Keeping your data and electronic systems safe is critical to the success of your business. A panel of experts was assembled from the following three perspectives to guide us on protecting our businesses:
- Legal and Policy – Allison M. Adams, cyber security attorney from Schenk Annes Tepper Campbell, Ltd.
- Cyber Insurance – Mike Richmond, a Risk Adviser and Cyber Expert from The Horton Group
- Technical / Governance – Bruce Ward, a security expert from Peters & Associates
What type of questions were asked?
Using business risk as the common thread, the CFOs, board execs and influencers wanted to know:
- How should a company compare the cost effectiveness of protecting itself versus the risk of loss?
- Assuming a data breach or a fraudulent transaction has been detected, what actions should a company undertake?
- What processes exist, or do not exist, within a company that can allow employees to steal or destroy company assets?
What did the experts say?
Several compelling statements and questions were addressed. A few highlights are below:
- Allison discussed recent court judgments where class action filings have standing regarding consulting pay of an hourly rate with a portion of that rate intended to protect data. This provides a framework for legal decisions to be made now that standing has been established.
- Mike stated that data IS your organization’s asset, and that it is logical not only to inventory your data but also to quantify its significance to your organization in order to gauge the security measures required. $221 per record was the referenced yardstick. Beyond the number, another $600+ / record exists in reputation damage, contract reduction, and revenue loss. How many records is your organization chartered to protect? Bruce added that significant data can usually be found in the following locations:
| Human Resources – personnel files | Research and Development – patents |
| Operations – customer accounts, production | IT – passwords, security architecture |
| Financials – past / present / future reporting | Third Party – outsourced vendors |
- Bruce shared several stories on findings from the field. The biggest thing he has seen is the need for mid-size businesses to have the capability to address questionnaires, meet compliance objectives, or even respond to RFPs with a documented security architecture. Other shared thoughts included the need for:
  - Managed Incident Response plans, including documented plans, system preparation (logging), forensic teams, and even Bitcoin payment capabilities
  - Technical controls to prevent malicious, as well as accidental, data losses