Back to Basics: Cyber Risk Management and Your Employees
By Rebecca Gomez
Addressing cyber security risk management procedures to all staff is critical to every organization. A recent report indicated two-thirds of all cyberattacks against organizations (large and small) result from employee negligence or malicious activities. The same report also indicated that external breaches only caused about 18 percent of cyberattacks. Human error, according to many studies, is the leading cause of cyber-attacks. Therefore, administrators and employees need regular training on how to identify and prevent cyber-attacks.
Minimizing cyber threats requires a cyber security plan that includes effective policies and procedures that account for legal compliance and data protection. These policies should include (not an exhaustive list):
- A bring your own device (BYOD) policy: governing whether or not an employee can use their own device to conduct business and the circumstances that deem whether or not personal cell phone use for business is appropriate.
- A password policy requiring the use strong and unique passwords that change at least every 6 months.
- Personnel policies that enhance security
- A network tracking policy requiring regular monitoring of network traffic for evidence of suspicious access.
Organizations should also have an incident response plan in place which outlines how a company will respond to suspected events. Implementing an incident response plan will help your organization to quickly investigate and remediate cyber-attacks. It will also outline the leaders of the response team and their responsibilities implementing the response plan. The board of directors should be informed of the organizations cyber security program and exposure, as they are ultimately responsible. Brown & Streza offers a unique proactive approach to a Data Security Breach plan that can help your organization prepare in the event of a breach.
Cyber Risk Insurance should be considered as part of your risk management plan (and not your only plan). A Cyber Risk Insurance policy can offer nonprofit organizations with affordable protection. There is no “standard” cyber policy form and administrators should review their cyber policies to understand what coverage their policy provides. Most standalone Cyber policies offer forensic investigation coverage, system restoration costs, defense and indemnity costs associated with litigation resulting from the loss of personal information, or other sensitive data and defense costs and penalties associated with regulatory investigations. Most General Liability policies now exclude coverage for cyber-related claims.
Please let us know if you have any questions regarding cyber risk management or would like us to provide you with a quote. (see attached application)