National News
A solid cyberpreparedness plan
May 14, 2015 posted by Steve Brownstein
Small businesses with large customers have emerged as a growing ID theft and data breach target as cybercriminals realize that many small business vendors to large organizations have weak data breach defenses, if any at all.
Cybersecurity and cyber-risk assessments, with an emphasis on vendor due diligence, were key topics of discussion at the Risk and Insurance Management Society (RIMS) annual conference in New Orleans last week.
The sessions centered on cyber and identity theft risks rather than on insurance, echoing the concern other experts have been voicing about the significant lack of cyberattack preparedness and the ID theft vulnerability of the small business market segment.
The most common cyber-risks identified at the RIMS conference follow; addressing them helps you protect and defend against ID theft and minimize the impact should your business be hit.
• Failure to complete an annual information security assessment.
• Failure to complete vendor due diligence – a big hot spot for hackers and ID-theft criminals.
• Failure to know about and understand state and federal breach notification laws – which can put a small business out of business.
• Failure to have formal breach incident response plans in place that outline procedures for protecting data and vendor networks.
• Failure to complete effective pre-employment background screening – to spot those who intentionally misrepresent their identities.
Some industries are especially attractive targets for cyberthieves. If your company has customers in education, financial institutions, financial services, health care, hospitality, or retail, you are a bigger ID theft target.
Karen Miller, who is the senior treasury and risk manager for FireEye, a leading cybersecurity and malware protection firm, made it clear that businesses need to learn how to be "resilient" by understanding their risk profile and having an appropriate information security policy and plan.
"Resiliency" has become the key word for how businesses cope with the challenges of cyberthreats and the eventual data breach event: being "compromise ready." She remarked that small business vendors are being scrutinized more as big organizations conduct deeper cyber-related due diligence before hiring vendors.
This creates an opportunity for a small business to distinguish itself by being a standout on cybersecurity plans and measures; it is a good point to add to your marketing to help you win business from competitors who aren't as prepared.
Miller said that every business, small and large, should consider having a formal vendor due diligence policy and program in place to vet the potential information security risks in working with any business partner or vendor.
Every business – especially small businesses that serve as vendors to larger businesses – must strengthen information security and governance by completing the following three action items:
• Use technology to keep hackers out and detection capabilities to know when they break in.
• Implement quarterly or annual mandatory security training for employees.
• Document security policies and programs in writing, including incident response.