Hope: A failing cybersecurity strategy

Many companies still skip the necessary measures to prepare for today's threat environment.


“What wire?”

This was the supplier’s response to an email from a CFO trying to confirm receipt of a $365,000 wire.

I was recently introduced to this company, the victim of a fraudulent electronic wire payment request. A ransomware scare quickly followed, leaving the company’s leadership on their heels.

In subsequent conversations, the company listed cybersecurity as a top 10 risk — but rarely did it receive the commensurate attention, funding or resources. Tariffs, production costs and labor shortages clouded their priorities. Until disaster struck.

What followed was a three-week company standstill. Servers, order management systems and email were inaccessible. The company reverted to pen, paper and telephone. Hope was their game plan for responding to a data breach.

Then came a mad dash to interview, price and select a whole host of vendors to coach the client (at full price) through the remediation. Attorneys, a forensics firm, a public relations firm, call center resources and much more were assembled quickly, only to hobble their way through the incident response engagement.

Though I wish these situations were rare, they are not. Many companies are taking exhaustive measures to prepare for today’s threat environment, rehearsing and training to incident response plans. They’re locating, hiring and retaining critical IT security staff to monitor and defend their networks. They’re evaluating cyber liability insurance options and putting robust cyber liability insurance policies in place.

But many, many still are not. Our company has received reactive calls on breaches in nearly every industry vertical this year, from non-profits to financial services, manufacturing and construction. Sadly, attackers are industry agnostic. They’re adapting their methods as our defenses evolve.

There is no way to provide absolute protection against a cyberattack. But there are several simple steps that can limit the disruption for your company and your clients: response planning, effective use of technology, getting the right people on board, and insuring your company properly.

An ounce of preparation

Incident response planning is critical. There are firms to help more mature companies with customized plans, but free resources are available for companies just beginning to think about planning. It’s a complicated and delicate situation, but evaluating all the potential risks is critical.

Consider the myriad of internal and external partners to include after a breach; create processes for logistical issues, such as protecting legal privilege and coping through the first 24 hours; and develop a method for training employees on your plan and auditing it going forward.

Fighting technology with technology

Technology is critical to business and extensively integrated into the everyday life of a company, which is why attackers go to such lengths to find new entry points into businesses’ technological ecosystems.

Manage your technology to operate your business, but place equal emphasis on securing it. Recommendations abound, but the basics include understanding and monitoring your logs, keeping all software up to date and patched, and using two-factor authentication wherever possible. Most importantly, find reliable internal and external IT partners to actively manage ongoing security.
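“Understanding and monitoring your logs” is easy to say and vague to act on. The following is an added illustration, not code from the article or from NFP, of the kind of check a small IT team can run: it parses constructed sshd-style authentication log lines (the format, the account names and the IP addresses are assumptions for the example) and flags the pattern that most often precedes the sort of account takeover behind a fraudulent wire request: a burst of failed logins on one account followed by a success from the same source.

```python
"""Flag a burst of failed logins followed by a success on the same account and
source address. Added example; the log lines below are constructed, not taken
from any real system, and the sshd-like format is an assumption."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, in an auth.log-like format (assumption: adjust the
# regex below to match whatever your own systems actually emit).
SAMPLE_LOG = """\
2024-03-04T08:00:01 sshd[2001]: Failed password for cfo from 203.0.113.7 port 51012
2024-03-04T08:00:03 sshd[2001]: Failed password for cfo from 203.0.113.7 port 51013
2024-03-04T08:00:05 sshd[2001]: Failed password for cfo from 203.0.113.7 port 51014
2024-03-04T08:00:07 sshd[2001]: Failed password for cfo from 203.0.113.7 port 51015
2024-03-04T08:00:09 sshd[2001]: Failed password for cfo from 203.0.113.7 port 51016
2024-03-04T08:00:12 sshd[2001]: Accepted password for cfo from 203.0.113.7 port 51017
2024-03-04T08:15:00 sshd[2044]: Accepted publickey for admin from 192.0.2.10 port 40000
2024-03-04T09:02:11 sshd[2100]: Failed password for invalid user test from 198.51.100.9 port 33011
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse(lines):
    """Turn raw lines into events; lines that do not match are ignored."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ok": m["result"] == "Accepted",
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def find_suspicious_logins(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per (user, ip) pair that accumulates at least
    `threshold` failures inside `window` and then logs in successfully.
    Failures with no later success are not alerted here; they belong in a
    separate, lower-priority report."""
    recent = defaultdict(list)  # (user, ip) -> timestamps of recent failures
    alerts = []
    for ev in parse(log_text.splitlines()):
        key = (ev["user"], ev["ip"])
        # Forget failures that fell outside the sliding window.
        recent[key] = [t for t in recent[key] if ev["ts"] - t <= window]
        if not ev["ok"]:
            recent[key].append(ev["ts"])
            continue
        if len(recent[key]) >= threshold:
            alerts.append({
                "user": ev["user"],
                "ip": ev["ip"],
                "failures": len(recent[key]),
                "success_at": ev["ts"].isoformat(),
            })
        recent[key].clear()  # a success resets the count either way
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_logins(SAMPLE_LOG):
        print("ALERT: {failures} failures then success for {user} "
              "from {ip} at {success_at}".format(**alert))
```

The sample run flags the `cfo` account and nothing else: the `admin` login had no preceding failures, and the `test` account only ever failed. The point is not this particular script but the habit it stands for; a team that cannot answer “who logged into the CFO’s mailbox last Tuesday, and from where” is the team that ends up asking a supplier “what wire?”.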

Partner well

It’s essential to vet and hire key partners to help prevent and respond to breaches. Your triage team should include a data breach attorney, a forensic services firm or a well-equipped managed services provider, and a public relations firm. Having dependable specialists prepared to help you through a breach will vastly reduce the fallout after an attack. Having these professionals available to advise on security concerns and preempt attacks is even more important to the life of your company.

To move beyond the crisis-response mentality when dealing with cybersecurity, maintaining in-house professionals is vital. Hire internal IT resources with background and experience to proactively manage IT infrastructure, inform decision makers and actively engage with company leadership and outside partners in the event of a breach. These professionals can also help craft education campaigns to keep your entire company vigilant.

Invest in protection

Ultimately, no matter how prepared a company is, the experience of a cyberattack in the modern business environment is likely. This makes appropriate insurance the linchpin of any cybersecurity strategy.

The cyber liability insurance marketplace has matured drastically in the last several years. Companies are partnering with well-versed brokers to enhance understanding of product applications, placement, and claims resolution. Companies that have experienced a breach appreciate the value cyber insurance coverage provides, making this risk management line item non-negotiable in subsequent years.

Talking isn’t a solution

For businesses without firmly established cybersecurity practices, protecting a company from tech threats can be daunting. But waiting to act after experiencing a breach isn’t a strategy. Start with a conversation, acknowledge the threat is real, and take real action that aligns with the magnitude of the threat.

Every business is faced with priorities and difficult choices. Taking steps to prepare today — response planning, technology tools, building the right team and appropriate insurance — is a smart approach that protects you, your business and your customers.

Evan Taylor (evan.taylor@nfp.com) is a risk consultant at NFP. These opinions are his own.
