We all read the news; we know that companies’ data are being breached regularly these days. According to a study by the Ponemon Institute and Experian Data Breach Resolution published in March, 52% of U.S. companies have experienced more than one breach in the past two years. It also revealed some key issues that all organizations need to address.
If your company is like the overwhelming majority of those that responded to the study, there is a great deal you can do to be better prepared. For example, you should require that employees' mobile devices (including smartphones and tablets) be vetted for security before they are allowed to connect to company systems. The Ponemon study found that although 78% of companies allowed employees to bring their own devices to work, one-third did not require that those devices be tested, and another 28% were not sure whether they had such a requirement.
Fewer than half (44%) of the respondents said their organization effectively authenticates users and otherwise ensures appropriate access to its information systems. Only 43% said their organization promptly revokes network access rights when an employee leaves the company. This is all the more alarming given that only one-third of companies reported actively monitoring for unusual traffic and other risk indicators, so an account that is not deprovisioned is also unlikely to be noticed if it is misused.
Following a breach, most organizations could improve how well they communicate the incident to their customers, according to the study. Just 30% of companies actually train their customer service representatives on how to answer questions about a breach.
“Based on the findings of this research, many organizations are losing opportunities to reduce the risk of negative opinion and loss of customer trust by not focusing on communications with victims,” the survey report concluded.
Clearly there is a lot of room for improvement in the majority of U.S. companies. A good place to start, according to Corporate Counsel, is by addressing the gaps highlighted above.
Cyber-liability insurance may be advisable as well, especially for smaller companies. Symantec reported in April that cyber attacks on businesses with fewer than 250 employees increased 31% in 2012, following an 18% increase in 2011. This is consistent with the reality that small businesses typically lack adequate security infrastructure for protecting financial information, intellectual property, and customer data.
An article in CFO magazine reported that small businesses in high-risk industries – such as high technology, financial services, and health care – are “taking out insurance policies to bolster their protection from the potentially crippling costs that can accompany data breaches and other cyber attacks.”
Larger organizations tend to have a dedicated risk manager and a strong IT department to help reduce risk and liability. Smaller companies, on the other hand, may have only a chief financial officer or chief operating officer who doubles as the risk manager.
According to Ethan Miller, an attorney at Hogan Lovells, cyber-liability insurance policies usually cover costs incurred through first-party claims, such as the loss of trade secrets and intellectual property. They also cover damages a company pays when it is the subject of a third-party claim. Miller told CFO that most policies also include business-interruption coverage in the event of a denial-of-service attack, under which the insurer reimburses expenses related to the attack. Such costs, he said, "can sometimes be a life-or-death issue for smaller companies."
Cyber-liability insurance policies are not a solution, however; they are only a way of limiting the financial damage once a breach has occurred. Companies still need to diligently and proactively manage their cybersecurity risk, including implementing sound data-protection controls and employee education, and insurers typically require evidence of those controls as a condition of coverage. "[T]he insurance company is going to demand you take these protections as part of the application, so as a practical matter you can't become complacent or you'll violate the policy," Miller stressed.