Information risk is an emerging concern for many businesses. Are you ready for the complicated and costly responses to Internet-based liabilities?
Though most business leaders acknowledge the risks, a recent poll suggests most are not ready for an electronic security breach.
Some companies, such as those dealing with medical or financial information, must be particularly careful. Considering current cultural reliance on the Internet, however, it is unlikely that any business is free from risk.
Your exposure in cyberspace includes any electronic data stored on or accessible through the Internet. This would include clients, providers and employees that can be associated with you on the web.
Information risk can take many forms. Some of your potential exposures include:
Taking steps to limit your information risk is worth time, energy, and financial investment as it may save you much more of all three than it costs.
Cyberliability insurance is a must-have. Your existing liability coverage, including errors and omissions, will not cover most cyberliability incidents. This coverage can be tailored specifically for your company’s needs, and premiums are based on industry-specific risks.
A cyberliability policy will cover any liability that arises out of unauthorized use of electronic data or software within your network or business. Policies also may provide coverage for claims for spreading a virus or malicious code, computer theft, extortion, or any unintentional act, mistake, error, or omission made by your employees while performing their job.
In considering your response to information risk, insurance is a wise choice. But cyber risk is one of those wicked problems you can’t just write a check to make go away. Insurance only deals with the post-breach side of the issue, while prevention measures will reduce both your vulnerability and your premium costs. There are three primary areas you can focus on:
With information risk, it pays to be a skeptic, a cynic, and a worrier. Look for all possible ways you could be at risk. There are three areas in which issues arise: system glitches, malicious attacks, and negligent insiders.
Pay particular attention to your most sensitive information. Things like credit card and social security numbers are targeted and must receive the highest levels of protection. Develop a system to classify your data so proper protocol can be followed in each case.
Establish and document security practices that reduce your information risk. The primary focus should be on systematizing your electronic and Internet protocols and then training employees and keeping them accountable. No amount of software or brilliant procedures will protect you if employees do not implement them properly.
One of the most beneficial and underutilized security measures is password management. Set requirements for length and complexity that employees must meet.
Implement appropriate protective software such as anti-virus and firewalls. These products are updated constantly and must be kept current. If you do not have someone in-house in charge of security, consider a consulting firm. The cost of outside consultants often reduces the overall cost of information risk management both before and after an incident.
Information risk is a significant field of battle for all businesses. The more you attract clients and meet their needs, the more likely you will be a target. Taking practical steps to reduce your collective exposure will be an increasingly beneficial investment in your company and those it serves.