Bites

2019-09-17

For the busy executive who doesn’t have time to read lengthy articles but wants to stay on top of cybersecurity strategies and thought leadership, Family-Driven Awareness Inc. proudly introduces our easily digestible bites of cybersecurity knowledge. If you like what you see, please keep checking for new updates.

Cyber Insurance – Now What?

If you have cyber insurance, excellent! Now you need to be sure you understand what your contract covers and, more importantly, what it doesn’t cover. You want that question answered well before a breach occurs, along with questions like these: What PR firm will I reach out to for assistance in protecting my brand? What law firm specializes in breach response? Who can help me with a forensics assessment? Which organizations, specifically, does my cyber insurance cover me to work with?

Categories: Cybersecurity, Tips

Cybersecurity Awareness and You!

In April of 2018, Utah-based company HealthEquity reported that 23,000 accounts were compromised in a data breach when an employee fell for a phishing scheme. As a result of human error, information like employee names, deduction amounts and social security numbers was exposed. The HealthEquity breach is hardly an isolated incident in healthcare, or in any industry for that matter. According to research from historical claim data analyzed by London-based consultancy Willis Towers Watson, 90% of all cyber claims stemmed from some type of human error or behavior. While organizations can’t control the actions of cybercriminals and rogue staff members, they can address how employees approach security and mitigate the risk of a breach by strengthening internal cybersecurity habits. Addressing the problem could be a simple matter of conducting training sessions that advise employees to use approved software and apply strong passwords, or of applying common-sense practices around technology access. You don’t even need to start with a massive awareness campaign. Start small, talk to a professional, find out where your gaps are and plan from there.

Categories: Cybersecurity, Facts

Planning Ahead

Gone are the days when cybersecurity could be relegated to the IT department; it is now a C-suite and board issue that requires company-wide attention. By asking the right questions and following a risk-based roadmap for prevention and response, executives can better protect their companies, customers and shareholders. Some tips for you:

  1. Learn the basics. You don’t have to be a coder to play a meaningful role in your company’s cybersecurity efforts. But you should take reasonable steps to learn the foundational elements of cybersecurity.
  2. Identify your crown jewels and understand your network. It is important to have a basic understanding of what kind of sensitive information your network possesses and how your systems store or transmit that information.
  3. Talk to a professional.
  4. Plan for a breach, including managing board or senior management expectations that there should never be one, because a breach likely will occur. A good plan also provides the added benefit of demonstrating to regulators and would-be plaintiffs that you have taken cybersecurity seriously in the aftermath of a potential breach. In the end, corporate executives should treat cybersecurity like so many of the other risks they manage.

Categories: Cybersecurity, Tips

Two Types of Companies

“I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”
– FBI Director Robert Mueller

Categories: Cybersecurity, News

Costs associated with a breach

The average cost of a data breach rose 6.4% year-over-year to about $3.9 million in 2018, according to research sponsored by IBM Security and conducted by the Ponemon Institute. The average cost for each lost record rose to $148 from $141, an increase of 4.8% from 2017, while the average size of data breaches increased 2.2%. It takes an average of 221 days to identify malicious and criminal attacks, and 81 days to contain them. Once a data breach takes more than 100 days to identify, the estimated cost rises by $1.1 million to a total of $4.2 million. Tools that heighten detective or forensic capabilities can significantly reduce data breach cost, researchers noted.

Categories: Cybersecurity, Facts, News

Ransomware and associated costs

When considering the expenses that a ransomware demand could impose on an organization, it is important to understand that related costs, such as forensic specialists, negotiators, breach coaches, and legal and public relations professionals, may be more expensive than the actual ransom demanded. On top of those come regulatory costs, liability and business interruption losses. With human error being such a strong factor in these types of attacks, ransomware attacks are here to stay.

Categories: Tips

When educating an audience

When educating a younger audience (or any audience in the world of cybersecurity), remember everything in cybersecurity begins and ends with the understanding that if you have data, then you have cyber risk. If your audience truly does not believe their data is at risk, your lesson will fall on deaf ears. If you’re instructing someone, start your lesson with stories and case studies on how real this problem is and make them specific to your audience. A high school audience, for example, may not put much thought into statistics on cyber breaches that negatively impact the healthcare industry, but they will certainly pay attention when they know how it connects to them.

Categories: Cybersecurity, Tips

The Cybersecurity skills gap

According to a recent study, the cybersecurity skills gap is only getting worse.

  • 2014: 23 percent of respondents claimed their organization had a problematic shortage of cybersecurity skills
  • 2015: 25 percent of respondents claimed their organization had a problematic shortage of cybersecurity skills
  • 2016: 46 percent of respondents claimed their organization had a problematic shortage of cybersecurity skills
  • 2017: 45 percent of respondents claimed their organization had a problematic shortage of cybersecurity skills
  • 2018: 51 percent of respondents claimed their organization had a problematic shortage of cybersecurity skills

In each of those years, cybersecurity was consistently the largest problematic skills shortage area.

By 2020 this will be an epidemic!

Categories: Cybersecurity, Facts

GDPR and You

GDPR notification of a personal data breach: not later than 72 hours after having become aware of it, notify the supervisory authority of the personal data breach. Here’s what you’ll need to include:

  1. describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  2. communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
  3. describe the likely consequences of the personal data breach;
  4. describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Categories: Cybersecurity, Tips

Breach Coach

Any time you take on a complicated and crucially important corporate project with multiple layers, multiple points of contact, and competing priorities and deadlines, you are most likely going to want to work with a project manager: someone who can manage things as efficiently as possible, allowing you to achieve the desired results with an incredibly effective use of time and money.

When it comes to cybersecurity, one of the most complicated and crucially important projects for a business is responding to a cybersecurity incident. That being said, wouldn’t it be great if there were project managers specifically for these circumstances? There are. They are called breach coaches.

Categories: Tips
