Five years ago, cybersecurity centered on protecting confidential information — personally identifiable information, Social Security and credit card numbers, and personal health information. And it was largely retail, health care and higher education organizations that concerned themselves with it. Now, most organizations recognize their risk of cyberthreats and that the target may not be confidential information, but designs, processes and systems access, which can also be monetized by hackers.
Still, organizations struggle to comprehensively protect themselves from attacks, either not doing enough because they believe it won’t happen to them, or not recognizing gaps in their protections.
Smart Business spoke with Jim Altman, Middle Market Pennsylvania Regional Executive at Huntington Bank, about the ways companies can protect themselves against cyberthreats.
What stops companies from addressing cyberthreats comprehensively?
For a long time, many companies didn’t believe they were at risk for cyberthreats because they didn’t think they had information worth stealing. That mentality has changed. Cyberbreach data shows smaller companies can be quick hits for hackers because they may not have strong IT security due to lack of resources, and larger organizations with numerous access points are vulnerable despite greater security protections.
It’s difficult to fully address cyber risk because there is no box companies can check that says they prevented all the threats to their system. It’s also hard to measure their network security return on investment. Most companies that haven’t had a breach don’t know if it’s because of luck or because their security held up.
What preventive measures should companies take to reduce their cyber risk?
The biggest impact companies can have on threat protection starts with training their employees. Cyber incidents typically start with someone within the organization falling for a phishing scheme, either by clicking on a link or downloading malware. That enables hackers to access an organization’s systems. Once that happens, it’s very difficult to prevent cybertheft from occurring.
One area to focus employee training is phishing testing, in which companies regularly send simulated phishing emails and see who can be tricked into clicking a link or opening an attachment from a suspicious sender. Once an employee fails a phishing test, they can be enrolled in additional training and then sent further phishing emails to see if they are better able to recognize the threats. Companies that regularly train their employees on cyberthreat issues are able to raise awareness and either reduce or eliminate the likelihood of an employee falling for the latest attack.
Another thing companies can do to reduce their cyber risk is to work with network security professionals to find and fix existing vulnerabilities in their systems. They may also do penetration tests to gauge how difficult it is to get into their system and utilize intrusion detection to quickly identify and shut down access by unauthorized users.
Companies should also utilize fraud protection, such as a business security suite from their bank focused on mitigating monetary fraud, and cyber insurance to protect the company from damages caused by a cyberattack when other protections fail.
How can companies mitigate the impact of an attack should one occur?
Companies should take a close look at what their business does today and where they want to go in the future, and identify the cyber risks inherent in their strategic plans. So often, insurance programs are renewed year over year without much thought to how their business has changed. But because of the proliferation of cyberthreats and the interrelation of cyber to other types of insurance policies, cyber is changing the way insurance companies evaluate risk and should equally change how companies think about cyber insurance.
Digital threats are demanding that a company’s insurance policies work together to ensure there are no gaps in coverage in the event of a cyber incident. Companies need to work with an insurance broker who specializes in cyber risk to build a total insurance solution that mitigates the cyber risk associated with their operations.
Insights Banking & Finance is brought to you by Huntington Bank