Cyber-Defense: The Cost of Doing Business
Bankers hate talking about cyber-security issues, but once in a while, hints emerge. Last year, in testimony before a congressional panel, Frank Cilluffo, director of George Washington University’s Center for Cyber and Homeland Security, made news when he reported a major U.S. bank told him it faced 30,000 attacks – including 22,000 from criminal groups and 400 from nation states – in the week before he testified. “This amounts to an attack every 34 seconds, each and every day,” Cilluffo said.
Another case: J.P. Morgan Chase still got hacked in 2014 despite spending about $250 million on cyber-security. It now plans to spend $500 million.
Spending on cyber-defense is like spending on a security alarm system – except the costs keep rising, upgrades are frequent, the nature of the threat changes and it’s widely said that hackers will break in anyway.
Cyber-defense is a frustrating cost of doing business but a necessary one. “Security adds to the bottom line just as much as electricity adds to the bottom line,” says James Parrish, chair of Nova Southeastern University’s Department of Information Systems and Cybersecurity in Davie.
“You have to secure these systems to use them,” he says. “What’s the alternative? You have to go back to handwritten letters and wax seals?”
Cyber-Security Tips
Businesses today face cyber-threats from criminals, terrorists, nation states, hackers for profit, hackers for a cause, saboteur employees and ex-employees. Here are the top cyber-security tips from experts in Florida.
- Do a risk assessment. What do you have? Where is it stored? Which employees and vendors can access it?
- Insiders are the greatest threat, whether it’s a careless employee or a disgruntled one. The maxim: People are the weakest link. Read through lists of data-breach cases in Florida and you’ll find a hefty share come from an employee who clicked on the wrong thing and let in malware or an employee who downloaded customer information onto a laptop, smart phone or thumb drive and then lost the device. Rare is the case of a hacker breaking into a company’s system like a safecracker opening a vault. Employees have to be trained effectively on security policies. “Any email you get in your inbox, you have to stop, look and think before you click and take a second or two to make sure it’s not a scam,” says Stu Sjouwerman, founder of KnowBe4, a Clearwater-based security awareness training company.
- Encrypt important data. Having data encrypted provides a measure of liability protection.
- Purge old records no longer needed. Don’t be liable for a breach of data that’s unneeded.
- Back up everything. Ransomware only works if you don’t have backups.
- Outsource when you can, says Jorge Rey, director of information security and compliance at accounting firm Kaufman Rossin in Miami. Cloud service providers build their business on security, and given the economies of scale, can provide protection superior to that found in small- and medium-sized businesses. “Trust is a major part of their sales pitch,” Parrish says.
- Create a breach response plan and practice its implementation.
Jorge Rey, CISA, CISM, is a Cybersecurity & Compliance Principal at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.