9 Cyber Risk Questions Every Board Should Ask
This article is from RISQ Consulting’s Zywave client portal, a resource available to all RISQ Consulting clients. Please contact your Benefits Consultant or Account Executive for more information or for help setting up your own login.
When a data breach or other cyber event occurs, the damages can be significant, often resulting in lawsuits and serious financial losses. What’s more, cyber exposures impact businesses of all kinds, regardless of their size, industry, or status as a private or public entity.
In order for organizations to truly protect themselves from cyber risks, corporate boards must play an active role. Not only does involvement from leadership improve cyber security, it can also reduce liability for board members. To help oversee their organization’s cyber risk management, boards should ask the following questions:
- Does the organization utilize technology to prevent data breaches?
Every company must have robust cyber security tools and anti-virus systems in place. These systems act as a first line of defense for detecting and preventing potentially debilitating breaches.
While it may sound obvious, many organizations fail to take cyber threats seriously and implement even the simplest protections. Boards can help highlight the importance of cyber security, ensuring that basic, preventive measures are in place.
These preventive measures must be reviewed on a regular basis, as cyber threats can evolve quickly. Boards should ensure that the management team reviews company technology at least annually, ensuring that cyber security tools are up to date and effective.
- Has the board or the company’s management team identified a senior member to be responsible for organizational cyber security preparedness?
Organizations that fail to create cyber-specific leadership roles could end up paying more for a data breach than organizations that do. This is because, in the event of a cyber incident, a fast response and clear guidance are needed to contain a breach and limit damages.
When establishing a chief information security officer or similar cyber leadership role, boards need to be involved in the process. Cyber leaders should have a good mix of technical and business experience. This individual should also be able to explain cyber risks and mitigation tactics at a high level so they are easy to understand for those who are not well-versed in technical terminology.
It should be noted that hiring a chief information security officer or creating a new cyber leadership role is not practical for every organization. In these instances, organizations should identify a qualified, in-house team member and roll cyber security responsibilities into their current job requirements. At a minimum, boards need to ensure that their company has a go-to resource for managing cyber security.
- Does the organization have a comprehensive cyber security program? Does it include specific policies and procedures?
It is essential for companies to create comprehensive data privacy and cyber security programs. These programs help organizations build a framework for detecting threats, remaining informed on emerging risks and establishing a cyber response plan.
Corporate boards should ensure that cyber security programs align with industry standards. These programs should be audited on a regular basis to ensure effectiveness and internal compliance.
- Does the organization have a breach response plan in place?
Even the most secure organizations can be impacted by a data breach. What’s more, it can often take days or even months for a company to notice its data has been compromised.
While cyber security programs help secure an organization’s digital assets, breach response plans provide clear steps for companies to follow when a cyber event occurs.
Breach response plans allow organizations to notify impacted customers and partners quickly and efficiently, limiting financial and reputational damage.
Board members should ensure that crisis management and breach response plans are documented. Specific actions noted in breach response plans should also be rehearsed through simulations and team interactions to evaluate effectiveness.
In addition, response plans should clearly identify key individuals and their responsibilities. This ensures that there is no confusion in the event of a breach and your organization’s response plan runs as smoothly as possible.
- Has the organization discussed and formalized a cyber risk budget? How engaged is the board in terms of providing guidance related to cyber exposures?
Both overpaying and underpaying for cyber security services can negatively affect an organization. Creating a budget based on informed decisions and research helps companies invest in the right tools.
Boards can help oversee investments and ensure that they are directed toward baseline security controls that address common threats. Boards, with guidance from the chief security officer or a similar cyber leader, should also prioritize funding. That way, an organization’s most vulnerable and important assets are protected.
- Has the management team provided adequate employee training to ensure sensitive data is handled correctly?
While employees can be a company’s greatest asset, they also represent one of its biggest cyber liabilities. This is because hackers commonly exploit employees through spear phishing and similar scams. When this happens, employees can unknowingly give criminals access to their employer’s entire system.
