Not a week goes by without news of another high-profile cyber attack: Target, Sony, JPMorgan Chase, just to name a few. Not even the federal government is immune. Just this week, the U.S. government announced that hackers had accessed the personal data of more than 4 million current and former federal employees. And earlier this week the Internal Revenue Service announced that individuals used stolen data to gain access to the tax returns of more than 100,000 people through an application on the agency's own website.
It's clear that information theft is a constant threat that impacts companies on a daily basis. For every big, public incident, there are scores more that go unreported. Cyber crime is a broader problem that's not confined to tech companies and large corporations. The risks are very real for all companies.
The truth is, if you possess personally identifiable information on a lone employee or single customer, you have a cyber exposure. That data doesn't have to exist on a network, either. These days, holding any personal information, even if it exists only on paper, presents a potentially costly privacy risk that falls under the cyber umbrella. Loss can occur as a result of access to networks via stolen credentials or breaches, unsecured or lost mobile devices, or malicious email or Web links.
Regardless of your size or industry, adequate controls are needed to minimize the risks to your sensitive data. Here are five steps you can take to strengthen your cyber risk management strategy:
1. Perform a risk assessment. A critical first step in enhancing your data security is to identify system vulnerabilities and understand how your data is managed and secured. You should have a thorough inventory of the kind of information you have, how much of it you have and where you have it.
2. Educate your team. Everyone is accountable in managing cyber risks, including temporary workers and contractors. Implement a sound internal communication and training strategy on the protection and proper use of sensitive data, including how to recognize and report security threats. Integrate cyber security into employee orientation, with an emphasis on the consequences of sharing passwords, falling for email phishing scams, exposing laptops and USB storage devices to theft, and otherwise neglecting to observe data security policies.
3. Know your vendors. When entrusting personal information to third parties, implement reasonable measures to ensure they have the capacity to protect this information. This means selecting only service providers that are capable of maintaining safeguards for personal information equal to or better than yours, and contractually requiring them to maintain such safeguards. You should also require your vendors to show proof of insurance to provide you with protection if they are the cause of loss.
4. Address portable devices. Accidental loss and theft of laptops, smartphones and tablets are leading causes of compromised data. It is crucial to always encrypt these devices to render the protected information unreadable and unusable in the event of a breach.
5. Make sure you're properly covered. Insurance is an important weapon in this war. According to the Ponemon Institute, the average security breach costs organizations almost $200 for each record that's stolen, or about $5.5 million for the typical company breach. A claim that size could cripple a business without adequate insurance coverage. Ideally, it never gets to that point.
Hallstrom is director of Information Risk Insurance for CNA. He brings more than 15 years of experience in technology, cyber and information risk insurance to his current role. Hallstrom is responsible for network security and privacy issues, underwriting guidelines and engagement with CNA actuarial in the pricing of the CNA cyber product portfolio.
This blog entry has been republished with permission.
The opinions posted in this blog do not necessarily reflect those of Insurance Networking News or SourceMedia.