Is your business protected from cybersecurity attacks?
If there was a breach, would you know what to do?
How would you recover, or could you?
Is your business covered by cybersecurity insurance for the loss?
The Commerce Department's National Institute of Standards and Technology (NIST) publishes the Cybersecurity Framework, the de facto standard for organizing a security program. It is built around five core functions: identify, protect, detect, respond, and recover. In today's blog, we discuss three key components of this strategy, remote work/bring your own device policies (protect), incident response planning (respond), and cybersecurity insurance (recover), and how they can help your organization prevent or survive a cybersecurity incident.
Policies for remote work and BYOD
Policies around remote work and bring your own device (BYOD) have been important for years. But with companies moving quickly, and often desperately, to widespread remote work in response to COVID, data and systems are spread further than ever before, frequently without adequate protection. Employee use of personal tablets and smartphones to access business applications, data, and networks has weakened businesses' security because every such device is an additional entry point into the company's network (Ponemon Institute). For example, your employees may access your systems from personal devices that they share with their children. Even when they use company devices, they may connect to your IT infrastructure from many different networks: home one day, a Starbucks the next, their child's school later that afternoon while waiting for practice to end, a remote work site the following day, and so on. A remote worker can easily touch 10+ networks in a single week, and that does not even count employees who travel.
Establishing acceptable use policies for remote work and personal devices is an integral part of a cybersecurity strategy. These policies help you minimize exposure to cybersecurity risks and protect your proprietary data. For BYOD, a policy may require users to register their personal devices with IT, allow IT to install security software (for example, device management and endpoint protection) on those devices, and report lost or stolen devices promptly so access can be revoked. Remote work policies may set rules for passwords and the use of multi-factor authentication (MFA), the security of the networks employees connect from (for example, requiring a company VPN on untrusted Wi-Fi), and more.
Cybersecurity incident response planning
Several metaphors can be applied to incident response planning, but the most apt one is "You can't learn to swim when you're drowning." Trying to work out how to handle a cybersecurity incident after it has occurred, while you are coping with the aftermath, simply will not work. Time is of the essence when incidents happen, and wasted time potentially means more lost data, more risk, and more lost money. An incident response plan, critical for companies in general and often required to obtain cybersecurity insurance, can help.
An incident response plan lays out the step-by-step process, including roles and responsibilities, that your company will follow in the event of an incident. Every action matters for a positive outcome. What steps do you take if your company experiences a cybersecurity incident, and in what order? Who do you call? Can you restore your data, and have you tested that the backups actually restore? Do you need to notify your vendors, partners, and customers? How about the FBI? How will you communicate with your own employees if the systems you usually rely on for communication (email, chat, phones) are compromised or unavailable during the incident? Keep a printed or offline copy of the plan and contact list, since the plan is useless if it only lives on the systems that just went down.
Investing in incident response planning can seem like a luxury expense to small and medium-sized businesses (SMBs). But with 23 percent of SMBs experiencing at least one cyber attack during 2020, and the average breach costing a small business $25,000+ (Info Security Magazine), this small up-front investment can save your company significantly when an incident happens and can mean the difference between your business staying open or closing. Your MSP can help your company develop and rehearse this plan.
Cybersecurity insurance
Insurance coverage for cybersecurity incidents has changed drastically as incidents have grown in number and severity. Several years ago, cybersecurity insurance was typically added as a rider to an existing policy and required no additional effort from the purchaser. Companies did not need much coverage because incidents were uncommon and less costly. Now, with so many incidents costing companies so much money, insurers treat cybersecurity risk the way they treat any other underwriting decision. Getting a cybersecurity insurance policy requires more of the purchaser than it used to, and getting the insurer to pay out after an incident requires even more.
Despite its importance, cybersecurity insurance is used by only 13 percent of SMBs (Info Security Magazine). You may be wondering whether your SMB even needs cybersecurity insurance. The answer is an emphatic "YES!" Every business is vulnerable. Many insurers now require purchasers to attest to specific security controls. For instance, they may require you to complete a questionnaire about the steps you take to protect your business, insist that your company have an incident response plan (discussed above), or demand that you use particular security tools such as multi-factor authentication (which we will cover in a later blog). Answer these questionnaires accurately: an attestation that turns out to be false, such as stating that MFA is enforced everywhere when it is not, gives the insurer grounds to deny a claim or rescind the policy after a breach. The question is not whether you should have insurance, but how much you need, what you must do to comply, and how to make sure the insurer will actually pay if you have a breach.
Technology can be a mess. Let us take it off your hands, so you can do what you do best in running your company. Fill out the form on this page to schedule time with us.