In order to ensure data security, organizations must provide thorough employee training. Boards can help oversee this process and instruct management to make training programs meaningful and based on more than just written policies.
In addition, boards should see to it that education programs are properly designed and foster a culture of cyber security awareness.
- Has management taken the appropriate steps to reduce cyber risks when working with third parties?
Working alongside third-party vendors is common for many businesses. However, whenever an organization entrusts its data to an outside source, there’s a chance that it could be compromised.
Boards can help ensure that vendors and other partners are aware of their organization’s cyber security expectations. Boards should work with the company’s management team to draw up a standard third-party agreement that identifies how the vendor will protect sensitive data, whether or not the vendor will subcontract any services and how it intends to inform the organization if data is compromised.
- Does the organization have a system in place for staying current on cyber trends, news, and federal, state, industry and international data security regulations?
Cyber-related legislation can change with little warning, often having a sprawling impact on the way organizations do business. If organizations do not keep up with federal, state, industry and international data security regulations, they could face serious fines or other penalties.
Boards should ensure that the chief information security officer or similar leader is aware of his or her role in upholding cyber compliance. In addition, boards should ensure that there is a system in place for identifying, evaluating and implementing compliance-related legislation.
Additionally, boards should constantly seek opportunities to bring expert perspectives into boardroom discussions. Often, authorities from government, law enforcement and cyber security agencies can provide invaluable advice. Building a relationship with these types of entities can help organizations evaluate their cyber strengths, weaknesses and critical needs.
- Has the organization conducted a thorough risk assessment? Has the organization purchased or considered purchasing cyber liability insurance?
Cyber liability insurance is specifically designed to address the risks that come with using modern technology—risks that other types of business liability coverage simply won’t cover.
The level of coverage your business needs is based on your individual operations and can vary depending on your range of exposure. As such, boards, alongside the company’s management team, need to conduct a cyber risk assessment and identify potential gaps. From there, organizations can work with their insurance broker to customize a policy that meets their specific needs.
How We Can Help
Asking thoughtful questions can help boards better understand the strategies management uses to prevent, detect and respond to data breaches. When it comes to cyber threats, organizations need to be diligent and thorough in their risk prevention tactics, and boards can help move the cyber conversation in the right direction.
Cyber exposures impact organizations from top to bottom, and all team members play a role in maintaining a secure environment. However, managing personnel and technology can be a challenge, particularly for organizations that don’t know where to start. Contact us today to learn more about cyber risk mitigation strategies you can implement today to secure your business.
Mitigating BYOD and E-discovery Risks
The prevalence of employee-owned smartphones and other devices in workplaces across the country has grown considerably in the last few years and shows no sign of stopping.
A recent study by Bitglass found that 85% of organizations surveyed allowed their employees to use their personal devices for work functions. If it wasn’t obvious already, the “bring your own device” (BYOD) era is here to stay.
While there are numerous benefits of implementing a BYOD policy at your workplace, it can be problematic from an e-discovery standpoint, should your company enter litigation.
E-discovery Basics
Electronically stored information, or ESI, can be subject to discovery, which means it can be requested as evidence in court cases.
ESI is a category of discoverable information separate from print documents, and includes both structured and unstructured data such as emails, instant message logs, Word® documents, PowerPoint® presentations and scanned documents.
In litigation, e-discovery is the process of identifying, collecting, preserving, reviewing and producing relevant electronic data or documents as evidence. Determining which ESI is relevant is not simple due to the lack of precedent and established standards; however, it is important to be able to quickly access the right ESI.
While failing to produce all required ESI can be considered negligence, handing over too much data could mean disclosing privileged competitive information and jeopardizing corporate strategy or product plans.
