Now the fact of the matter is that cyberattacks don’t have to come from big, well-organized forces. You know, one smart person and one bad person can do an awful lot of damage. It’s something that we have to pay attention to every day.”
– United States Treasury Secretary Jack Lew, October 5, 2014.
Every day – that’s how often you should be thinking about and protecting against cyber threats to your organization.
If you’ve completed an initial assessment of your company’s IT system—which should include an inventory of all sensitive data, ranked by potential risk, along with a basic map of potential breach points, both internal and external—you have begun to understand the threat. This baseline review should merely set the stage and reinforce the reality that cyber risk is and should continue to be an upper management and board level issue, one that is consistently discussed and reviewed.
To facilitate that dialog, start by considering these questions:
- Have new risks surfaced in the last month/quarter/year?
It’s likely the answer to this question will always be “yes.” After all, every new customer, supplier, employee, vendor, computer program or hardware change represents a new entry point into your system. Do any new threats deserve a Top 10 ranking?
- How concentrated are your data locations?
Have you stored information across multiple servers or is everything on just one server, thereby increasing the risk that a cyber-criminal could make a simple lateral move within your system to retrieve more data?
- Have we allocated appropriate resources to IT security?
This includes financial investment in hardware and software, as well as adequate staffing and ongoing employee education.
- Are we monitoring security measures used by third-party and outsourced vendors?
Your company can do everything right internally, but you’re only as secure as your weakest link.
- Do we have an up-to-date, battle tested Cyber Incident Response Plan?
A comprehensive plan should help you identify, respond to, repair, and re-group from a cyberattack.
- Are we actively engaged with a threat-sharing group to aid early identification and reaction to malicious cyber activity within our industry?
Organizations such as Financial Services Information Sharing and Analysis Center (FS-ISAC) provide timely notification and information intended to help companies protect critical systems and assets from security threats.
- Is our cyber liability insurance policy adequate and aligned with our business today and tomorrow?
Of course, MJ is always available and eager to help with any questions or concerns. Cybersecurity should always be a point of ongoing review, so never hesitate to contact us for assistance.