Cybercrime is a multimillion-dollar industry; businesses are fighting well-organized, deep-pocketed adversaries and need to be prepared.
Every business type collects different amounts of data. Some face more risk than others based on the type and amount of information collected.
To minimize risk of cyber incidents, we recommend businesses prepare for cyber threats and implement the following best practices.
Having a documented cyber policy is critical for any organization, and banking businesses are no exception. However, a company cannot simply create a policy and then never do anything with it: business leaders must ensure all employees are familiar with the details of the policy.
A company's cyber plan should address the access to and release of financial information, intellectual property, customer records and employee records. The policy should lay out who has access to sensitive data, how the data is moved, how often it's updated, how it's stored and the technology involved.
A company's cyber policy should also clearly lay out acceptable use rules: can employees use their work devices for personal use? Can security programs be removed from these devices?
Another key component of an organization’s cyber function is designating a member of the organization to implement and enforce the policies. This person should champion the organization’s cyber function, own the budget and manage the hiring process.
As many industries increasingly embrace hybrid work and remote work models in the wake of the COVID-19 pandemic, businesses need a policy that specifically addresses remote work cyber controls.
Though a hybrid work model means that companies have less control over cybersecurity than if employees were in the office five days a week, there are precautions they can take to reduce risks.
Organizations should consider the physical aspects of remote work that need to be laid out in the policy, such as the exclusive use of the organization’s VPN when performing work duties. If employees are using their own devices, businesses should consider having their staff download applications that store and protect client information.
A company’s employees can make or break its cyber policy. Employee adherence is essential to maintaining strong safeguards against cyber incidents.
C-suite members and high-profile partners often have their contact information prominently displayed on company websites and are active on networking sites like LinkedIn, which makes them prime targets for bad actors. It is critical that these high-profile members of organizations follow the cyber policies and set a good example for others.
Another important aspect of implementing cyber policies is training. Organizations should be consistently training employees on the cyber policies and running phishing tests to ensure employees can recognize and appropriately respond to suspicious emails. Yearly cyber response exercises should be held, too, to ensure each member of the organization understands their respective roles should an incident happen.
Responding to Cyber Incidents
If your business waits until it has been breached to pull together a cyber incident plan, you are too late.
Companies must develop a cyber response plan before anything happens and delineate roles and responsibilities to the organization’s stakeholders. The response plan should include multiple “what if” scenarios that are practiced at least once a year.
If a cyber incident does occur, it's important that the business meet the obligations of the state(s) in which it operates.
Businesses could also consider purchasing cyber insurance that covers data breaches and CEO fraud. Oftentimes, the insurance policy will also give businesses access to cybersecurity consultants who can aid in the response if an incident does occur.
Third Party Partners
If a business does not have the capacity to manage its cybersecurity needs, it should consider partnering with a third-party consultant. When evaluating potential partners, businesses should seek out those with proven track records.
Businesses should also ask to speak with other businesses that have worked with the cybersecurity companies before. Successful cyber consultants should be happy to direct companies to current or former clients who can give positive testimonials.
Another way a business can vet potential cybersecurity partners is to come up with a list of the organization's needs or issues and ask the vendor how they would solve or address those problems. That way, businesses can get a sense of what a possible partnership with the company would look like.
Following the above best practices will help companies protect sensitive client data and reduce the risk of experiencing a significant cyber incident.