Extended Detection and Response Explained

This article is from RISQ Consulting’s Zywave client portal, a resource available to all RISQ Consulting clients. Please contact your Benefits Consultant or Account Executive for more information or for help setting up your own login.

Extended detection and response (XDR) is a security solution that offers organizations end-to-end visibility, detection, investigation and response across multiple security layers. Unlike endpoint detection and response (EDR), XDR provides a holistic view of threats across the entire technology landscape rather than only those within managed endpoints. This article explains what XDR is and how it works, outlines the benefits of XDR and discusses how it compares to EDR.

What Is XDR and How Does It Work?

XDR uses data collected across multiple security layers to provide IT and security teams with real-time, actionable threat information. By utilizing extended visibility, analysis and response across endpoints, workloads, users and networks, XDR can help organizations reduce blind spots, detect threats faster and jump-start threat remediation. Essentially, XDR helps security teams:

  • Recognize advanced and hidden threats
  • Detect and follow threats in and across various systems
  • Improve the time it takes to detect and respond to threats
  • Improve the threat investigation process

There are several components of XDR that provide organizations with a wider grasp of threats via the following:

  • An analysis of internal and external traffic—XDR can identify cybersecurity threats even after they’ve bypassed system perimeters.
  • Integrated threat intelligence—XDR learns from attacks on other systems to detect similar events in its own environment.
  • Machine learning-based detection—XDR can detect zero-day and nontraditional threats that bypass signature-based methods.

The Benefits of XDR

XDR adds value to organizations by combining multiple security offerings into one incident detection and response product. Benefits of XDR include:

  • Greater visibility and context—Threats that utilize legitimate software, ports and protocols can often slip past system defenses undetected. With XDR, security analysts can see threats on any security layer. It can also offer insights into how an attack happened, who was affected and how it spread.
  • Improved prioritization—As cyberthreats become increasingly frequent, it can be difficult for IT and security teams to keep up with security alerts. XDR can help prioritize threats by grouping related alerts across the framework and presenting the most important ones.
  • Enhanced automation—XDR’s automation abilities allow IT teams to handle a large volume of data and consistently execute complex processes.
  • Faster detection and response—Since XDR is continuously monitoring the technology landscape, it enables organizations to detect and respond to threats faster than before.
  • More sophisticated responses—XDR can tailor specific systematic responses and leverage other control points to minimize the overall impact of the affected endpoint.

How Does XDR Compare to EDR?

XDR is an evolution of EDR—a cybersecurity solution that continuously monitors security-related threat information and endpoint data to detect and respond to ransomware and other types of malware. However, EDR can only detect and respond to threats inside managed endpoints, which limits the scope of threats that can be detected. In contrast, XDR goes beyond the capabilities of EDR by analyzing all security layers and offering organizations a more holistic view of threats.

Conclusion

In an increasingly complex threat landscape, XDR solutions can provide organizations with flexible and efficient security enforcement and remediation. For more risk management guidance, contact us today.

Read more
No Comments

No Holidays for Hackers: Higher Revenue Losses for Non-weekday Cyber Events

This article is from RISQ Consulting’s Zywave client portal, a resource available to all RISQ Consulting clients. Please contact your Benefits Consultant or Account Executive for more information or for help setting up your own login.

Ransomware events that occur on holidays and weekends cause much higher revenue losses than cyber incidents occurring on weekdays—primarily due to lower staffing levels—according to a survey of over 1,200 cybersecurity professionals.

Security firm Cybereason found that nearly half (44%) of organizations drop security staffing levels on holidays by as much as 70% andnder a quarter of respondents reduce their security staff by 90% from normal weekday levels. Just 7% of organizations have at least 80% of their security professionals available on holidays and weekends.

The impact is clear: one-third of respondents said they saw a much greater financial toll from weekend and holiday attacks, up from 13% in 2021’s study. The losses were even higher in the transportation and education sectors, where the number of respondents reporting higher revenue losses jumped to 48% and 43%, respectively.

“Ransomware actors tend to strike on holidays and weekends because they know companies’ human defenses often aren’t as robust at those times,” said Lior Div, Cybereason CEO and co-founder. “It allows them to evade detection, do more damage and steal more data as security teams scramble to mobilize a response.”

The study also revealed slower risk assessment times during breaks, with 60% of respondents saying it took them longer to fully understand the scope of the attack. This, in turn, slows down recovery time and adds costs.

