
Cybersecurity Pointers for Business Leaders



Michele Braun
Director, Institute for Managing Risk
Manhattanville School of Business

What can a company do to take advantage of the computer and Internet technology that helps it flourish while staying protected from cybercrime and cybersecurity threats?

We used to say “you only have to open a newspaper …” to find a frequent news topic. Today, you don’t even need to open up the newspaper (either physically or digitally) to find yet another report about a cyber breach, a cyber fraud, hacking, ransomware, phishing, or spear phishing. Today, these news reports are routine and “above the fold,” the subject of Congressional hearings, company announcements, and attorney general investigations. It’s almost a cliché, unfortunately, to tell a business that the question is not “if but when” it will endure a cyberattack.

The Wall Street Journal quotes Cathy Bessant, Bank of America’s Chief Operations and Technology Officer, as saying “There is only one way to be fully protected, and that is to shut the place down.” (October 30, 2017, page R6).  Ms. Bessant also said that “The art of cyber is to keep the firm in business and continue to grow and serve the needs of the customer every day.”  This imperative applies equally at non-profit and for-profit enterprises.  

On November 9, 2017, a panel of cybersecurity experts gathered at the Manhattanville School of Business to explore this “art of cyber,” address the necessary balance, and answer many of the practical cybersecurity questions asked by business leaders. [My October 30 article tees up those questions.]

For Tom Morley, Director of the NY Small Business Development Center, preparedness starts with a risk assessment.  “Inventory your data,” he advised.  “Get granular, and catalog the risk:  what would have value to someone else [if stolen] and what’s the value to you if lost?”  Data files are important company assets and as worthy of protection as any physical asset. 

Planning and practice are key cyberprotection tools according to Michelle Mitrione, Manager in IBM’s Security Services Global Portfolio Management group. “Assess your risks, plan your response, test your plan, and then do it again,” says Ms. Mitrione. Testing, training, and practice are key to avoiding risks, surviving breaches, and recovering from setbacks.

Rob Rosenzweig, National Cyber Risk Practice Leader at Risk Strategies Company, advises businesses of all sizes to consider purchasing cyberrisk insurance. Because this is a growing market, many insurers offer this product, so a business should be able to shop around to get good coverage. Then, if your systems are breached, Rob said to think of the insurer as your “one-stop source” for recovery services. The insurance company should be able to arrange for specialists to investigate the breach, provide legal advice, monitor credit for customers (if appropriate), and assist in restoring corrupted files.

The first thing to do if you suspect a breach, says Andrew Kaplan, President of Ekapco, a computer network and systems solutions company, is to disconnect the computers from the Internet. This might mean unplugging a communications cable or turning off the Wi-Fi. Then, both Andrew and Rob advise that you call (1) your IT professional and (2) your lawyer in rapid succession. Bringing in legal counsel early is important to ensure compliance with consumer notification laws and other regulatory requirements that vary by industry.

Now, even as your firm is recovering from the breach, start updating your plan and identifying problems that might be avoidable. All the speakers warned that recovered data and computer applications must be screened before being reloaded onto company computers—you don’t want to re-infect them if the backed-up version carries a virus or foreign program.

In evaluating risk, consider isolating certain systems. Messrs. Morley and Kaplan recommend keeping some computers away from the Internet. They recommend that you assess whether your systems (inadvertently) expose internal data sets and proprietary information to the Internet, when they only need to be available for internal company use. Speaking of internal use, Ms. Mitrione cited statistics on the risk of breaches from internal sources, either accidentally or maliciously. Employees should be given access only to the internal systems required for their work—not everyone needs access to all systems.

Importantly, all panelists spoke about creating a culture of awareness and quick response—train staff actively, make sure they understand the urgency to promptly report problems and suspicious activity, and work to see that everyone stays alert! 

Finally, the panelists provided the following important tips and successful strategies to enrich cybersecurity.  And, email me your business questions for cyber security [michele.braun@mville.edu] so we’re ready to answer them in future programs.  


Cybersecurity:  Readiness, Response & Recovery
Tips and Best Practices from Expert Panel
Manhattanville School of Business, November 9, 2017

Tom Morley, Director
Small Business Development Center for Putnam, Rockland, Westchester Counties

Information is an asset deserving protection.
Cybersecurity is easier than some may think.
Cybersecurity isn't optional.

Robert H. Rosenzweig, RPLU | National Cyber Risk Practice Leader
Vice President, Risk Strategies Company

It is not just a technology issue; people and processes are part of a problem. Train your employees!

The organizations that are best positioned to minimize the cost and reputational impact of a data breach have an incident response plan and stress test it with tabletop exercises.

Not all Cyber Insurance policies are created equally; make sure you are working with a true specialist broker and understand what you’re buying.

Michelle Baselice Mitrione, Manager
IBM Security Services Global Portfolio Management

Don't get comfortable. You ran your penetration test and now think you are done for the year. This is an ever-changing threat landscape and we must stay vigilant.

Know your data.  Are your “crown jewels” classified as such? Where does your critical data reside? Who owns sensitive data?

Know who to call.  Treat breaches as business critical situations and not just an IT problem.

Andrew Kaplan, President
Ekapco LLC

The END user is the final defense, and the defense is only as good as the weakest link in the chain.

DO NOT OPEN ANY attachments/links without taking a moment to think: is this VALID? If not sure, ask someone, and there should be an Ask path: who asks whom when not sure.
  
NEVER let anyone add anything to the network without default passwords being changed: camera systems, postage meters, copiers, printers. AKA a target.
