Has your small or midsize business finally decided to bite the bullet on cybersecurity preparedness by adopting software to protect the firm’s sensitive information? If so, the key task for you now is to determine whether these new cybersecurity protections are, in fact, working. After all, data breaches do not hit the same firm every day, and you probably have many other things to do in lieu of becoming a part-time IT expert.
As the co-founder of a firm that provides cybersecurity software to financial firms, I can tell you that it’s important to have cybersecurity tools and protocols that can be trusted to counter preventable attacks and mistakes, as well as execute proper and timely incident response for unpreventable data breaches.
In practical, concrete terms, these are four items that can drive the effectiveness of a cybersecurity platform for your company:
1. Impartial Risk Assessment
Good technology conducts an ongoing impartial assessment of your firm’s potential vulnerability to hackers and human error. This allows whoever is responsible for cybersecurity at your company to customize the weighting of the firm’s risk parameters, while still adhering to regulatory constraints.
Ideally, the technology would grant each firm and user an easy-to-understand grade to this effect, along with how that figure compares with others in your specific industry. Comparables demonstrate whether serious work is required to reach par, or whether you’re ahead of the curve. Proprietary software built in-house at a small or midsize firm is unlikely to have access to such information.
2. Third-Party Vendor Diligence
In today’s environment, which is defined by the proliferation of third-party service and solution providers, up-to-date and industry-specific technology should offer third-party vendor due-diligence features. Paramount among any set of vendor due-diligence features is the ability to identify and conduct a comprehensive risk assessment on every vendor the firm uses.
Those assessments should be based on commonly accepted, industry-specific criteria, not artificial benchmarks devised in vacuum by the firm or its cybersecurity provider, which tend to be self-serving. The assessment should collect and validate the responses from each vendor, then give a grade to each vendor.
In addition, the technology should restrict access to a firm’s data to only pre-approved vendors whose workers use devices that a cybersecurity provider can actively monitor, or those vendors with a satisfactory record of meeting regulatory and compliance standards.
3. Testing And Remediation
Your cybersecurity tools should perform periodic incident response tests on users, devices and networks to evaluate the firm’s readiness and follow-through in real-life hacking or phishing attacks. Since bad actors intend to exploit common weaknesses -- including impersonating trusted individuals or institutions to alter or retrieve passwords -- your software should train your team to resist them.
When users do fall victim to scams, either simulated or malicious, automated playbooks or remediation processes should kick in. For example, the software should update the grade of the firm and user, track the incident in accordance with compliance policies and give the compromised user real-time onscreen education to internalize best practices.
4. Cyber Insurance
Many business owners have property and casualty or liability insurance. The same principles of coverage, preparedness and policy relevance should also apply to cybersecurity protections for your company.
Cyber insurance should be specific to your firm's business model and user behavior. Relevant insurance protects firms against direct monetary expenses stemming from data breaches. These may involve replacing software and hardware, client lawsuits or fines from regulatory violations, such as lapses with customer data.
In addition, cyber insurance should come with a straightforward and speedy application process that lets the firm modify coverage to fit its needs, while still providing every user with sufficient coverage. Because good behavior should be rewarded, ideally the insurance package’s pricing and range of protections would factor in the grade that the firm’s cybersecurity technology assigns.
A large company with hundreds of employees spread across the country who work with dozens of third-party vendors to sell many lines of service is fundamentally different from a five-person company in a single office selling a handful of products. Likewise, those two firms require vastly different cyber insurance packages.
How To Keep Your Team Informed
Unless you are your firm’s chief information officer or chief compliance officer, you probably don't have constant, hands-on interaction with or decision-making responsibilities for cybersecurity tools and processes. But all employees and firm leaders should have easy access to the firm's written data protection policies and protocols.
Those documents should detail the features of your firm’s cybersecurity providers, as well as guidelines you and other users should follow to mitigate the risk of a breach. Those guidelines should include tips on how to spot fraudulent or suspicious activity before data is compromised, steps to act fast in case of a cyber incident and the individuals at the firm responsible for ensuring that these processes, policies and protocols are carried out.
When all of this is in place, then -- and only then -- will you have a reasonable level of confidence that your firm’s cybersecurity preparedness resources are working effectively.