Cybercriminals already know holidays and weekends are prime attack times, especially as the strain of relentless cyber events takes its toll on security professionals. In fact, multiple high-profile cyberattacks have occurred on holidays. In 2021, hackers made headlines on Mother’s Day weekend (Colonial Pipeline), Memorial Day weekend (meat supplier JBS Foods) and the Fourth of July (software vendor Kaseya). This year might be even worse, according to a few respondents.

 “This November/December is going to be particularly rough, as it’s going to be the first time some people have been able to see their families since the pandemic began. All of that means that people will be further from the office and less likely to check alerts,” said one security analyst in the legal sector.

The survey indicated a few areas where organizations can improve their resilience to off-hours cyber events. More than a third (36%) of organizations said they had no business continuity plan, despite observing other companies’ struggles to bounce back. Of those firms that have already experienced a ransomware event, nearly a quarter (24%) still don’t have a ransomware-specific contingency plan.

Some industries are better prepared than others. Specifically, the IT/telecommunications sector and construction firms were most likely to be prepared, with 84% and 81% of respondents indicating they have plans in place for weekend and holiday events. Manufacturing (67%) and health care (65%) were less prepared, despite these sectors’ potential for high revenue losses or loss of life.

Read more
No Comments

Credential Stuffing

This article is from RISQ Consulting’s Zywave client portal, a resource available to all RISQ Consulting clients. Please contact your Benefits Consultant or Account Executive for more information or for help setting up your own login.

If and when you get hacked, it’s easy to think cyber criminals used some high-tech program or code to gain access to your accounts. The truth is, however, that data breaches aren’t always this sophisticated, and all malicious parties need is a little trial and error to steal your personally identifiable information. This tactic is known as credential stuffing, and it’s becoming a common tool for cyber criminals of all kinds.

Simply put, credential stuffing attacks are when a malicious party takes a stolen username and password and tries it on a variety of different websites. For example, a hacker may have purchased your Google username and password from the dark web.

Assuming that you use the same password for multiple accounts, the hacker would test these credentials on other platforms (e.g., banking or social media websites) using botnets (groups of computers tasked with various commands). Essentially, by using information from one account, criminals can potentially access data from a variety of platforms, draining bank accounts or gathering information they can sell to other malicious parties.

Credential stuffing can affect everyone, from individual users to the biggest companies. In fact, a Yahoo breach that impacted approximately 500 million users was largely carried out using credential stuffing.

Thankfully, because credential stuffing relies on victims having the same password for multiple accounts, there are some simple ways to protect yourself:

  • Avoid using the same password for multiple accounts—Credential stuffing works because many users use the same password for multiple accounts. Be sure to change your passwords often and never use the same password across different accounts.
  • Use two-factor authentication—While complex passwords can deter cyber criminals, they can still be cracked. To prevent cyber criminals from gaining access to your accounts, two-factor authentication is key. Through this method, users must confirm their identity by providing extra information (e.g., a phone number or unique security code) when attempting to access corporate or personal applications, networks and servers. This additional login hurdle means that would-be cyber criminals won’t easily unlock an account, even if they have the password in hand.
  • Create strong password policies—For employers, ongoing password management can help prevent attackers from compromising your organization’s password-protected information. You’ll want to create a password policy that requires employees to change their password on a regular basis, avoid using the same password for multiple accounts and use special characters. Long passphrases are becoming increasingly popular as well, and may be a good option for your organization.
  • Provide security training—Even the most robust and expensive data protection solutions can be compromised should an employee click a malicious link or download fraudulent software. As such, it’s critical for organizations to thoroughly train personnel on common cyber threats and how to respond. Your employees should also know your cyber security policies and know how to report suspicious activity.

For additional cyber risk management guidance and insurance solutions, contact us today.

Read more
No Comments

Patch Management Explained

This article is from RISQ Consulting’s Zywave client portal, a resource available to all RISQ Consulting clients. Please contact your Benefits Consultant or Account Executive for more information or for help setting up your own login.

Patch management is the process of acquiring and applying software updates to a variety of endpoints, including mobile devices, computers, servers and embedded devices. Installing patches regularly is necessary to correct errors, help protect data and optimize system functions. This article provides information on how a consistent approach to patching and updating software can limit exposure to various exploits.

What Are Patches?

Patches modify operating systems and software to improve security, fix bugs and improve performance. They are created by software developers and address vulnerabilities attackers may target.

