I often hear statements like these from business owners in regulated industries like financial services -
"My branch manager is responsible for my cyber risk preparedness."
"I just had my audit done a few weeks ago, and my chief compliance officer says I am all good..."
Here's another one -
"My IT manager, whom we have worked with for 20 years, says we are using the best technology solutions in the industry to protect our networks and data."
"Nobody told me that storing my PASSWORDS.TXT file in my dropbox folder was a bad idea."
So, what is the common thread in these statements?
... Well, YOU GUESSED IT!
1. The curious case of "It's not my problem!": The logic of many a business owner goes something like this - my outsourced IT provider, branch manager or compliance manager is responsible for my cyber protection strategy, so if I still get hacked, it is legally their problem, not mine.
NOT TRUE! It is your problem, and possibly your IT provider's, compliance officer's and branch manager's as well, unless your signed contracts state otherwise.
2. "Thou Shalt Not Verify Thine Own Work": A well-known software quality principle says that programmers should never be the only ones to verify their own code. The reason is simple - there are no checks and balances. Programmers are unlikely to find enough problems in their own code to justify the time and effort of looking, and they tend to share the blind spots that produced the bugs in the first place. The same goes for first-line IT managers and compliance officers reviewing their own controls.
To further consider business, technology and legal implications of the "It's NOT my problem" sentiment, here are some questions to think about:
1. If the authorities ever investigate a data breach incident at your firm, how do you prove that you (or your employees) followed all the rules recommended by your IT, compliance or branch managers? (Remember, these folks aren't checking your systems and policies every minute of the day.)
2. How do you explain the breach to your customers? (Remember, the smallest clients are often the most nervous ones.)
3. How do you show your stakeholders that you have closed the gap, so that the same incident is unlikely to happen again?
4. How do you enforce rules on all your employees without overburdening the business?
This brings us to the "So, what can we do to be prepared?" part of this discussion. Here are four tips for you to consider.
1. Get a second opinion. Cyber threats are real. Face these risks head-on rather than running away from them. Hire expert third-party firms that focus on cyber security preparedness in your line of business. Find firms that understand policies and best practices and can suggest tools to improve monitoring and enforcement of those practices. Get educated and ask lots of questions (this is your prerogative!).
2. Be proactive, NOT reactive. When it comes to cyber security, the "wait and see" approach never works. Do your research (or ask your peers) and actively seek out tools that can consistently raise your firm's level of cyber security preparedness. Remember, with all the recent breach incidents, regulators and watchdogs such as the SEC, FINRA and the Department of Justice (DOJ) are increasing their scrutiny of businesses that handle Personally Identifiable Information (PII). As a result, businesses in the financial services and health care industries are experiencing more spot audits, discovery requests and demands for a documented paper trail.
3. Cyber governance should represent at least 10% of your annual IT budget. Yes, you will need to push that marketing spend out by a quarter and prepare to spend at least 10% of your total IT expenditure on cyber security controls and monitoring. At the very least, it will help you sleep at night knowing that you have a strategy. More importantly, the cost of inadequate preparedness can be catastrophic. If you experience a data security breach, the legal bills and fines will be just the beginning. Even if your vendors get pulled into the legal battle, the reputational hit alone could cost you your business. Frankly speaking, "It wasn't my problem" will be a weak defense.
4. Let the PAPER TRAIL set you free. Go beyond documenting an information security policy: get an automated system that enforces your policies and generates audit reports describing exactly which controls are in place, and have those reports time-stamped periodically by an independent third party so they cannot be back-dated. This paperwork will not only help you monitor your cyber security baseline but also prove to your compliance officer or auditor that you took the matter seriously. Enforcing cyber security best practices on all of your firm's systems all year round is the best defense, and the paper trail that proves you did so is even better. It could make all the difference in your cyber defense.
Here's a BONUS tip, in case you still can't get over the comment about deferring marketing spend by a quarter (tip #3).
5. Talk about it. Discuss your cyber risk preparedness strategy with your clients, especially the talkative ones. Be sure to let them know that there is NO way to prevent every cyber attack, but since it is a numbers game, you are doing your best to safeguard their information (more than your competitors, even). Show off an innovative tool you might be using to monitor your cyber security preparedness. It demonstrates your knowledge of the important issues, your proactive attitude and your innovative thinking. You will get more referrals this way - I guarantee it!