Cyber Security Risk Management for Technology Firms

Apr 14

The following material is provided for informational purposes only. Before taking any action that could have legal or other important consequences, speak with qualified legal and insurance professionals who can provide guidance that considers your own unique circumstances.

Risk management processes have become increasingly critical for companies that market advanced technology products and services, sell Software-as-a-Service, or use complex technology features on their websites and social media pages.

Risk is a part of any business, but digital technology raises the risk or threat to unprecedented levels. Every business owner or manager should understand that threats are now the norm, instead of an exception, and plan accordingly. Hackers and malware become increasingly sophisticated, and the top cyber threats to businesses include:

Denial-of-service attacks that flood your website with more inquiries than your website is designed to handle
Phishing attacks to gain access to your network in various ways
Malware that often has a hidden agenda or just provides malicious attacks on your operating system
Algorithm manipulation of the Internet of Things that can capture data from wearables, smart appliances, and your OS through cloud-computing devices
Sophisticated ransomware that can shut down your computer completely until you pay a ”ransom” for the code to unlock it
Patch management indifference that results in using outdated software
Exposure to risks and threats because of third-party services – such as payment processing, research connections onsite and onsite shipping services
Social engineering, which is an attack based on exploiting social media accounts to get information about vacation plans, business services, and other business and personal vulnerabilities

Unfortunately, failing to update security and install patches is a common failing of many companies. It’s important to remember that when a software company produces a patch, it’s broadly advertised. Criminals can learn how to defeat the systems that fail to install the patch, so they actively look for those companies. It’s as if the software companies were publishing a menu of suitable targets to hack. When a vulnerability is identified, you must attempt to close it.

In today’s digital environment, companies also have a duty-of-care to provide reasonable protection to people who use the company’s website. You are expected to protect financial and personal information or face a lawsuit for damages based on common duty-of-care standards. Government regulations also require companies to protect financial information and medical information through the Health Insurance Portability and Accountability Act, HIPAA, and the Sarbanes-Oxley Act. [1]

What Is Cyber Security Risk Management?

Risk and threat management is an insurance term that’s been around since ancient times when people play games of chance with dice and bones. Dante and Galileo contributed to probability theory, which gave rise to the insurance industry, underwriting and managing business risk.

Cybersecurity risk management is just an upgrade of common business risks – such as insurance protection for unexpected disasters, physical protection of business assets and alarms to detect intruders and issue warnings for fires, break-ins, etc. Instead of protecting vaults and safes, cybersecurity protects passwords, processes, websites, technologies and virtual assets while guarding against digital vulnerabilities.

Software for Risk Management

Small-to-medium-sized enterprises can use risk and threat management software for the basic safety of staff members and customers who use their digital assets. Some of the top benefits of software solutions include:

Customizable risk-analysis options
Improved data mining to study customer behavior, conversion rate potential, etc.
Safe reporting and self-service options for customers
Improved decision-making ability based on verified data
Managing other areas of security, such as scheduling guard rounds, confirming doors are locked, shutting down computer stations when not in use, etc.
SSL-encrypted protection

Cybersecurity Risk Management Framework

The National Institute of Standards and Technology, NIST, has developed a framework for cybersecurity that many security experts consider top-notch protection for businesses. [2] Companies can adopt the security framework in just 10 minutes or less.

Any business can adopt the NIST framework and its protective protocols that include identifying risks, protecting company assets, detecting intrusions, responding to threats, and recovering stolen assets. The robust security blueprint gives any company the tools it needs to protect against threats, mitigate risks and comply with all government security regulations.

Cybersecurity Training and Certification

Unfortunately, new security threats and risks appear almost daily because of accelerated technology and more sophisticated white-collar criminals. All security systems have a common weakness – the human element. That’s why it’s important to screen your staff, define acceptable computer behavior, and train staff in common security risks. Any company should have at least one certified expert in one of the top certification courses at niccs.us-cert.gov. [3]

These courses include Beginner, Intermediate and Advanced levels. Examples of Beginner courses include:

Security+
Certified Entry Networking Technician
Network+
Systems Security Certified Practitioner

Examples of Intermediate courses include:

Systems Security Certified Practitioner
Certified Ethical Hacker
Certified Information System Auditor
Certified Security Analyst

Examples of Advanced courses Include:

Certified Information Systems Security Professional
Certified Information Manager
HealthCare Information Security and Privacy Practitioner
Computer Hacking Forensic Investigator

Depending on your company and its products and services, you might need all administrative staff members to take one or more training courses.

Evolving Security Threats Require Better Management Policies

Government regulations can be a double-edged sword. Companies complain about increased regulations, but many companies use regulations as an excuse to investigate security no further than the government’s guidelines require. The real risks and threats show a vibrant underclass that’s pulling out all the stops to commit digital crimes. The government can’t regulate against every digital threat, so you need to dig deeper into your business security practices.

That’s why it’s so important to put broad security policies in place, install risk management software, adopt the NIST framework and establish an ongoing program of training and certification to meet new threats as they occur. Cyber risk management is an increasingly critical aspect of doing business online, and we recommend that you treat the processes with the utmost respect and top priority in any organization.

Can We Be of Assistance?

We may be able to help you by providing referrals to consultants, and by providing guidance relative to insurance issues, and even to certain preventives, including the development and application of sound human resources management policies and procedures.

Please call on us for assistance.

We’re a member of the Professional Liability Agents Network (PLAN).