With each day, companies are becoming more dependent upon their systems and data. While these changes offer significant opportunities and benefits, they also carry many new and significant risks, including cyber security risks that business owners and management need to be aware of.
To protect your business from cyber security threats, it’s time to start thinking like a hacker. What sensitive or confidential data do you collect, store or transfer that could be compromised? And how vulnerable is that data to attack?
The risk is significant for businesses that do not make cyber security a priority. Failing to put security measures and infrastructure in place can affect a company’s reputation, productivity and bottom line, says Christopher Byrd, manager of Security & Privacy, Risk Advisory Services, Brown Smith Wallace LLC.
“Exponential growth in the access to and use of data can give organizations a competitive advantage, but with that comes increased vulnerability for cyber attack,” says Byrd.
The types of organizations being targeted are becoming more varied, says Tony Munns, member, Risk Advisory Services, Brown Smith Wallace LLC.
“Several years ago, the primary targets were financial services and similar organizations, but we are now finding that other companies with a high dependence upon technology are becoming targets for attack,” says Munns. “The size of the company doesn’t seem to matter, as hackers often choose their targets based on ease of attack and availability of data.”
Smart Business spoke with Byrd and Munns about the cyber threats businesses face and how they can maintain data security.
What cyber security challenges are companies facing?
While companies are not purposely exposing themselves to cyber security risks, many have limited resources to understand and address their vulnerabilities. Today, companies are doing more with less at a time when the number and severity of attacks are on the rise. Companies often focus on keeping systems up and running, while information security drops down the priority list. The greatest challenge is that this is a complex area that is constantly changing, requiring expertise and resources that often aren’t readily available to companies. So, increasingly, they turn to a third party that specializes in cyber security to perform a security audit and testing to identify weak points that can be invitations for hackers.
What impact will companies face because of these issues?
There are many potential impacts if sensitive information is not adequately protected, including direct costs such as fines, investigation, notification and legal fees, and indirect costs, including lost business opportunities due to reputational harm. The impact can also depend on applicable laws and regulations, such as:
- HIPAA — The Health Insurance Portability & Accountability Act, which addresses the protection of personally identifiable health information.
- PCI DSS — The Payment Card Industry Data Security Standards, which is aimed at protecting payment (credit, debit) card security.
- GLBA — The Gramm-Leach-Bliley Act, which is designed to protect personal information collected by financial institutions.
Many industries have regulations in place to enforce data security, and there are more regulations being enacted at every level. In addition, virtually every state has adopted data breach notification laws that companies must adhere to. Exposure of personal information can result in hefty repercussions — cost estimates exceed $200 per record lost. For organizations with hundreds or thousands of records, the financial impact can be significant.
Often, as a result of a security breach, company executives find their time and attention consumed by the response, similar to other types of major incidents.
It is critical today for businesses to establish security measures and an infrastructure that protects data so that if security is breached, there is a record of compliance with laws and regulations. Across the board, there is an emphasis on urging companies to get their house in order on matters of cyber security.
How do cyber security breaches occur?
There are generally two basic types of security incidents. First, there are unintentional situations, such as an employee losing a laptop computer containing company data. In these cases, data security is generally not top of mind, as no one plans on these incidents.
The other security threats are very much intentional. There are cyber criminals who make money by hacking into systems and mining data. Once a system is compromised, the attacker can siphon off data or steal money directly, for example by initiating large bank account transfers.
Recently, there has been a resurgence of ‘hacktivists’ — ideologically motivated hackers that attack an organization to damage its reputation because of a political or social stance. Additionally, there have been a number of recent breaches involving industrial espionage, some purported to have been sponsored by other countries. These attackers can stay embedded in a company while compromising information that provides a competitive advantage.
What can businesses do to protect their interests?
The key is to identify security risks and put an appropriate security program in place. A company’s security program should include a comprehensive security policy with assigned responsibility, risk assessment, security control framework, independent assessment and employee awareness. And, for when all else fails, there should be a response program, which should be tailored to meet regulatory requirements and be regularly tested.
Reach out to an expert to get a security risk assessment and begin developing a plan to protect information from cyber threats. When — not if — a security breach occurs, you want to be prepared with a plan to protect your business interests.
Christopher Byrd is manager of Security & Privacy, Risk Advisory Services, at Brown Smith Wallace in St. Louis, Mo. Reach him at firstname.lastname@example.org or (314) 983-1374. Tony Munns is member, Risk Advisory Services, at Brown Smith Wallace. Reach him at email@example.com or (314) 983-1297.