Why Is Patch Management Necessary?

Patch management is necessary for the following reasons:

  • Security—Hackers look to exploit cybersecurity weaknesses. Installing patches fixes software vulnerabilities and therefore reduces an organization’s cybersecurity risks.
  • Compliance—Regulatory bodies or government agencies may require organizations to adhere to patch management standards. Meetings those requirements can help businesses avoid sanctions, fines or penalties.
  • Feature improvements—In addition to addressing security issues and fixing bugs, patches can also offer feature and functionality improvements to help software run smoothly.
  • Minimize downtime—With the enhancements that patches provide, programs may run more efficiently. This can increase production by helping minimize downtime and improving the user experience.

How Is Patch Management Performed?

The patch management process can be carried out by a company’s IT team, an automated patch management tool or a combination of both. Steps in the patch management process include:

  • Identifying IT assets (inventory) and their locations—Taking stock of IT assets and where they are located is a crucial first step in the patch management process. This is especially important as employees increasingly work remotely.
  • Identifying critical systems and vulnerabilities—Being aware of critical systems and identifying and tracking vulnerabilities are also key aspects of patch management. It is important to take note of existing security features (e.g., firewalls and antivirus software) and what they are protecting against. With this information, an IT team can more readily determine which systems need to be patched when vulnerabilities are discovered or reported.
  • Testing and applying patches—Before applying the patches to all systems, it is best to test them on a representative subset of IT inventory. This can help ensure the updates will not create unforeseen issues. Once testing is complete, begin rolling out the patches to the rest of the assets. It is advisable to do this in batches, as this can help identify potential issues before they become too widespread.
  • Tracking progress and maintaining records—During the rollout, it is advisable to keep track of the progress being made. After the patches have been successfully installed, it is essential to keep accurate documentation that notes which assets have been updated.

Conclusion

Having a comprehensive patch management process not only increases a company’s cybersecurity posture and helps keep the business running smoothly, but it also is a practice frequently required by insurance underwriters in order to obtain cyber insurance. Contact us today for more information.

Read more
No Comments

Double Extortion Ransomware Attacks

This article is from RISQ Consulting’s Zywave client portal, a resource available to all RISQ Consulting clients. Please contact your Benefits Consultant or Account Executive for more information or for help setting up your own login.

In recent years, ransomware attacks have steadily been on the rise. These incidents—which entail cybercriminals compromising a device or server and demanding a large payment be made before restoring the technology (as well as any data stored on it) for the victim—are one of the most damaging cyberattack methods, incurring an average of $1 million in total losses per incident.

As these attacks become increasingly common, numerous ransomware techniques have also emerged. Specifically, double extortion ransomware attacks are now a potential cybersecurity concern for organizations across industry lines. This technique follows a similar protocol to that of a typical ransomware attack, but comes with an extra threat—the victim must pay a ransom not only to regain access to their technology and data, but also to keep that data from being uploaded publicly online.

Double extortion ransomware attacks are particularly concerning, seeing as these incidents can further pressure organizations to comply with ransom demands in order to keep their data private. Review the following guidance to learn more about how double extortion ransomware attacks work and what your organization can do to prevent such an attack.

How Double Extortion Ransomware Attacks Work

To outline the general framework of a double extortion ransomware attack, this technique starts out like most other ransomware incidents, in which a cybercriminal first gains access to their target’s device or server—often via phishing scams, nonsecure websites or malicious attachments. From there, the cybercriminal is able to compromise the victim’s technology and encrypt data stored on it. Then, the cybercriminal delivers their ransom demand and accompanying consequences for noncompliance.

Contrary to a typical ransomware incident, however, these consequences are twofold. That is, failing to pay the ransom could result in the cybercriminal both permanently restricting the victim’s access to their technology and sensitive data, as well as sharing this data publicly on the internet. Although double extortion ransomware attacks can occur at any organization, these incidents are most common within establishments that store a considerable amount of sensitive data. This includes health care facilities, financial institutions, government organizations and large retail businesses.

Double extortion ransomware attacks can be significantly more damaging for affected organizations than typical ransomware incidents. This is because even if organizations have protocols in place (e.g., storing data in multiple secure locations) that allow them to recover their compromised information without paying a ransom, they may still be pressured to do so in order to keep their data from going public. After all, a data breach can lead to further ramifications—including reputational damages, regulatory fines and class action lawsuits.

