Okay, so you decided to read it, just as some employees will click on that phishing email attachment!  Did you know that October was the 15^th annual Cybersecurity month? This makes it a great time to discuss cyber breaches and what you can do about them.

By now you’ve probably heard that becoming a victim of a cybercrime is not a matter of “if,” but “when.” If you haven’t started protecting your company and your customers, it’s not too late but the clock is ticking. In this article we will explore some ideas for you to consider.

Start by recognizing that cybersecurity is not just an IT problem. Everyone in the company has to own this, and the owner should be the champion of best practices. But IT is a great place start, including multi-factor authentication (a simple password is no longer sufficient), frequent data back-ups, an email scanning service that detects phishing attempts, centralized anti-virus & malware protection, encryption, and virtual personal networks (VPNs). Train your employees on how to spot phishing emails and other pitfalls — there are a wealth of resources available online.

Next, your management team, along with IT, should identify all the types of customer and employee information retained by the company. Prioritize the information — What do you consider critical? What is already publicly available?  For the confidential information (e.g. social security numbers, credit card information, credit check reports, bank account numbers) develop plans on how to protect this information, including retention policies and guidelines on who can access this information.

Where you may need some professional help is in performing a “gap assessment” and developing an “incident response plan.” The gap assessment helps you assess your existing controls and identify any shortcomings. Your controls include your hardware & software, policies & procedures, compliance with legal requirements, etc. The incident response plan is critical; once you’ve been breached, it’ll be too late to determine what to do and whom to contact. The response team should include an attorney (well-versed in the legal requirements for notification in all the jurisdictions you operate), your insurance company (more about cyber insurance below), your IT forensic specialist, your public relations contact (your reputation is perhaps your most valuable asset, and insurance cannot restore it.)

Lastly, after you implement the appropriate controls and procedures, buy cyber insurance for the things you can’t change. Work with your team to estimate the costs associated with a prolonged system shutdown, credit monitoring for customers, contracted experts to help with the recovery, the restoration/recreation of data, public relations, etc.

Breaches are no longer a matter of “if.” Be proactive in minimizing the damage.