Writing in the latest issue of Willis’s Resilience magazine, Alice Underwood, Executive Vice-President at Willis Re, offers six tips for minimising, mitigating, and managing cyber risk.
Cyber training and governance: employees and key partners need to know about phishing and malware. “Don’t click the link” is one of the most powerful ways to reduce cyber risk, and yet it is commonly ignored. Hands-on training exercises that present employees with examples of the kinds of emails that can conceal malware are perhaps the most powerful way to get the point across. Furthermore, employees and partners must understand data encryption protocols and the IT staff must actually enforce them.
Prioritise critical intellectual property: what are the ‘crown jewels’ of your company’s data – the most valuable trade secrets, intellectual property and information about strategic plans and sources of revenue? This will show you where to focus your efforts.
Identify vulnerabilities: the IT staff should know where data is stored, how it is accessed, and how and when it is transmitted. Those with access to important data and systems can include employees, vendors and service providers – as well as customers. Each of these links can present a vulnerability to inadvertent breach or malicious infiltration. It’s also important to review vendor contracts to verify who is responsible for identifying and notifying whom should a breach or business interruption event occur.
Provide leadership with actionable information: after collecting and analysing information on vulnerability and threats, this often highly technical material must be conveyed to decision makers in a concise and understandable format. Business leaders need to understand the risks, their potential effects and the alternative courses of action.
Invest in adequate protection: there are numerous tools available to protect company systems and data, including firewall and encryption software and routines that prevent the use of unauthorised USB drives. Your access protocols can require two-step verification and strong passwords, as well as limiting how long passwords remain in effect. It’s also important not to make the requirements so onerous that individuals resort to writing them on easily found scraps of paper (which comes back to training). Going beyond these types of access measures, there are software packages that provide active threat identification and monitoring. Establish guidelines for reviewing and upgrading all of these technological measures as needed, since the cyber landscape changes quickly.
Develop a response plan: perhaps the most important step of all is to develop and test a response plan for cyber events. The playbook should outline the steps to take in case of an event so that no one is left to make a rushed and unprepared decision, and practice exercises can identify ways to improve this plan as well as build the skills needed for the most appropriate response.