By Jeffrey I. Ziplow, MBA, CISA, CGEIT
The headlines are full of them. It seems almost every day we learn about a new cyber-attack that has siphoned hundreds of thousands to millions of electronic records. JP Morgan Chase, Home Depot, Anthem, Target and even the U.S. Government have fallen victim to these attacks. Do hackers only attack large companies in hopes of stealing millions of electronic records? In hopes of a large pay day? The answer is simply no. Mid-sized (and even small) companies are at risk too. Sure, the hackers want as many electronic records as they can get. But something is better than nothing, leaving even the smallest companies vulnerable to attack.
As an executive and leader of your company, you ask yourself the simple question: “As a business, are we protected against a cyber-attack?” It sounds simple. We ask our IT manager or outside IT support company, “Are we protected?” You knew the answer before you asked the question: “Of course we are!” So, you got the answer you wanted…but is it the truth? Did your IT group really perform the due diligence required to help you and your company mitigate risk? Are you confident that all the necessary precautions have been taken? Can you sleep tonight knowing that all risks have been mitigated?
I was quite surprised to find that even some of the large companies don’t follow “best business practices” to protect themselves from hackers. Too many times a CEO/COO or IT department assumes that the company is protected without fully testing the controls and protocols implemented for that protection. As a result, in performing risk assessments, we often find “low-hanging” cybersecurity threats that could have been easily avoided.
Get our cybersecurity best practices checklist to identify whether your company/organization has considered a variety of cybersecurity threats that should and can be mitigated. Again, the goal is to mitigate risk; we can never eliminate it!
Through researching the various cybersecurity incidents over the past several years, I have found that many of the exposures identified were a result of one of the checklist’s best-practice items not being applied. If you said “NO” to one or more of these checklist items, you may be at risk for a cybersecurity incident. If you said “I am not sure” or “I don’t know,” you may be at risk for a cybersecurity attack.
However, don’t feel too bad about your response. Many companies with whom we have conducted risk assessments or similar types of projects (businesses ranging from large to small) have failed at least one of the checklist items. In fact, many times a company has implemented sound cybersecurity practices for most of its employees, only to make exceptions for the executive management team. A frequent example is that members of the management team can’t seem to remember their passwords, and, as a result, their passwords never change, or they don’t have the time to receive cybersecurity training. In a recent “phishing expedition” for a healthcare facility, approximately 10% of the employees provided their user ID and password via email to the fictitious internal IT person requesting it. Even more interesting, many of the respondents were part of the organization’s management team.
There is no doubt that the cyber breaches that have taken place over the past several years are using more mature and sophisticated hacking techniques. Nonetheless, more can be done to prevent and/or mitigate these explosive incidents. Focusing on “How can I answer YES?” to all the checklist items is a great start to protecting your company from a cyber-attack. Encrypting key personal information helps to eliminate ongoing exposures as well. Ultimately, implementing these initiatives will reduce risk and hopefully allow you a better night’s sleep.