Many of us have been victims of hacking incidents, and we all know of at least one company that has been affected. Every day, cyber criminals are getting craftier. Modern organizations simply cannot afford to have a haphazard approach to cybersecurity.
Not sold? Let’s look at the numbers:
- Global ransomware damage costs totaled $325 million in 2015; these figures are projected to quadruple by 2020.
- Nearly 33 percent of U.S. companies were breached in 2016; of these companies, nearly 75 percent were unaware how the incident happened.
- To avoid public shaming that ensues from a data breach, 14 percent of organizations reported they would pay upwards of $500,000.
To address this pervasive problem, a group of experts immersed in the security field recently sat down during a panel discussion hosted by FinTex at Relativity’s Chicago headquarters to share what their organizations are doing to combat cyber crime.
The Incident Keeping Your Security Folks Up at Night
For Ricardo Lafosse, chief information security officer (CISO) at Morningstar, it really comes down to a deficiency in one application that could jeopardize an entire organization—like the 2017 Equifax breach that compromised the information of nearly 143 million Americans.
“I am always worried that something was missed. For Equifax, it was that one application vulnerability that led to the whole breach,” said Ricardo. “You need to have ongoing situational awareness on your external presence and implement the appropriate controls in place. But, if a hacker does get in, you need to make it extremely difficult to get to that data.”
Last year, ransomware was one of the core threats keeping Joe Rickard, CISO at Incapital, up at night—and rightly so. A 2017 report found mobile ransomware jumped by more than 250 percent during the first few months of that year.
At Incapital, some traders may engage in occasional internet meandering in between optimal trading hours. The thirst for knowledge is almost always beneficial, but visiting certain websites presents “great opportunities to click on the wrong link,” according to Joe.
To evaluate the risk posed by employees exploring the internet, Joe undertook an exercise to determine whether someone in one department clicking on the wrong link would impact the systems that someone in a different department needed to do their job.
Coming from the law firm perspective, Dara Tarkowski, founding partner at Actuate Law, hears many clients voice concern over one thing: reporting an incident to a regulator.
“What people like me do is come in and try to control and manage all the potential spiraling messes that may ensue from a breach,” said Dara, noting potential repercussions of a cyber incident include risking consumer harm, potential monetary losses, and notifying insurance carriers.
“One data breach could result in a company being required to report to regulators in every state in addition to facing potential civil litigation, shareholder/securities litigation if the issues are material enough, and many other problems that companies encounter—all because of one patch that wasn’t fixed,” Dara added.
BYOD: A Best Practice or a Thing of the Past?
Conversations are happening in companies all over the world regarding whether executives traveling internationally should bring their own device for the job, and opinions have changed over time.
“Interestingly, five years ago, everyone wanted to bring their own device,” said Joe. “Now, the climate [around data security] is so complex that the pendulum is swinging back the other way. We’re starting to no longer support people’s personal devices.”
For Jerry Finley, director of cybersecurity and deputy chief security officer at Relativity, the issue is contingent on location and the associated risks. Relativity maintains a list of areas throughout the globe that carry a high risk of cyber attacks. If a Relativian is traveling to one such region, Relativity may provide a laptop equipped to allow for additional forensic analysis to be performed when the employee returns to the U.S.
“It’s really about knowing the environment,” added Ricardo. “Our overall security approach at Morningstar is to protect the data, regardless of the platform it is on. If it is in the cloud or on your mobile device, we ensure the appropriate security controls are in place.”
Knowing the environment also entails knowing the applicable laws, or getting in touch with people who do. To ensure your executives are abiding by the laws in the country in which they are traveling, engaging counsel from the relevant jurisdictions would be a safe bet.
“You should specify this in your policies and procedures, especially if your company has an international presence,” explained Dara. “The more documented and practiced protocols you implement on the front end, the more defensible your organization’s actions are if something happens.”
Why Every Organization Needs an Incident Response Plan
A live cyber incident is not the time to test your ability to wing it. Having a step-by-step plan for what to do and whom to notify is of the utmost importance, especially when it comes to avoiding regulatory scrutiny.
“Being proactive and trying to prevent these incidents is critical,” said Dara. “But, it is equally as important to have checkpoints as part of your incident response plan so you can prevent the domino effect of regulatory and legal problems that ensue from a breach.”
Involving corporate communications in this plan is also a best practice, as they have the expertise to form a statement that accurately and adequately articulates the issue and what your organization is doing to contain it. Ricardo noted that security and corporate communications should communicate often, and not wait for an incident to happen to exchange introductions.
“The first time a breach happens to you is not the first time you should be working with them,” he said. “Have relationships with their team, executive management, and legal. It is also important to know when you should go to the board and follow your breach notification process. This is key when an incident happens.”
An incident response plan spells out the appropriate response for each situation that may arise, such as a ransomware attack.
“This is where having a good disaster recovery plan comes into play,” Jerry said. “Of course, these things can get complicated, but we have processes in place surrounding this type of event that will help us keep a level head if the need arises.”