What’s more, cybercriminals who conduct double extortion ransomware attacks are known to demand higher ransom payments, sell or trade stolen data to other attackers for future extortion attempts and still move forward with sharing data publicly even after the ransom is paid (whether on purpose or by accident)—making these attacks all the more damaging.

Preventing Double Extortion Ransomware Attacks

When it comes to combatting double extortion ransomware attacks, it’s important to prioritize standard ransomware prevention measures. This includes conducting routine employee training on how to detect potential ransomware risks (e.g., suspicious emails or attachments), implementing policies that prohibit browsing nonsecure websites on organizational servers or devices, and installing adequate security features on all workplace technology (e.g., a virtual private network, antivirus programs, data encryption software, email spam filters, an internet firewall and a patch management system).

In addition to these key prevention measures, the best course of action for reducing double extortion ransomware attack risks is to establish an effective cyber incident response plan for your organization. This plan should explicitly address double extortion ransomware attack scenarios and outline steps that employees should take to limit the damages during such an event.

Lastly, it’s vital to secure appropriate insurance coverage for ultimate peace of mind in the event of a ransomware attack. A dedicated cyber insurance policy can offer much-needed support and resources when an attack occurs, minimizing the potential damages and financial impact on your organization.

For additional risk management guidance and insurance solutions, contact us today.

Read more
No Comments

Creating a Cybersecurity Culture

This article is from RISQ Consulting’s Zywave client portal, a resource available to all RISQ Consulting clients. Please contact your Benefits Consultant or Account Executive for more information or for help setting up your own login.

Employees are an organization’s first line of defense against cybercriminals. For this reason, they are also commonly targeted. In fact, the vast majority (88%) of data breaches are caused by employee mistakes, according to Stanford University. Unfortunately for organizations, a single mistake can result in costly losses, reputational damage and lost or stolen data.

In order to keep your organization safe from cybercriminals, cybersecurity must become an integral part of company culture—something that is valued and upheld by every member of the organization. Cybersecurity should be top of mind for every employee when choosing whether to click a link, open an email or download documents from the web.

This article contains tips for improving employee engagement and creating a cybersecurity culture that will help protect your organization against cybercriminals.

Cybersecurity Culture Explained

An organization’s security culture will not grow on its own. To transform security training into everyday practices, organizations must invest in their security culture and constantly nurture it. A strong and resilient cybersecurity culture can benefit an organization in a number of ways, including:

  • Protects the organization against cyberthreats and data breaches
  • Strengthens customer trust and loyalty
  • Improves brand reputation

Although many organizations recognize the benefits of having a cybersecurity culture, they may fail to successfully create one for multiple reasons. One of the most common reasons is a lack of employee buy-in. In fact, one survey found that 60% of organizations don’t believe they have successfully achieved employee buy-in for cybersecurity practices. Lack of executive buy-in is also a common cause of failure. This may result from outdated thinking that cybersecurity only belongs to the IT department or a lack of understanding about the pervasiveness of the issue.

Fortunately for organizations, the main stumbling blocks to creating a thriving cybersecurity culture can also guarantee success if leveraged effectively.

Best Practices

When cultivating a cybersecurity culture, organizations should consider the following best practices:

  • Engage the C-suite. Senior executives are sometimes resistant to adopting good cyber hygiene. This has to change if your organization is going to create a successful cybersecurity culture. Employees need to see management leading by example if they’re going to buy into a healthy cybersecurity culture. Encourage leaders to join the conversation and reinforce that cybersecurity is every employee’s responsibility.

Additionally, senior executives are one of the biggest targets for cybercriminals. Ensure they are doing their part in upholding cybersecurity values by teaching them how to identify and defend against targeted cyberattacks.