BYOD’s Skyrocketing Popularity
Allowing employees to use their personal phones, laptops, tablets or other devices for work purposes has quickly become the new norm. Employees enjoy being able to use their own devices for several reasons:
- They can get more work done on their own devices with a more flexible schedule.
- They may prefer the operating systems of their own devices.
- Company-provided devices may lack the functionality that employees desire.
- Bringing personal activities into their work lives can lead to happier employees and more productivity.
Employees aren’t the only satisfied party. Employers can save money by not having to buy company-owned devices for employees to use, and they avoid the technical support costs associated with diagnosing problems employees may have with those devices.
In addition, many employers can save on telecommunication costs, as employees are often willing to self-fund their own mobile plans.
BYOD Litigation Risks
Allowing employees to bring their own devices can seem like a pretty good deal for both sides. However, there are inherent risks with the practice, especially from a legal standpoint.
Employers must consider the following risks that may hinder the e-discovery process:
- Since you do not own employees’ devices, you do not have total control over the devices and how they’re used.
- There are many different types of data on devices, depending on the operating system, applications used, etc., and separating personal data from business data may be difficult.
- Data on devices can be stored in several locations.
- It is difficult to protect data on employees’ devices from harm, including theft and hacking.
- Employers cannot just seize an employee’s device for discovery—they need consent from the employee.
Best Practices for BYOD Policies and the E-discovery Process
If you have a BYOD policy at your workplace, or are planning to implement one, consider the following to ensure it is comprehensive and e-discovery-friendly:
- Have employees sign an agreement that lets them know how e-discovery requests will be handled, should the need arise.
- Consider using Mobile Application Management (MAM), which allows employers to control how applications perform on employee devices. It can control application encryption and even wipe sensitive data off the phone of a former employee.
- Consider purchasing and implementing one of the many applications capable of separating business data and personal data, making it easy for employers to locate discoverable data.
- Mandate that employee devices be configured to save certain information directly to the company servers.
- Create an acceptable use policy that lets employees know how you want them to handle company data on their personal devices.
- Prohibit employees from uploading sensitive company data to any third-party cloud storage system, such as Dropbox, Google Drive or Box.
- Sync data between employee devices and company servers regularly.
- Educate employees on best practices for keeping all data on their devices safe—the devices may contain sensitive company information.
- Mandate that employee devices be password-protected.
- Ensure that your BYOD policy is forthright and outlines the exact process for e-discovery, including a clear chain of custody.
- Ensure your IT and legal teams are on the same page. Your IT team should be able to advise the legal team on exactly what kinds of data are stored on employee devices and the best way to retrieve the data. The legal team, whether employed or contracted, should be familiar with the e-discovery process to advance the procedure as quickly as possible.
- Require compliance with your BYOD policy. In addition, keep the policy flexible to keep up with the ever-changing data landscape.
- Determine how you will handle the data on phones of former employees. Some companies remotely wipe former employees’ devices, but that can bring up questions about the ethics of deleting personal data from a device.
- Carefully decide which employees can use their own devices. BYOD may not be relevant or useful for all employees.
- Consider listing what devices are and are not acceptable. BYOD does not mean employees are free to use whatever device they wish. Employers may not want to offer support for certain devices due to the particular operating system or inherent security issues.
- Always put data security ahead of employee device security. Your company’s data should always be your number one concern.
Contact RISQ Consulting today for more ways to help make sure your BYOD policy properly protects your company’s data.
We’ve Gone Soft on Soft Skills
By Jennifer Outcelt, Creative Content Architect
Covid gets a lot of the blame for everything we don’t like about our current society. While no one could claim Covid as beneficial without first being berated for such a callous insinuation, perhaps Covid does deserve a few props for exposing some existing societal gaps that might have otherwise snuck under the radar. I’m talking about the dwindling emphasis on soft skills in the classroom.
