As we continue to push forward in this age of instant access to information, the notion of “Cybersecurity” won’t be leaving us anytime soon. Recently, ExponentHR hosted a Lunch and Learn, where our panel of cybersecurity industry experts discussed options for managing this growing frontier. The key takeaway is that organizations must take a comprehensive, enterprise-wide approach in order to protect their customers and prevent disruption to their business.
Implement good processes and policy.
Satish Gopalaswamy, a cybersecurity risk analyst, warned that most breaches can be prevented by taking deliberate steps to ensure that your organization has good cyber hygiene. Good cyber hygiene can be achieved through strong cybersecurity policies and systems, as well as employees following those policies closely and practicing good personal cyber hygiene. The first part seems to be the easiest to accomplish, through diligence in system selection and a sufficient audit process (more on that later), but the second, and possibly the most at risk, is the employees: their knowledge of cyber policies and their ability to adhere to them.
It takes a village so train them well.
The majority of breaches happen because the foundation of an organization, its employees, is not properly educated on the company’s cyber protocols. A company can have all the best rules and regulations in place, but unless every employee is aware of these practices and strictly adheres to them, the organization’s vulnerability increases. While the policies and system selection typically take place among the IT and executive team, the ongoing education of employees falls within the HR team.
Trust but verify.
In addition to knowing what puts your organization at risk and implementing processes and procedures to mitigate that risk, it is equally important to invest in audits of those controls to ensure that you are continually protected. Ben Lozano, of Montgomery Coscia Greilich, reinforced the importance of confirming that your cybersecurity controls are well-designed, implemented, and monitored. Without the assessment of these controls, the organization sacrifices resiliency to a cyber-attack.
You’re not alone – seek help.
Possibly the most terrifying element is navigating your legal obligations to secure client and employee data and the legal ramifications that arise in the event of a breach. This is where insurance and counsel come to the rescue. Kara Altenbaumer-Price, a Senior Vice President with USI and licensed attorney, noted that although properly built insurance plans make it possible to transfer the financial responsibility of a breach, you can never reassign the legal responsibility. Cyber liability insurance, although new, has robust capabilities to mitigate your risk exposure by offsetting costs associated with a breach, including investigation, business losses, privacy and notification, lawsuits and extortion, ultimately allowing you to focus on your business.
In addition to protecting yourself through cyber liability insurance, Bob Chadwick of Selzer Chadwick and Soefje, LLP, advises consulting a cyber law counsel before a breach ever happens in order to protect yourself and remain educated on your legal obligations.
By the end of the event, our panel had laid the groundwork for navigating the uncharted territory of protecting from and preparing for a cyber-attack through education, audit, insurance and counsel. A special thank you to Kara, Satish, Ben, Bob, and our moderator Fidel Baca for their insights and guidance.