  • Inspire ownership of cybersecurity. Clearly communicate what’s at stake to your employees and explain that your organization needs their help. It’s not enough to simply explain changes to security protocols. Ensure employees understand why these changes have been made and what you’re trying to do to protect the organization. It’s imperative that employees understand that no security system is foolproof and, therefore, it’s up to them to minimize threats and avoid unnecessary risks.
  • Create engaging cybersecurity programs. Cybersecurity training should not be presented as a one-off occurrence. If you want your employees to embrace cybersecurity as part of their culture, provide fun training based on real experiences. Consider leveraging discussion forums, online games, in-person training and mock phishing exams as part of your holistic approach to cybersecurity learning. Brief and frequent lessons will also be more digestible and remind employees that cyber awareness is part of their corporate life.
  • Bring back the basics. When discussing cybersecurity, many organizations make the mistake of skipping basic training. This can cause confusion and prevent core cybersecurity values from resonating with employees. According to one survey, 50% of all employees haven’t had formal cybersecurity training, and 96% keep passwords saved on their devices for easy access. When creating and teaching good cyber hygiene, don’t forget basic principles such as strong password policies, two-factor authentication and limits on security, downloads and network access.
  • Make it easy. Ensure employees know where to report suspicious emails and how to check the authenticity of work-related communications. Whenever possible, encourage open lines of communication between your employees and the IT department. This will help encourage employees to proactively reach out to IT for help or to report mistakes.
  • Celebrate success. Make cybersecurity part of performance reviews and reward systems. It is also beneficial to acknowledge employee successes one-on-one by expressing appreciation or offering rewards for their commitment to your organization’s cybersecurity goals.

Conclusion

When workplace cybersecurity is treated as a simple check-the-box exercise, costly mistakes can occur. Teaching employees to value and take responsibility for their actions can help organizations reduce their chances of becoming a victim of a cyberattack.

Contact us today for more cyber guidance.

Read more
No Comments

General Cybersecurity Best Practices for Modern Vehicles

This article is from RISQ Consulting’s Zywave client portal, a resource available to all RISQ Consulting clients. Please contact your Benefits Consultant or Account Executive for more information or for help setting up your own login.

Modern vehicle technology has transformed in the past several years as autonomous driving, vehicle electrification and car connectivity features have become more common. While these digital innovations in the automotive industry have added significant customer value, they have also exposed vehicles to cybercriminals attempting to gain access to critical in-vehicle electronic units and data. This article discusses cybersecurity threats modern vehicles face, the importance of the automotive industry providing protections against those risks and best practices for minimizing cybersecurity threats.

Cybersecurity Threats in Modern Vehicles

These days, vehicles are becoming increasingly dependent on connectivity and technology that runs complex software. There are about 100 million lines of software code in today’s vehicles, and by 2030, they’re expected to have roughly 300 million. The overabundance of complex software code within vehicles offers ample opportunity for cyberattacks.

Cyberattacks on modern vehicles could endanger vehicle inhabitants and others, and they may also be used to track vehicles or related data. Hackers can accomplish these attacks through physical or remote avenues:

  • Physical access—When hackers gain physical access to a vehicle’s internal communication system, they can affect vehicle operations, such as steering, acceleration and braking.
  • Remote access—Modern vehicles utilize Bluetooth technology, remote start applications and GPSs. Once hackers gain remote access, they can transfer knowledge from computers to vehicles and vice versa.

Importance of Cybersecurity in Modern Vehicles

While in-car cybersecurity threats are still relatively new, they are an ongoing concern. It is now the responsibility of automakers to consider cybersecurity an integral part of their core business functions and development efforts. Systems and components that govern vehicle safety features must be protected from harmful attacks, unauthorized access, damage or other threats that might interfere with safety functions.

Best Practices

A layered approach to vehicle cybersecurity can help reduce the probability of an attack’s success and mitigate the ramifications of unauthorized system access. The following are general best practices for modern vehicle cybersecurity:

  • Leadership priority on product security—An emphasis on mitigating cybersecurity challenges associated with motor vehicles and motor vehicle equipment should be a priority for automotive industry suppliers and manufacturers. By stressing the importance of cybersecurity from the leadership level down to the staff level, corporations can emphasize the seriousness of managing cybersecurity risks and prioritize cybersecurity throughout the product development process.
  • Vehicle development process with explicit cybersecurity considerations—The entire lifecycle of a vehicle—conception, design, manufacture, sale, use, maintenance, resale and decommission—should be taken into consideration when addressing cybersecurity risks, especially since there is more flexibility to design and implement protective measures early in the development process.
  • Information sharing—In late 2014, the National Highway Traffic Safety Administration (NHTSA) encouraged the automotive industry to establish Auto-ISAC, an industry-driven community for sharing and analyzing intelligence about emerging cybersecurity risks to vehicles. Vehicle manufacturers, automotive equipment suppliers, software developers, communication services providers, aftermarket system suppliers and fleet managers are strongly encouraged to join Auto-ISAC and share timely information concerning cybersecurity issues.
  • Security vulnerability reporting program—Members of the automotive industry should make information reporting easy for the security research community and the general public to help identify cybersecurity vulnerabilities.
  • Organizational incident response process—While it’s not possible to predict all future attacks, organizations can prepare their responses, processes and staff to handle incidents effectively. Organizations should develop a product cybersecurity response process that includes:
    • A documented incident response plan
    • Roles and responsibilities that are clearly identified within the organization
    • Communication channels and contacts outside of the organization that are clearly identified
    • Procedures for keeping information up to date
  • Self-auditing—To establish a clear and controlled process for managing software and related vulnerability risks, organizations must ensure documentation and document controls are in place. For process management documentation, members of the automotive industry should:
    • Document the details related to their vehicle cybersecurity risk management process
    • Retain documents through the expected lifespan of the associated part
    • Implement and follow a control protocol

