
Cyber-Attacks: Not IF but WHEN

“There are two kinds of companies. Those that have been hacked and those that have been hacked and don’t know it yet.” – Mike Rogers, Former Chairman of the House Intelligence Committee

The December KRS Insights Breakfast featured guest speaker Michelle Schaap, an attorney and cybersecurity expert with Chiesa Shahinian & Giantomasi, who spoke about how to protect your company from cyber-attacks. For those who missed the breakfast, we wanted to share some of Michelle’s eye-opening insights and recommendations.
Here are some of the many reasons why it is important for your company to start paying attention to cybersecurity:

  • More than 70% of cyber-attacks are against small to medium-sized companies.
  • IRS and other regulations across multiple industries require that you have cyber-insurance.
  • If your company gets hacked, you’re in breach of confidentiality clauses in contracts you have with other entities.
  • Getting hacked can put you in breach of your website’s privacy policy and FTC statutes.

As Michelle pointed out in her talk, timing is everything in detecting a security breach. The average time it takes a company to detect and identify a breach is 20 to 582 days and the average time to contain a breach is 7 to 175 days. “That leaves your company’s ‘Crown Jewels’ exposed for far too long,” she noted.

Data breaches are costly

In 2015, reported losses totaled over $1 billion, according to the Internet Crime Complaint Center. In the U.S., the average cost of a data breach was $217 per record. That means for a breach that involved 5,000 records, your company is looking at $1 million in tangible costs. There are intangible costs as well, such as the cost of business interruption, lost customers and lost trust.

Not surprisingly, 50% of small businesses that experienced a data breach are out of business within the following year.

Preparedness is from the top down

“You should be doing this yesterday,” said Michelle. “The bad actors update malware all the time and you need to keep up with the storm. It’s not once and done.”

She emphasized that the best way to get and stay prepared is to have the commitment to cybersecurity start with your organization’s senior executives. From there, it can work down through the organization from the Chief Information Security Officer (CISO) through the IT department and out to employees and third party vendors. “If your company doesn’t have a CISO, consider bringing in an outside consultant to fill this role. You need to invest in this,” she commented.

Data is everywhere – and needs to be protected

You need to be prepared and protected anywhere you receive, create, store, access, manage, transmit or use confidential or otherwise sensitive data. This includes locations outside your office.

“Wherever sensitive information will be accessed – whether it’s a hotel, Starbucks, or an airport – you need to protect it. The bad actors travel with devices that skim off computers,” said Michelle. “So you need to be mindful about where you are when you access data on your laptop.”

You also need to protect equipment such as copiers, cell phones and other devices, as well as the physical environment and technology which may store sensitive data and be vulnerable to hackers.

Have a plan

Today, more companies are required to have cyber-insurance coverage. To get coverage, you need to have a cybersecurity plan in place that includes policies and procedures for identifying and assessing vulnerabilities, mitigating risk, monitoring and detecting breaches, and responding and recovering from them.

“The day you discover you have been hacked is not the day to figure out how to respond,” said Michelle.

The good news is that you don’t have to figure this all out on your own. There are risk frameworks, such as ISO 27001 and the PCI Security Standards, which can help you prepare your cybersecurity plan. Third party consultants can also assist your firm in planning.

We’ve got your back

At KRS CPAs our goal is to make it as easy as possible for you to get the advice and counsel needed, so you can focus on what matters most to you. The KRS Insights Breakfast Series offers timely and relevant information from experts like Michelle Schaap, who can help you stay knowledgeable and prepared.

Visit our Insights page to subscribe to our newsletter and you’ll be notified about upcoming breakfasts plus other KRS news, events and resources.

Michelle Schaap practices primarily in the areas of cybersecurity preparedness and technology, construction law, corporate and commercial transactions, and franchising.

If you are concerned about your organization’s cybersecurity, contact her at 973.530.2026 or mschaap@csglaw.com.

Cybersecurity Mistakes You Cannot Afford To Make

Companies can’t afford to be asleep at the wheel when it comes to protecting personal and corporate data. Below are the five common mistakes you can’t afford to make when it comes to protecting assets from cyber-attacks.

Mistake #1: Assuming you’re not a target

Whether large or small, organizations in every industry are vulnerable to attack. The stories that make the news headlines are usually about theft of credit card data or personal identity information. As a result, companies that don’t handle this type of data often believe they are not a target. All companies need to recognize this risk and work to detect and prevent the devastating damage cyber-attacks can cause. While developing your plan, consider how your organization would respond if it does happen to you. This will help you react faster and potentially minimize the negative effect of a data breach.

Mistake #2: Approaching security as just an IT Issue

Many attacks come from the inside of an organization as a result of misuse, theft or loss of devices. A company-wide security policy including employee education, policies and procedures should be developed specifically for your business operations and employee device usage. Regular “audits” of the policies should be conducted to ensure compliance at all levels within the organization.

Mistake #3: Neglecting to understand and update your network

Organizations may never be able to prevent every attack; networks are too expansive and there are many opportunities to breach software. However, failing to understand the structure of your company’s network and where company data flows to and from will prevent you from knowing what to protect. Once you have determined what needs to be protected and systems are in place to protect your data, continued monitoring, testing and updating is necessary so that attackers do not gain new openings into your systems over time.

Mistake #4: Relying on anti-virus technologies

Anti-virus technologies are very helpful but are not sufficient to prevent advanced attacks. Hackers work at this non-stop and have evolved their tactics faster than anti-virus technologies can react. Updates to anti-virus and anti-malware software are necessary, but strong data security policies, testing and monitoring are also needed.

Mistake #5: Failing to use strong passwords

Passwords should be unique and complex. It is easy to use the same password for many different applications, and quite often this is what people do. The cyber attackers know this. Unique passwords for each application are best. Your passwords should also be complex. Never use words like “password” or “football”. “12345” is not a good password either. Your password should contain a combination of upper and lower case letters, numbers and symbols. A phrase with symbol substitutions, for example Th3king&! (The king and I), is one way to remember a complex password.
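As an added illustration (not from the talk or from KRS), here is a small Python checker that applies the rules in this section: the character mix, the weak examples named above, runs of sequential digits, and reuse of one password across applications. The blocklist and the sample credentials are constructed for the example; a real deployment would check candidates against a large breached-password list.

```python
import re
import string
from collections import defaultdict

# Constructed blocklist: the weak examples named in the text plus a few obvious ones.
WEAK_WORDS = {"password", "football", "12345", "qwerty", "letmein"}

# Undo common letter-for-digit/symbol swaps so "P@ssw0rd" is still caught as "password".
_UNLEET = str.maketrans("013457@$", "oleastas")


def has_sequential_digits(pw: str, run_len: int = 4) -> bool:
    """True if pw contains run_len or more consecutive ascending/descending digits."""
    for m in re.finditer(r"\d{%d,}" % run_len, pw):
        steps = {int(b) - int(a) for a, b in zip(m.group(), m.group()[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(pw: str, min_length: int = 8) -> list:
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    if len(pw) < min_length:
        problems.append("too short")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbol")
    lowered, unleeted = pw.lower(), pw.lower().translate(_UNLEET)
    if any(w in lowered or w in unleeted for w in WEAK_WORDS):
        problems.append("contains a common word or sequence")
    if has_sequential_digits(pw):
        problems.append("contains sequential digits")
    return problems


def find_reused(credentials: dict) -> dict:
    """Map each password used for more than one application to those applications."""
    by_password = defaultdict(list)
    for app, pw in credentials.items():
        by_password[pw].append(app)
    return {pw: apps for pw, apps in by_password.items() if len(apps) > 1}


if __name__ == "__main__":
    for candidate in ["password", "12345", "P@ssw0rd1!", "Th3king&!"]:
        print(candidate, "->", check_password(candidate) or "OK")
```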

As you can see, there is no single security solution for protecting your company’s data. Data security must consider the data and the systems as well as internal and external users. Your plan should also spell out a course of action if there is a cyber-attack and a breach of company data. A good action plan can limit the exposure and damage a data loss may cause.