible. Most importantly, find reliable internal and external IT partners to actively manage ongoing tech security.

Partner well

It’s essential to vet and hire key partners to help prevent and respond to breaches. Your triage team should include a data breach attorney, a forensic services firm or a well-equipped managed services provider, and a public relations firm. Having dependable specialists prepared to help you through a breach will vastly mitigate fallout after an attack. Having these professionals available to advise on security concerns and preempt attacks is even more important to the life of your company.

To move beyond the crisis-response mentality when dealing with cybersecurity, maintaining in-house professionals is vital. Hire internal IT resources with background and experience to proactively manage IT infrastructure, inform decision makers and actively engage with company leadership and outside partners in the event of a breach. These professionals can also help craft education campaigns to keep your entire company vigilant.

Invest in protection

Ultimately, no matter how prepared a company is, the experience of a cyberattack in the modern business environment is likely. This makes appropriate insurance the linchpin of any cybersecurity strategy.

The cyber liability insurance marketplace has matured drastically in the last several years. Companies are partnering with well-versed brokers to enhance understanding of product applications, placement, and claims resolution. Companies that have experienced a breach appreciate the value cyber insurance coverage provides, making this risk management line item non-negotiable in subsequent years.

Talking isn’t a solution

For businesses without firmly established cybersecurity practices, protecting a company from tech threats can be daunting. But waiting to act after experiencing a breach isn’t a strategy. Start with a conversation, acknowledge the threat is real, and take real action that aligns with the magnitude of the threat.

Every business is faced with priorities and difficult choices. Taking steps to prepare today — response planning, technology tools, building the right team and appropriate insurance — is a smart approach that protects you, your business and your customers.

Evan Taylor is a risk consultant at NFP in Charlotte, NC. These opinions are his own. This post originally appeared on PropertyCasualty360.