To assist companies in better understanding their cybersecurity practices and how to improve them, procedures for internal management and documentation review should also be established.

  • Education—Continuous education of existing and future workforces can assist in improving the cybersecurity of motor vehicles. NHTSA encourages vehicle manufacturers, suppliers, universities and other stakeholders to work together to support the educational efforts of the workforce.
  • Aftermarket/user-owned devices—Aftermarket devices, such as insurance dongles, and user-owned devices, such as cellphones, could present unique cybersecurity challenges. Before these devices are connected to vehicle systems through interfaces provided by the manufacturer, they should be authenticated and provided with appropriate, limited access.
  • Serviceability—The average motor vehicle requires regular maintenance and occasional repair to operate safely. The automotive industry should consider the serviceability of vehicle components and systems since vehicles can remain in use for over a decade.

Conclusion

The automotive industry can work towards protecting electronic systems, communication networks, control algorithms, software, users and underlying data from malicious attacks, damage, unauthorized access or manipulation by implementing cybersecurity best practices. Contact us today for more risk management guidance.

Read more
No Comments

9 Cyber Risk Questions Every Board Should Ask

This article is from RISQ Consulting’s Zywave client portal, a resource available to all RISQ Consulting clients. Please contact your Benefits Consultant or Account Executive for more information or for help setting up your own login.

When a data breach or other cyber event occurs, the damages can be significant, often resulting in lawsuits, and serious financial losses. What’s more, cyber exposures impact businesses of all kinds, regardless of their size, industry, or status as a private or public entity.

In order for organizations to truly protect themselves from cyber risks, corporate boards must play an active role. Not only does involvement from leadership improve cyber security, it can also reduce liability for board members. To help oversee their organization’s cyber risk management, boards should ask the following questions:

  1. Does the organization utilize technology to prevent data breaches?

Every company must have robust cyber security tools and anti-virus systems in place. These systems act as a first line of defense for detecting and preventing potentially debilitating breaches.

While it may sound obvious, many organizations fail to take cyber threats seriously and implement even the simplest protections. Boards can help highlight the importance of cyber security, ensuring that basic, preventive measures are in place.

These preventive measures must be reviewed on a regular basis, as cyber threats can evolve quickly. Boards should ensure that the management team reviews company technology at least annually, ensuring that cyber security tools are up to date and effective.

  1. Has the board or the company’s management team identified a senior member to be responsible for organizational cyber security preparedness?

Organizations that fail to create cyber-specific leadership roles could end up paying more for a data breach than organizations that do. This is because, in the event of a cyber incident, a fast response and clear guidance is needed to contain a breach and limit damages.

When establishing a chief information security officer or similar cyber leadership role, boards need to be involved in the process. Cyber leaders should have a good mix of technical and business experience. This individual should also be able to explain cyber risks and mitigation tactics at a high level so they are easy to understand for those who are not well-versed in technical terminology.

It should be noted that hiring a chief information security officer or creating a new cyber leadership role is not practical for every organization. In these instances, organizations should identify a qualified, in-house team member and roll cyber security responsibilities into their current job requirements. At a minimum, boards need to ensure that their company has a go-to resource for managing cyber security.

  1. Does the organization have a comprehensive cyber security program? Does it include specific policies and procedures?

It is essential for companies to create comprehensive data privacy and cyber security programs. These programs help organizations build a framework for detecting threats, remain informed on emerging risks and establish a cyber response plan.

Corporate boards should ensure that cyber security programs align with industry standards. These programs should be audited on a regular basis to ensure effectiveness and internal compliance.

  1. Does the organization have a breach response plan in place?

Even the most secure organizations can be impacted by a data breach. What’s more, it can often take days or even months for a company to notice its data has been compromised.

