Security and the CEO–a conversation

scott.suhy@defensative.com
Chief Executive Officer at NetWatcher
February 27, 2017

Two people meet each other at a party (Joe and Sam).


Joe: So, what do you do Sam?

Sam: I am the CEO of a widget company, and you?

Joe: I am a cyber security engineer.


Sam (CEO): You must be busy with all the hacks I hear about in the news?

Joe (engineer): I am.


Sam (CEO): Hackers only attack the big companies; the probability of us getting attacked is low.

Joe (engineer): Are you sure? According to “The State of Cybersecurity and Digital 2016” (*), more than 50% of all companies in 2016 experienced a compromise by an internal or external threat actor.


Sam (CEO): Anyway, we have a firewall and anti-virus, so I think we are covered…

Joe (engineer): That’s good. So bad guys can’t get in, but what if one of your employees or contractors lets a bad guy in? For example, what if they click on a phishing message or download something that causes a problem?


Sam (CEO): So you are saying my employees are the issue?

Joe (engineer): Well, according to a Verizon Data Breach Investigations Report, insiders are responsible for 90% of security incidents. (*)


Sam (CEO): The loss involved in a breach will be so small compared to our revenues. It’s easier to take a chance and write off any losses should they occur.

Joe (engineer): Are you sure? Let me ask: what data do you have that, if lost, would be catastrophic to the company (customer data, employee data, intellectual property…)? Or, what if one of your employees were responsible for setting off a breach at one of your customers (e.g. Target breached via its HVAC vendor)? So there is the loss of the data, but you also need to consider the loss of your reputation (see the state data breach notification laws), the financial costs of dealing with lawsuits and fines, and then the loss of future business (would you give your money to a financial advisor that’s been hacked? Or have your taxes done by a firm that’s been hacked?).


Sam (CEO): But big companies have all the tools (FireEye, IBM, HP, Palo Alto, etc.) and they are still getting hacked. What am I expected to do? This could get expensive quickly!

Joe (engineer): Good security is not expensive, and it’s good for business. Managing corporate policies for items like BYOD and logical access (who has access to what systems, and at what level) is not expensive and is good business. Having an incident response plan for what to do if you are attacked isn’t expensive and is good business. Keeping software and devices updated with patches is not expensive and is good business. Having a cyber insurance rider added to your liability policy is not expensive. Even using a managed security service can be inexpensive if you use the right company (NetWatcher plug).


Sam (CEO): If my company gets hacked, how do you think it will happen?

Joe (engineer): That’s a big question, and it depends on how well managed your company is now. Companies get attacked because their users click on phishing messages, install nefarious software, use out-of-date software like Flash/Java, and send PII over the internet in clear text. Companies also get attacked because they leave doors open by not patching systems that are on the internet. Do you know when the last time was that your IT guys applied patches to your website or other servers on the internet? (Read about Mossack Fonseca if you want to see how this bit a law firm.) A bad actor will get in and either lock you down for a ransom, steal what you have, or ride you into a customer or supplier if they can… Their intent is likely financial gain, but it may be even more caustic.


Sam (CEO): OK, you convinced me… I need to do more. I’ll get my director of IT right on it.

Joe (engineer): That’s good, but most organizations see cyber security as a business risk and have a business executive own the problem (or opportunity, if you see it as good for business) rather than throwing the ball over to IT. This is also something that your board should be reviewing at every board meeting. Did you know that your board members could be personally liable if you are breached?


Sam (CEO): So what do you recommend I do?

Joe (engineer):

1. Like I said, assign a business exec to own cyber security for the company and build a cross-organization audit committee that includes your IT Director as a major stakeholder.
2. Have your attorney review your contracts with customers and vendors for cyber liability issues (having an attorney make recommendations around cyber may also provide ‘privilege’ if you are ever breached).
3. Ensure you have good 1st- and 3rd-party cyber liability insurance.
4. Engage an affordable Managed Detection & Response company that can do continuous monitoring, because anti-virus and firewalls are not enough in a world where unintentional behaviors by your suppliers, contractors and employees are opening up your organization for exploit.


Sam (CEO): Thanks Joe. It’s obvious that you are a great cyber security engineer.

Joe (engineer): No problem Sam. I am always willing to provide advice even though not many executives take action on it… that’s why I ALSO have a great cyber forensics business.
