Why should owners, senior managers and board members care about cybersecurity?

According to the IBM Cost of a Data Breach 2022 report, the average cost of a data breach in the United States was $9.44 million. The high cost and the increasing risk of a breach have led the Securities and Exchange Commission (SEC) to propose new disclosure requirements for publicly traded companies. These rules aim to increase transparency by requiring companies to disclose significant cybersecurity incidents and to report on their cybersecurity management practices and board oversight.

Soon, Cybersecurity 101 knowledge may not be enough. These regulations would also require public companies to disclose whether their boards have members with cybersecurity expertise. This would allow investors to weigh that expertise in their investment decisions as well as in their votes on the election of board members and directors.

Cybersecurity 101 for Board Members and the C-Suite:

Cybersecurity involves protecting the information systems of your business and the data that they collect, create, process, maintain, use, share, store, or transmit. Seems simple enough. The complexity comes because attack models, technologies and strategies are constantly evolving – often at a faster pace than your IT staff can react, let alone act proactively.

One of the trickiest parts about cybersecurity is that owners, senior managers and board members often don’t know what they don’t know. Of course, there are many tools and resources that can be deployed to protect IT systems and data, but that’s also part of the problem: which tools, which resources, which strategies?

How do you get started in building an effective cybersecurity defense?

Start here: National Institute of Standards & Technology (www.nist.gov). Gather basic information using a cybersecurity framework like their Cybersecurity Framework (CSF). This will help you develop a basic understanding of your organization’s cyber risk and current cybersecurity posture. Next, think in terms of IPDRR: Identify, Protect, Detect, Respond, Recover. Here is a brief overview.

  • Identify: What data does your organization create, transmit and/or store? This is critical, as you need to know what types of data you have in order to know which compliance requirements you need to meet. If you process credit cards, PCI DSS will apply. Health data may fall under HIPAA. A data classification project should be your first step in understanding your organization’s cybersecurity. Talk to each department head, as even your IT team may not realize all the types of information being processed.
  • Protect: Now that you know what you have, confirm what is currently in place to protect your systems, data, people, policies and processes. All sensitive data should be encrypted and should be accessible only by the staff who need to use it. This simple strategy will lessen your exposure should a breach occur. Two-factor authentication (2FA) can be put into place to require something in addition to a login and password to gain access. That helps, too, and is easy to implement. Remember, a strong multi-factor authentication program will require at least two of the three forms of authentication:
    • Something you know (like a password, answer to a security question)
    • Something you are (a biometric measure like a fingerprint or face scan)
    • Something you have (like a token)

    Additionally, it’s a wise idea to invest in additional security measures such as firewalls, endpoint protection, patch management, and more. If your organization doesn’t have the in-house staff to set up and maintain these tools, bring in an experienced cybersecurity firm. Cybersecurity is no place for on-the-job training.

  • Detect: This is a critical, and often overlooked, piece of the cybersecurity toolset. Since the ultimate responsibility to protect the data falls on the highest rank in the organization, you need to know what is in place to detect unusual behavior on the network. Simply having antivirus software is no longer enough – malware is constantly evolving, and protections that rely on signatures cannot keep up. Operating your own 24/7/365 cybersecurity operations may not be a desirable or workable option. Instead, many companies opt to partner with a reputable cybersecurity firm for 24/7 monitoring and alerting. This allows organizations to get the protection and expertise that comes from highly trained cybersecurity specialists without needing to invest in an in-house security operations team.
  • Respond: Before an incident ever occurs, it’s crucial to have a response plan in place. Do you have the expertise on staff to quickly identify threats, know what action to take, and remediate without compromising logs or other evidence that could be needed if litigation occurs? Most organizations do not, so partnering with a team of cybersecurity experts makes sense. Do you know who will be responsible for leading the efforts? What if the incident occurs outside of normal business hours? Unless you have an experienced 24/7/365 IT security team in place, it’s a smart idea to work with an incident response team to quickly mitigate, minimize and remediate the damage from a breach. In addition to your technical response, you’ll also likely have a public relations or reporting response. You may be required to notify regulators in the event of a breach. In November 2021, the Board of Governors of the Federal Reserve System (Fed), the Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corp. (FDIC) issued a final rule on how banks need to handle and report cybersecurity-related incidents. The proposed SEC rules would expand this ruling to all publicly traded companies.
  • Recover: In addition to getting back to business as quickly as possible after an event, you will also want to use every event as an opportunity to get stronger. Analyze what happened and what has been done to prevent a recurrence. If clients were affected, what kind of follow-up communication will your organization provide to reassure them? How you handle recovery can make a huge difference in the overall cost of the event, so don’t skip over or cut corners with this step.

Understanding cybersecurity is critical for owners, board members and senior managers.

Every organization, even one with a genuine cybersecurity expert at the senior management or board level, can benefit from bringing in a consulting team to better understand the challenges and opportunities facing the company. From baseline assessments to yearly reviews, cybersecurity consultants can offer services such as penetration testing, vulnerability scans, and business continuity planning to help ensure your company is prepared to weather a cyber event.

And that’s where Stratix Systems can help.

Stratix Systems is one of the region’s leading technology solutions partners—with the people, resources and experience to deliver the Managed IT, cybersecurity, document management and imaging support you need: where, when and how you need it. The best practices, the most road-tested options, and the best technologies. Backed by knowledgeable people and the most responsive client and technical support in the business.

Stratix Systems offers clients a robust assortment of flexible, secure managed IT, cybersecurity, and document management solutions, as well as imaging and printing technologies to help protect you from hacks and attacks and support administrative workflows – all with significant cost savings that work with even the tightest of budgets. And of course, we provide knowledgeable tech support every step of the way.

So, if cybersecurity is keeping you up at night, it’s time to talk with Stratix Systems. Call 800-444-2943 or visit stratixsystems.com to learn more about how we can help.