While cyber security programs help secure an organization’s digital assets, breach response plans provide clear steps for companies to follow when a cyber event occurs.

Breach response plans allow organizations to notify impacted customers and partners quickly and efficiently, limiting financial and reputational damage.

Board members should ensure that crisis management and breach response plans are documented. Specific actions noted in breach response plans should also be rehearsed through simulations and team interactions to evaluate effectiveness.

In addition, response plans should clearly identify key individuals and their responsibilities. This ensures that there is no confusion in the event of a breach and your organization’s response plan runs as smoothly as possible.

  1. Has the organization discussed and formalized a cyber risk budget? How engaged is the board in terms of providing guidance related to cyber exposures?

Both overpaying and underpaying for cyber security services can negatively affect an organization. Creating a budget based on informed decisions and research helps companies invest in the right tools.

Boards can help oversee investments and ensure that they are directed toward baseline security controls that address common threats. Boards, with guidance from the chief security officer or a similar cyber leader, should also prioritize funding. That way, an organization’s most vulnerable and important assets are protected.

  1. Has the management team provided adequate employee training to ensure sensitive data is handled correctly?

While employees can be a company’s greatest asset, they also represent one of their biggest cyber liabilities. This is because hackers commonly exploit employees through spear phishing and similar scams. When this happens, employees can unknowingly give criminals access to their employer’s entire system.

In order to ensure data security, organizations must provide thorough employee training. Boards can help oversee this process and instruct management to make training programs meaningful and based on more than just written policies.

In addition, boards should see to it that education programs are properly designed and foster a culture of cyber security awareness.

  1. Has management taken the appropriate steps to reduce cyber risks when working with third parties?

Working alongside third-party vendors is common for many businesses. However, whenever an organization entrusts its data to an outside source, there’s a chance that it could be compromised.

Boards can help ensure that vendors and other partners are aware of their organization’s cyber security expectations. Boards should work with the company’s management team to draw up a standard third-party agreement that identifies how the vendor will protect sensitive data, whether or not the vendor will subcontract any services and how it intends to inform the organization if data is compromised.

  1. Does the organization have a system in place for staying current on cyber trends, news, and federal, state, industry and international data security regulations?

Cyber-related legislation can change with little warning, often having a sprawling impact on the way organizations do business. If organizations do not keep up with federal, state, industry and international data security regulations, they could face serious fines or other penalties.

Boards should ensure that the chief information security officer or similar leader is aware of his or her role in upholding cyber compliance. In addition, boards should ensure that there is a system in place for identifying, evaluating and implementing compliance-related legislation.

Additionally, boards should constantly seek opportunities to bring expert perspectives into boardroom discussions. Often, authorities from government, law enforcement and cyber security agencies can provide invaluable advice. Building a relationship with these types of entities can help organizations evaluate their cyber strengths, weaknesses and critical needs.

  1. Has the organization conducted a thorough risk assessment? Has the organization purchased or considered purchasing cyber liability insurance?

Cyber liability insurance is specifically designed to address the risks that come with using modern technology—risks that other types of business liability coverage simply won’t cover.

The level of coverage your business needs is based on your individual operations and can vary depending on your range of exposure. As such, boards, alongside the company’s management team, need to conduct a cyber risk assessment and identify potential gaps. From there, organizations can work with their insurance broker to customize a policy that meets their specific needs.

How We Can Help

Asking thoughtful questions can help boards better understand the strategies management uses to prevent, detect and respond to data breaches. When it comes to cyber threats, organizations need to be diligent and thorough in their risk prevention tactics, and boards can help move the cyber conversation in the right direction.

Cyber exposures impact organizations from top to bottom, and all team members play a role in maintaining a secure environment. However, managing personnel and technology can be a challenge, particularly for organizations that don’t know where to start. Contact us today to learn more about cyber risk mitigation strategies you can implement today to secure your business.

Read more
No Comments

Mitigating BYOD and E-discovery Risks

This article is from RISQ Consulting’s Zywave client portal, a resource available to all RISQ Consulting clients. Please contact your Benefits Consultant or Account Executive for more information or for help setting up your own login.

The prevalence of employee-owned smartphones and other devices in workplaces across the country has grown considerably in the last few years and shows no sign of stopping.

