Managing Cyber Risk: Steps Your Business Can Take

7th November 2017

1. RECOGNISE AND KNOW YOUR RISK

 A data security breach in your organisation may lead to significant financial loss (from fraud, theft, business interruption), disrupt your ongoing business operations, affect your reputation and ultimately your bottom line. Given the potential consequences, good risk definition is a worthwhile investment. Understand the nature of the data you hold. Identify the risks that this data faces from a data security incident.

The spectrum of data security breaches is wide, both in terms of size and significance. They range from minor security events such as unauthorised attempts to obtain data from your organisation (eg. A phishing email caught in a spam filter), to more serious security incidents, where data breaches are likely (but not certain) to have occurred and the scale and scope is initially unknown (eg. An employee inadvertently emailing a file containing confidential information to the wrong party).

The sources of a potential data breach are equally wide-ranging, and include deliberate breaches by professional hackers; calculated disclosures by disgruntled former employees; an inadvertent breach by current employees. The likelihood of a full scale data security breach happening in your organisation is increasing at an exponential rate. No system is perfect and no business is immune.

2. PROACTIVELY MANAGE YOUR RISK

There are a range of steps your business could take. The following are key:

• Make everyone an “accidental cyber expert”. Engage your entire organisation in understanding the risks of data security breaches and the value of taking care in digital communications. This is assisted by top down leadership including from the board and executive management. Where appropriate you should consider making your Chief Information Officer responsible for developing, implementing, and maintaining an organisation-wide data protection programme. 
• Invest in risk strategies, procedures and protocols to protect the data you need, and dispose of the data you do not. Limit the data you store to the minimum necessary for your business purposes (and for legal compliance). Over-collection and over-retention tends to increase the burden of managing and controlling the data you hold.
• Consider your insurance needs and existing coverage in the event of a data security breach and whether your organisation may need specialised data security breach or cyber risk insurance coverage. See our list of preferred Insurance Advisors. Keep your important insurance documents safely stored in the 'My Financial' section of your LifeLot account.
• Assess the protective data security measures taken by business partners and service providers. Limit third-party access to your computer network and ensure third party suppliers have the requisite standard of IT security (for example, through contracts that require third parties to protect your business data, and allow you to audit their compliance with the required security standards). 
• Consider restricting use of moveable storage media, assessing the vulnerabilities of remote access points, and using data encryption, back up and retrieval processes.
• Engage in routine testing for system failure. 

3. PREPARE FOR AN INCIDENT – AND A CRISIS – BEFORE IT OCCURS

Robust risk management includes planning for system failure – in this case through a data security incident and breach response plan. Preparation is everything. Have a standing incident-ready and crisis-ready response team and plan in place. The plan should:

• Be led by your CEO, COO or CIO, and include escalation procedures appropriate to the type/extent of breach;
• Focus initially on containing the breach and data recovery, and on restoring confidence in your systems;
• Address critical decisions about internal and external communications including for the management team, legal advisors, forensic experts, regulators, insurers, affected customers, the wider public, banks, and contractual parties. Best practice includes establishing good relationships with key relevant actors in advance of any incident or breach. This will propel a timely engagement process following an actual incident and/or breach, when there is usually some urgency involved; 
• To the extent possible, develop a purpose specific set of communication and notification documents to address the base level communication needs;
• Be capable of immediate activation and be scalable across your business;
• Be subject to regular testing, and review/revision as necessary – including following actual events.

4. HAVE A READY RESPONSE PLAN SPECIFICALLY DIRECTED AT CYBER SECURITY BREACHES

Your ability to decisively manage a data security breach may save your organisation millions of dollars and irrecoverable damage to your reputation.

It could also give your organisation a competitive edge. 

The first 24 hours are crucial. Immediately activate your response team and plan:

• Notify your internal or external legal advisors at the inception of the response. 
• Seek to contain the breach/restore confidence as a priority.
• Retain cyber security and/or forensic experts as necessary. Forensic expertise is likely to be essential to recovering system integrity, to evidence integrity and preservation, and to minimising the prospects of alerting hackers to your response activities, allowing them time to hide their trail or embed back door access at a later date.
• Implement the wider communications and notifications plan.
• Preserve evidence / document steps taken. Engaging legal counsel experienced in data security breach response may save your organisation's reputation and its bottom line. An experienced legal team will immediately initiate investigation confidentiality and evidence preservation procedures and be in a position to utilise all legal avenues for data containment and recovery.

Source: https://minterellison.co.nz/our-view/managing-cyber-risk-steps-your-business-can-take-right-now