Michele Braun
Director, Institute for Managing Risk
Manhattanville School of Business
What can a company do to take advantage of the computer and Internet technology that helps it flourish while staying protected from cybercrime and cybersecurity threats?
We used to say “you only have to open a newspaper …” to find a frequent news topic. Today, you don’t even need to open up the newspaper (either physically or digitally) to find yet another report about a cyber breach, a cyber fraud, hacking, ransomware, phishing, or spear phishing. Today, these news reports are routine and “above the fold,” the subject of Congressional hearings, company announcements, and attorney general investigations. It’s almost a cliché, unfortunately, to tell a business that the question is not “if but when” it will endure a cyberattack.
The Wall Street Journal quotes Cathy Bessant, Bank of America’s Chief Operations and Technology Officer, as saying “There is only one way to be fully protected, and that is to shut the place down.” (October 30, 2017, page R6). Ms. Bessant also said that “The art of cyber is to keep the firm in business and continue to grow and serve the needs of the customer every day.” This imperative applies equally at non-profit and for-profit enterprises.
On November 9, 2017, a panel of cybersecurity experts gathered at the Manhattanville School of Business to explore this “art of cyber,” address the necessary balance, and answer many of the practical cybersecurity questions asked by business leaders. [My October 30 article tees up those questions.]
For Tom Morley, Director of the NY Small Business Development Center, preparedness starts with a risk assessment. “Inventory your data,” he advised. “Get granular, and catalog the risk: what would have value to someone else [if stolen] and what’s the value to you if lost?” Data files are important company assets and as worthy of protection as any physical asset.
Planning and practice are key cyberprotection tools, according to Michelle Mitrione, Manager in IBM’s Security Services Global Portfolio Management group. “Assess your risks, plan your response, test your plan, and then do it again,” says Ms. Mitrione. Testing, training, and practice are key to avoiding risks, surviving breaches, and recovering from setbacks.
Rob Rosenzweig, National Cyber Risk Practice Leader at Risk Strategies Company, advises businesses of all sizes to consider purchasing cyber risk insurance. This is a growing market with many insurers offering the product, so a business should be able to shop around to get good coverage. Then, if your systems are breached, Rob said to think of the insurer as your “one-stop source” for recovery services. The insurance company should be able to arrange for specialists to investigate the breach, provide legal advice, monitor credit for customers (if appropriate), and assist in restoring corrupted files.
The first thing to do if you suspect a breach, says Andrew Kaplan, President of Ekapco, a computer network and systems solutions company, is to disconnect the computers from the Internet. This might mean unplugging a communications cable or turning off the Wi-Fi. Then, both Andrew and Rob advise that you call (1) your IT professional and (2) your lawyer in rapid succession. Bringing in legal counsel early is important to ensure compliance with consumer notification laws and other regulatory requirements that vary by industry.
Now, even as your firm is recovering from the breach, start updating your plan and identifying problems that might be avoidable. All the speakers warned that recovered data and computer applications must be screened before being reloaded onto company computers; you don’t want to re-infect them if the backed-up version carries a virus or foreign program.
In evaluating risk, consider isolating certain systems. Messrs. Morley and Kaplan recommend keeping some computers away from the Internet. They recommend that you assess whether your systems (inadvertently) expose internal data sets and proprietary information to the Internet when they only need to be available for internal company use. Speaking of internal use, Ms. Mitrione cited statistics on the risk of breaches from internal sources, either accidental or malicious. Employees should be given access only to the internal systems required for their work; not everyone needs access to all systems.
Importantly, all panelists spoke about creating a culture of awareness and quick response: train staff actively, make sure they understand the urgency to promptly report problems and suspicious activity, and work to see that everyone stays alert!
Finally, the panelists provided the following important tips and successful strategies to enrich cybersecurity. And, email me your business questions for cyber security [michele.braun@mville.edu] so we’re ready to answer them in future programs.
Cybersecurity: Readiness, Response & Recovery
Tips and Best Practices from Expert Panel
Manhattanville School of Business, November 9, 2017
Tom Morley, Director, Small Business Development Center for Putnam, Rockland, Westchester Counties
- Information is an asset deserving protection.
- Cybersecurity is easier than some may think.
- Cybersecurity isn't optional.

Robert H. Rosenzweig, RPLU, National Cyber Risk Practice Leader, Vice President, Risk Strategies Company
- It is not just a technology issue; people and processes are part of a problem. Train your employees!
- The organizations that are best positioned to minimize the cost and reputational impact of a data breach have an incident response plan and stress test it with tabletop exercises.
- Not all cyber insurance policies are created equal; make sure you are working with a true specialist broker and understand what you’re buying.

Michelle Baselice Mitrione, Manager, IBM Security Services Global Portfolio Management
- Don't get comfortable. You ran your penetration test and now think you are done for the year. This is an ever-changing threat landscape and we must stay vigilant.
- Know your data. Are your “crown jewels” classified as such? Where does your critical data reside? Who owns sensitive data?
- Know who to call. Treat breaches as business-critical situations and not just an IT problem.

Andrew Kaplan, President, Ekapco LLC
- The END user is the final defense, and the defense is only as good as the weakest link in the chain.
- DO NOT OPEN ANY attachment/links without taking a moment to think: is this VALID? If not sure, ask someone, and there should be an “ask” path: who asks whom when not sure.
- NEVER let anyone add anything to the network without default passwords being changed: camera systems, postage meters, copiers, printers. AKA a target.