A recent study by Bitglass found that 85% of organizations surveyed allowed their employees to use their personal devices for work functions. If it wasn’t obvious already, the “bring your own device” (BYOD) era is here to stay.

While there are numerous benefits of implementing a BYOD policy at your workplace, it can be problematic from an e-discovery standpoint, should your company enter litigation.

E-discovery Basics

Electronically stored information, or ESI, can be subject to discovery, which means it can be requested as evidence in court cases.

ESI is a category of discoverable information separate from print documents, and includes both structured and unstructured data such as emails, instant message logs, Word® documents, PowerPoint® presentations and scanned documents.

In litigation, e-discovery is the process of identifying, collecting, preserving, reviewing and producing relevant electronic data or documents as evidence. Determining which ESI is relevant is not simple due to the lack of precedence and established standards; however, it is important to be able to quickly access the right ESI.

While failing to produce all required ESI can be considered negligence, handing over too much data could mean disclosing privileged competitive information and jeopardizing corporate strategy or product plans.

BYOD’s Skyrocketing Popularity

Allowing employees to use their personal phones, laptops, tablets or other devices for work purposes has quickly become the new norm. Employees enjoy being able to use their own devices for several reasons:

  • They can get more work done on their own devices with a more flexible schedule.
  • They may prefer the operating systems of their own devices.
  • Company-provided devices may lack the functionality that employees desire.
  • Bringing personal activities into their work lives can lead to happier employees and more productivity.

Employees aren’t the only satisfied party. Employers can save money by not having to buy company-owned devices for employees to use, including technical support costs associated with diagnosing problems employees may have.

In addition, many employers can save on telecommunication costs, as employees are often willing to self-fund their own mobile plans.

BYOD Litigation Risks

Allowing employees to bring their own devices can seem like a pretty good deal for both sides. However, there are inherent risks with the practice, especially from a legal standpoint.

Employers must consider the following risks that may hinder the e-discovery process:

  • Since you do not own employees’ devices, you do not have total control over the devices and how they’re used.
  • There are many different types of data on devices, depending on the operating system, applications used, etc., and separating personal data from business data may be difficult.
  • Data on devices can be stored in several locations.
  • It is difficult to protect data on employees’ devices from harm, including theft and hacking.
  • Employers cannot just seize an employee’s device for discovery—they need consent from the employee.

Best Practices for BYOD Policies and the E-discovery Process

If you have a BYOD policy at your workplace, or are planning to implement one, consider the following to ensure it is comprehensive and e-discovery-friendly:

  • Have employees sign an agreement that lets them know how e-discovery requests will be handled, should the need arise.
  • Consider using Mobile Application Management (MAM), which allows employers to control how applications perform on employee devices. It can control application encryption and even wipe sensitive data off the phone of a former employee.
  • Consider purchasing and implementing one of the many applications capable of separating business data and personal data, making it easy for employers to locate discoverable data.
  • Mandate that employee devices be configured to save certain information directly to the company servers.
  • Create an acceptable use policy that lets employees know how you want them to handle company data on their personal devices.
  • Prohibit employees from uploading sensitive company data to any third-party cloud storage system, such as Dropbox, Google Drive or Box.
  • Sync data between employee devices and company servers regularly.
  • Educate employees on best practices for keeping all data on their devices safe—the devices may contain sensitive company information.
  • Mandate that employee devices be password-protected.
  • Ensure that your BYOD policy is forthright and outlines the exact process for e-discovery, including a clear chain of custody.
  • Ensure your IT and legal teams are on the same page. Your IT team should be able to advise the legal team on exactly what kinds of data are stored on employee devices and the best way to retrieve the data. The legal team, whether employed or contracted, should be familiar with the e-discovery process to advance the procedure as quickly as possible.
  • Require compliance with your BYOD policy. In addition, keep the policy flexible to keep up with the ever-changing data landscape.
  • Determine how you will handle the data on phones of former employees. Some companies remotely wipe former employees’ devices, but that can bring up questions about the ethics of deleting personal data from a device.
  • Carefully decide which employees can use their own devices. BYOD may not be relevant or useful for all employees.
  • Consider listing what devices are and are not acceptable. BYOD does not mean employees are free to use whatever device they wish. Employers may not want to offer support for certain devices due to the particular operating system or inherent security issues.
  • Always put data security ahead of employee device security. Your company’s data should always be your number one concern.

Contact RISQ Consulting today for more ways to help make sure your BYOD policy properly protects your company’s data.

Read more
No Comments