Hackers are getting better. Are you keeping up?

LISTENING IN: Peter LaChapelle, foreground, vice president, operations and finance, NetCenergy LLC, listens to a panel discussion during the PBN Cybersecurity Summit on Dec. 8. / PBN PHOTO/MIKE SKORSKI

Bad news for business: Cyberthreats are growing in number and scope, and hackers are uncovering increasingly sophisticated means to steal your company’s private information.

According to cyber specialists at the 2016 Cybersecurity Summit hosted by Providence Business News on Dec. 8 at the Crowne Plaza Providence-Warwick, no business, large or small, is safe from a potential breach in security.

The panel discussion featured local government consultants, businesspeople and academics who shared the resounding message that businesses need to be prioritizing cybersecurity.

According to Jeffrey Ziplow, cybersecurity risk-assessment partner with BlumShapiro, hackers are well-organized, well-financed and better at hacking into systems than ever before.


Some common cyberthreats include phishing and spear-phishing schemes that attempt to scam a user into surrendering secure information; ransomware, a type of email software that encrypts data until a sum of money is paid for retrieval; social engineering, or psychologically manipulating a person into surrendering information; payment fraud; credit card scanners and more. Often, businesses fall victim to a combination of these and other threats.

“It’s a matter [of] … when it’s going to happen,” said Kevin Tracy, senior vice president and market executive at Bank of America’s Business Banking Group.

Peter Nelson, co-founder of NetCenergy LLC, estimates only about 60 percent of businesses are properly protecting themselves by checking and monitoring for security flaws before a breach occurs.

“Cybersecurity is not an IT department’s problem. This is a corporate problem that people at all levels and departments need to be aware of,” said Ziplow.

Francesca Spidalieri, senior fellow for cyber leadership at the Pell Center at Salve Regina University and member of the state’s Cybersecurity Commission, said, “It is the responsibility of the board to oversee risks – cybersecurity has to be considered one of the risks in managing an enterprise. C-suite managers have a responsibility to talk about this, and try to align their business objectives with their security needs.”

A major area of concern for cybersecurity specialists is the increased potential for security breaches when dealing with outside contractors. Ziplow encourages clients to have a conversation with any outside vendor the company works with to ensure a secure protocol is in place to protect your company’s valuable information.

As larger companies begin to bulk up on their cybersecurity, hackers have pivoted to targeting the supply chain, said Stephen Ucci, counsel from Adler Pollock & Sheehan P.C. and member of the R.I. House.

“Smaller businesses are the low-hanging fruit,” said Timothy J. Edgar, a fellow at Brown University’s Watson Institute for International and Public Affairs.

Some businesses never recover from a data breach. In fact, 60 percent of small businesses close down within six months of a cyberattack. On average, it takes a company 200 days to detect an attack.

To make matters worse, it’s estimated 70 percent of cyberattacks go undetected.

Fortunately, said Ucci, Rhode Island is ahead of the curve on many cybersecurity issues. Ucci worked to amend the state’s Identity Theft Protection Act last year, repealing and replacing outdated legislation to set new standards for protecting valuable information.

“We wanted to make clear that this was not to be an additional burden on the businesses, but that we wanted to provide a clear course of action for Rhode Island businesses on exactly what steps to take if a breach happens,” said Spidalieri.

One method of evaluating your company’s security needs is to perform a risk assessment. Ziplow also encourages companies to have a backup system in place that they trust.

Spidalieri advises companies to do their homework before hiring an outside contractor, to educate and train employees on recognizing red flags and to constantly monitor systems for potential breaches.

Above all, each panelist stressed the importance of having a cyberattack response and recovery plan in place long before a security breach occurs.

“You need a strategy that looks at the issues and asks the right questions,” said Edgar.

In the event of a cyberattack, Edgar said a company should notify its board of directors, general or outside counsel and bank, then assemble a diverse team that will address the attack. After assessing what information has been breached, companies should come up with a plan to recover and prevent another attack.

Cybersecurity breaches will cost companies an average of $4 million in 2016, growing to $150 million in 2020, according to Spidalieri. Companies also must consider the consequences of losing customer confidence, dropping stock value and a diminished reputation following a security breach.

“Companies need to consider these costs and plan ahead,” she said.