This week my father sent me a link to the article COVID has revealed the soft skills gap among America’s youth: It’s time we address it. The context of this article within his email was regarding his pride for how I turned out as a working adult and how he believed my mastery of these endangered soft skills was directly correlated with my successes. After reading the article I immediately felt a terrible sadness for the upcoming generations. My dad was right; honing soft skills was a huge part of my schooling and extracurricular activities. Without that emphasis I’m not sure I would have carried myself as far as I have.
Please don’t read my above statement as synonymous with the stereotypical sentiment of the elderly that (to be read in a wilting, aged voice), “this generation of young whippersnappers is inferior compared to my generation!” Indeed, I do not hold this belief. Each new generation builds forward from the hard work and sacrifices of the previous one and deserves to create a world that belongs to them. As our societies evolve, so do our perceptions of what is important. Many of these changes can be justified, yet some can be detrimental. We may not realize which is which until it’s too late.
Sometimes technology renders previously important skills obsolete for the majority of people; darning socks, for example. What used to be a necessary skill for the upkeep of a scarce commodity is now relatively unnecessary, given convenient and cheap access to new socks.
What technology will not take away is the need for leadership, interpersonal communication, empathy, time management, and creative thinking skills. Unfortunately, these are not formally taught skills in the public school curriculum. These skills are fostered in extracurricular activities like sports, debate, theatre, JROTC, Odyssey of the Mind, scouts, and any other program that brings together a group of youths to accomplish common goals. The pandemic (and let’s face it, a bit of laziness on society’s part as a whole) has taken away these extracurricular activities and rendered millions of children deficient in these soft, yet invaluable, skills.
Check out this article to read more about why this has happened and what toll it could take on our future.
https://www.foxnews.com/opinion/covid-revealed-soft-skills-gap
Expectation vs. Reality – The Digitization Dilemma
By Andrew Kupperman, Employer Services and Workforce Technology Consultant
When an Employee starts working with an Employer, there are a variety of different expectations that go into forming that Employee/Employer relationship. For example, the Employer is going to expect the Employee to show up to their job and do the work asked of them. Correspondingly, the Employee is going to expect to be compensated for the work that was asked of them. These are the basic expectations at the heart of every Employee/Employer relationship, but they set a very important tone for all other expectations derived from this ongoing relationship.
Additional relationship building expectations include the Employer providing the Employee the tools, resources, and training to be able to do the work that is asked of them. In many organizations, one tool in particular – technology – often creates friction in the Employee/Employer relationship. There are a lot of reasons why this occurs.
CAPABILITIES
Workplace technologies don’t typically have comparable capabilities to the technology we all use daily in our personal lives. In fact, when looking at some capabilities in workplace technology, you could probably go back 5, 10, or even 15 years to see those capabilities being released for personal use. Don’t get me wrong, I know there are thousands (yes thousands) of technology vendors trying to close this gap for workplace technology, but because these gaps still exist, there is a gap that exists in what the Employee expects from their Employer, which can strain the relationship. This is especially true for younger workers just entering the workforce.
BRIGHT SHINY OBJECT SYNDROME
More often than I’d personally like to see, organizations decide to purchase and implement new technology just because of a cool demo someone saw. A word to the wise: the demo isn’t how your organization is going to receive that technology out of the gate – it needs to be built and implemented in order to eventually get there.
If you’ve ever seen Jason Averbook speak (the CEO and Founder of Leapgen, an organization that consults around workforce technology with Fortune 500 and very large global organizations, and a thought leader in the workforce technology space), he often discusses the difference between implementing technology and an organization successfully digitizing its processes. He uses a formula to describe that the digital equation for success includes 20% organizational mindset about digitizing, 25% the people (i.e., Employees) involved in using technology, 45% understanding and aligning processes, and only 10% the actual technology system, which is just the tool being used.
I know organizations want to be able to adopt and use technology like we do in our personal lives. But most organizations are big, clunky, and slow moving, so it’s hard to just try out a new technology tool and then scrap it a few days later because you don’t like it (like we do with apps on our phone). In most organizations, operating in such a manner would be fiscally irresponsible and cost them tens of thousands of dollars annually, if not more.
