Cyber Risk - Now, It IS the Daily News (article)
“The United States faces unprecedented cyber security threats.”
-Tom Ridge, former Homeland Security Secretary
“Cyber risk is growing exponentially.”
-Ray Kelly, former NYPD Commissioner and former leader of
risk management services at Cushman & Wakefield
Cyber intrusions are no longer one-off events. Cyber issues are a fact of doing business. Cyber risk should be top of mind for business owners and executives across all business sectors and industries – retailers, service providers, financial institutions, property managers – there is no safe haven.
According to Ryan Vela, Dallas-based regional director of North America reactive and proactive cybersecurity services at Fidelis Cybersecurity, “70% of security professionals think they have done enough with respect to security, but 40% still expect to be breached.”1
While the threat is acknowledged, directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue, according to the National Association of Corporate Directors.
How vulnerable are you? Well, let’s begin with email. Vela recalled an incident where a hacker who was already in a large oil company's system noticed that one work group ordered takeout from a Chinese restaurant every Friday. The hacker created a PDF labeled as an updated menu. When workers clicked on the menu, the hacker was able to download code to user PCs, giving them access to business data.
But email is hardly the only way in. Printers, thermostats and video conference equipment – even VPN connections – can provide entrée to your system.
In his exclusive November 2015 interview with GlobeSt.com, Kelly discussed specifically how the commercial real estate community is at risk. He noted that while the growing trend of conducting operations through the internet offers clear cost and control advantages, there are also clear vulnerabilities. Important services like HVAC can be tampered with or shut down; contractors and vendors holding key data may be vulnerable.
While suggesting that employee training and clear security policies can close the door to nearly 80% of intrusions caused by employee carelessness, Kelly advocates establishing “multi-disciplined teams” with C-suite leadership that can respond to both online and onsite security events.
From “Best” Practice to “Essential” Practice
When cybersecurity is not part of the business process, it leaves a company vulnerable to a range of security issues. Prevention and protection measures are critical. These should include both risk analysis through assessment and risk mitigation through the growing pool of cyber-focused insurance products and internal operational safeguards. If this topic is within your sphere of responsibility, you may want to check out our Cybersecurity Quick Assessment and will find articles of interest on our blog (search “cyber”).
For additional information, contact Chris Roach, National IT Practice Leader for CBIZ Risk & Advisory Services, or Damian Caracciolo, Vice President, CBIZ Executive Risk.
1Cyber hackers often target equipment, systems that are never checked, Business Insurance, 10/27/15.