Tag: cybersecurity

Cyber-Attacks: Not IF but WHEN

“There are two kinds of companies. Those that have been hacked and those that have been hacked and don’t know it yet.” – Mike Rogers, Former Chairman of the House Intelligence Committee

The December KRS Insights Breakfast featured guest speaker Michelle Schaap, an attorney and cybersecurity expert with Chiesa Shahinian & Giantomasi, who spoke about how to protect your company from cyber-attacks. For those who missed the breakfast, we wanted to share some of Michelle’s eye-opening insights and recommendations.
Protect your company from cyber attacks
Here are some of the many reasons why it is important for your company to start paying attention to cybersecurity:

  • More than 70% of cyber-attacks are against small to medium-sized companies.
  • IRS and other regulations across multiple industries require that you have cyber-insurance.
  • If your company gets hacked, you’re in breach of confidentiality clauses in contracts you have with other entities.
  • Getting hacked can put you in breach of your website’s privacy policy and FTC statutes.

As Michelle pointed out in her talk, timing is everything in detecting a security breach. The average time it takes a company to detect and identify a breach is 20 to 582 days and the average time to contain a breach is 7 to 175 days. “That leaves your company’s ‘Crown Jewels’ exposed for far too long,” she noted.

Data breaches are costly

In 2015, reported losses totaled over $1 billion, according to the Internet Crime Complaint Center. In the U.S., the average cost of a data breach was $217 per record. That means for a breach that involved 5,000 records, your company is looking at $1 million in tangible costs. There are intangible costs as well, such as the cost of business interruption, lost customers and lost trust.

Not surprisingly, 50% of small businesses that experienced a data breach are out of business within the following year.

Preparedness is from the top down

“You should be doing this yesterday,” said Michelle. “The bad actors update malware all the time and you need to keep up with the storm. It’s not once and done.”

She emphasized that the best way to get and stay prepared is to have the commitment to cybersecurity start with your organization’s senior executives. From there, it can work down through the organization from the Chief Information Security Officer (CISO) through the IT department and out to employees and third party vendors. “If your company doesn’t have a CISO, consider bringing in an outside consultant to fill this role. You need to invest in this,” she commented.

Data is everywhere – and needs to be protected

You need to be prepared and protected anywhere you receive, create, store, access, manage, transmit or use confidential or otherwise sensitive data. This includes locations outside your office.

“Wherever sensitive information will be accessed – whether it’s a hotel, Starbucks, or an airport – you need to protect it. The bad actors travel with devices that skim off computers,” said Michelle. “So you need to be mindful about where you are when you access data on your laptop.”

You also need to protect equipment such as copiers, cell phones and other devices, as well as the physical environment and technology which may store sensitive data and be vulnerable to hackers.

Have a plan

Today, more companies are required to have cyber-insurance coverage. To get coverage, you need to have a cybersecurity plan in place that includes policies and procedures for identifying and assessing vulnerabilities, mitigating risk, monitoring and detecting breaches, and responding and recovering from them.

“The day you discover you have been hacked is not the day to figure out how to respond,” said Michelle.

The good news is that you don’t have to figure this all out on your own. There are risk frameworks, such as ISO 27001 and the PCI Security Standards, which can help you prepare your cybersecurity plan. Third party consultants can also assist your firm in planning.

We’ve got your back

At KRS CPAs our goal is to make it as easy as possible for you to get the advice and counsel needed, so you can focus on what matters most to you. The KRS Insights Breakfast Series offers timely and relevant information from experts like Michelle Schaap, who can help you stay knowledgeable and prepared.

Visit our Insights page to subscribe to our newsletter and you’ll be notified about upcoming breakfasts plus other KRS news, events and resources.

Michelle Schaap practices primarily in the areas of cybersecurity preparedness and technology, construction law, corporate and commercial transactions, and franchising.

If you are concerned about your organization’s cybersecurity, contact her at 973.530.2026 or [email protected].

Cybersecurity Mistakes You Cannot Afford To Make

Companies can’t afford to be asleep at the wheel when it comes to protecting personal and corporate data. Below are the five common mistakes you can’t afford to make when it comes to protecting assets from cyber-attacks.

Mistake #1: Assuming you’re not a target

Protect yourself from cyber attacksWhether large or small, organizations in every industry are vulnerable to attack. The stories that make the news headlines are usually about theft of credit card data or personal identity information. As a result, companies that don’t handle this type of data often believe they are not a target. All companies need to recognize this risk and work to detect and prevent the devastating damage cyber-attacks can cause. While developing your plan, consider your organization’s response if it does happen to you. This will help you react faster and potentially minimize the negative effect of a data breach.

Mistake #2: Approaching security as just an IT Issue

Many attacks come from the inside of an organization as a result of misuse, theft or loss of devices. A company-wide security policy including employee education, policies and procedures should be developed specifically for your business operations and employee device usage. Regular “audits” of the policies should be conducted to ensure compliance at all levels within the organization.

Mistake #3: Neglecting to understand and update your network

Organizations may never be able to prevent every attack; networks are too expansive and there are many opportunities to breach software. However, failing to understand the structure of your company’s network and where company data flows to and from will prevent you from knowing what to protect. Once you have determined what needs to be protected and systems are in place to protect your data, continued monitoring, testing and updating is necessary to avoid an increased opportunity to invade your systems.

Mistake #4: Relying on anti-virus technologies

Anti- virus technologies are very helpful but are not sufficient to prevent advanced attacks. Hackers are at their game non-stop and have evolved their tactics faster than anti-virus technologies can react. Updates to anti-virus and malware software are necessary, but strong data security policies, testing and monitoring are also needed.

Mistake #5: Failing to use strong passwords

Passwords should be unique and complex. It is easy to use the same password for many different applications and quite often this is what many people do. The cyber attackers know this. Unique passwords for each application are best. Your passwords should be complex. Never use words like “password” or “football”. “12345” is not a good password either. Your password should contain a combination of letters (upper and lower case), numbers, capital letters and symbols. Phrases using symbols, for example Th3king&! (The king and I) is a way to remember a complex password.

As you can see there is no one security solution to protecting your company’s data. Data security must consider the data and system as well as internal and external users. Your plan should also consider your plan of action if there is a cyber-attack and breach of company data. A good action plan can limit the exposure and damage a data loss may cause.