OWNERSHIP
Lastly, an organization’s leadership often owns the technology selection, implementation, and workflow processes. Again, there is an expectation in the Employee/Employer relationship here, as the Employer provides the Employee with the technology. There will be times that the leadership delegates these components to different areas of the business (for example when looking at finance, HR, or operational technologies). However, in doing so, they unknowingly create silos within the organization and don’t strategically think about how adopting these new technologies can impact other areas of a business.
An even more unfortunate scenario is when only one or two of those components are delegated (maybe the implementation or workflow processes). By not including key stakeholders in the selection process, an organization opens itself up to failing to meet the goals set out for adopting that technology. I understand and agree that the leadership often needs to be involved from a budgetary standpoint, but by not looping in those stakeholders to help select the technology they’ll be working in, it can be like forcing people to use those bloatware apps that come preinstalled on your new smartphone… but that no one ever ends up using. This too can strain the Employee/Employer relationship.
SOLUTION
There are definitely other reasons why the expectations around workplace technology can create friction, but the crux of the issue (at least as I see it) involves Employers not being strategic enough in considering the people and processes currently involved when they first set out to adopt new technology. They naively expect an instant and miraculous return on investment from their Employees who are using that technology. Employers need to remember that most people are innately change averse, and not considering them when forcing change upon them is more likely to end in poor experiences for everyone.
The solution seems simple. Employers should find ways to involve and empower their Employees when it comes to providing technology to them. If Employers can find a way to give Employees the opportunity to be involved in selection and allow them to experiment with technology like they do in their personal lives (if the Employer’s budgetary needs are considered), this will create buy-in and will lead to success when meeting organizational goals relative to adopting new technology. It is a bit of a mind shift based on the expectations as part of the predicated Employee/Employer relationship, but by creating the ownership and accountability for Employees, you’re also creating more ENGAGED Employees.
Getting Smart About Your Risk
By Joshua Weinstein, Employee Benefits President
Without risk, life would be drab. Without the opportunity to fail, success, and even life, loses its luster and meaning. For example, if a cliff dive ensured absolutely no harm, would it be quite as thrilling or appealing? If presenting in front of others had a 100% chance of going flawlessly, what significance would your preparation and “learning from mistakes” have? Life is not defined by the easy, but rather by slogging through some suffering. That being said, humanity can generally plan toward good outcomes by acknowledging and addressing life’s unseen “slippery banana peels” as best as possible. Risk isn’t an inherent problem. It’s not unexpected. It’s quite manageable, and it can teach all of us boatloads. The best run businesses have figured out how to manage risks so they can focus on growth and not on threats.
RISQ Consulting will help you be smart about risks through our proprietary Business HealthIQ™ (BHIQ) process. The BHIQ is a collaborative journey that assesses and inventories your organization’s risks across key areas, such as workforce, compliance, technology, employee benefits, and general risk management. You will be working with a strategic consultant, and a plan will be constructed that encompasses the goals of your organization in conjunction with the most suitable approaches to address risk wisely.
Want to learn more? Try out a mini, self-guided version of the BHIQ to see how the planning begins. You’ll get a summary in a few minutes that provides some tangible next steps on how to be strategic with your risks.
Short samples:
- We can mutually decide how best to prevent the unwanted things from happening, such as high rates of employee turnover.
- We can mitigate risks such as data loss and errors by advising on consolidated technology platforms and tools that are right for your industry and mission.
- We might choose to transfer risks to a third party when doing so adds efficiencies, reduces exposures and costs, and improves your ability to focus on your business’ core mission.
- Sometimes, retaining or assuming risk is the smart play, even up to a specified amount. Keeping some liability on your financials can reduce premium costs and often improves leadership involvement in creating great outcomes for your business.