Don’t Wait for a Cyber Threat to Address Your Data Security Challenges

Read

IT resources are limited, information is everywhere, and cyber threats seem to be growing more sophisticated by the day. Sound familiar?

Many private companies struggle with similar data security challenges, and much larger organizations than yours have been victims of cyber attacks. There is no such thing as a perfect data security system. However, you can take a proactive approach in managing your risk and addressing your vulnerabilities in order to help protect your company from data security threats.

I recently had the opportunity to participate on a panel about “The Challenges of Data Security and Privacy,” which shared lessons learned from legal, accounting and IT compliance perspectives. Kaufman Rossin co-hosted the event with law firm Bilzin Sumberg, and Philip R. Stein, Esq., a partner with Bilzin Sumberg, moderated the discussion. My fellow panelists were:

  • Marc Stone, Esq., Chief Legal Officer, General Counsel and Secretary, TradeStation Group
  • Jared M. Strauss, Esq., Assistant U.S. Attorney, Computer Hacking and Intellectual Property Coordinator, Southern District of Florida
  • James Ward, Esq., Litigation Attorney, Bilzin Sumberg

The discussion centered around data security and privacy concerns in the private sector, as well as best practices for minimizing exposure and liability. Today’s companies need to worry about protecting customer information, protecting trade secrets, complying with regulations, managing the fiduciary responsibilities and liability of officers and directors, and avoiding litigation, among other concerns.

Growing threats and trends to watch

Understanding the types of threats that are out there and keeping an eye on trends can help you to protect your company.

Panelists highlighted three data security trends to watch:

  1. Phishing – Phishing threats targeted at businesses typically involve fraudulent emails sent to employees. The emails may appear to be from a vendor, client or even from the CEO of the company, and employees can compromise the business’ IT systems and data if they download an attachment or click on a link within the email. Phishing and other social engineering attacks have been responsible for more than $2.3 billion in reported losses since 2013 and have affected more than 17,000 reported victims, according to Strauss. Download our Social Engineering FAQ to learn more.
  2. Ransomware – Another type of cyber threat that is becoming more prevalent is ransomware, in which an organization’s computer system is effectively taken hostage by cybercriminals looking for a payout. In one high-profile case earlier this year, a major U.S. hospital paid a $17,000 ransom to hackers to regain control of its computer system. These types of attacks are difficult for law enforcement to prosecute, and are often not even reported to the government.
  3. Regulatory scrutiny – Regulators, including the Securities and Exchange Commission (SEC) and Federal Trade Commission (FTC), are increasing scrutiny related to data security, especially in regards to what directors and officers are doing to protect their companies.

Be proactive about data security

So what can you do to help protect your data? While there’s no such thing as a bullet-proof system, you can take steps to mitigate your risk. “You need to take a holistic, firm-wide approach to this,” said Stone, who recommended a top-down approach to enterprise risk management.

A few important areas to consider include:

  • Training – If you’re not training your employees on phishing and spear-phishing, your company may be at risk. These types of social engineering attacks try to exploit your employees to gain access to your IT system. Don’t let your employees be your weakest link. A qualified consulting firm can conduct phishing testing at your company. In these tests, an email with a fake link is sent to targeted employees. Employees who click on the link will be taken to a website with training resources about phishing, and test performance is measured and reported to management. The greater an employee’s awareness, the less likely he or she should be to fall victim to social engineering attacks.
  • Policies and procedures – Establish and document policies and procedures surrounding data security, educate employees about those policies and hold them accountable for adhering to the rules. Keep a paper trail to show what is being done from a data security standpoint and review or audit what is being done.
  • Risk assessment – If you don’t know what your weaknesses are, you can’t work to correct them. Engaging an independent third party to perform a risk assessment can help you identify vulnerabilities in your IT system – before the cyber criminals do.
  • Two-factor authentication – Two-factor authentication adds an extra layer of security by requiring another form of confirmation in addition to a password. Text messages, phone calls and emails can all be used for two-factor authentication.
  • Strong passwords – Strong passwords don’t have to be difficult to type and difficult to remember, said Ward. He shared an example of using a relatively hard to crack passphrase (“ihadpastelitosandcafecitoforbreakfast”) instead of a password.
  • Data backup – Backing up your data on a regular basis is always a good idea; it can prevent you from losing everything if a hacker takes your system hostage or if your system fails.
  • Incident response plan – You should have an incident response plan in place in the event of a data security incident. Involve teams from across the organization (e.g., IT, compliance, management) in creating the plan.
  • Key contacts – Who are you going to call if something goes wrong? Keep a readily available list of key contacts (law enforcement, outside IT consultants, attorney, etc.) in case of a data security incident.
  • Cyber insurance – Cyber insurance may be a worthwhile investment, but keep in mind that it may only cover a small percentage of the full cost of a data breach. When you consider the potential costs of litigation, reputation damage, regulatory penalties, and more, the total adds up quickly. It may also be harder to get a cyber insurance policy now than it used to be. Insurers are getting better about managing their risk, and they may ask to see a data security assessment, incident response plan, documented policies and procedures, etc., in place before they will even grant you a policy.

Most criminals are going after soft targets, Ward said. “There’s no shortage of opportunities for cybercriminals to take advantage of soft targets,” he added. “Don’t leave too many of them out there.”

Contact me or another member of Kaufman Rossin’s IT security consulting team to learn more about managing your company’s data security challenges.


Jorge Rey, CISA, CISM, is a Cybersecurity & Compliance Principal at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.

Leave a Reply

Your email address will not be published. Required fields are marked *

We respect your personal information. Please review our Privacy Policy for more details.