Employees are the best defense against cyberattacks—if engaged properly.
With cybersecurity crimes expected to cost businesses an estimated $6 trillion annually in the coming years, companies of all sizes need to prioritize protecting themselves from potential breaches. While hackers tend to target financial companies more often than others, all industries are vulnerable—even mom-and-pop operations in the Midwest.
To stay safe, perhaps the first step a business should take is to cleanse itself of the idea that its operation is too small or unimportant to fall under attack. “You have to think a little more broadly than that,” says Jeff Schmidt, vice president and chief cybersecurity innovator at the Columbus Collaboratory, a rapid innovation company formed by AEP, OhioHealth, Battelle, L Brands, Huntington, Cardinal Health and Nationwide that's focused on cybersecurity and IT issues.
After all, almost all businesses keep computerized financial records or use email to communicate with employees, customers and suppliers. No matter the company, “you have IT information that supports your business,” says Rick Doten, chief of cyber and information security for the business management consulting firm, Crumpton Group in Arlington, Virginia.
Once you accept that reality, the company's top leaders need to meet with the IT department to assess the threat level and develop a cybersecurity plan. It's also necessary to engage the entire company to help stave off potential attacks. Education and training at all levels and in all departments are critical, experts say. The leadership team also needs to evaluate carefully the safety practices of its business partners to ensure they also are vigilant about cybersecurity.
Finally, companies should take advantage of resources designed by and for their industry that could protect them. While there is no set formula to determine how much of a company's budget should go toward cybersecurity, it's wise to stay abreast of industry standards and protocols.
The task of assessing and addressing the risks associated with cybersecurity can no longer fall to just the IT department, Doten says. The C-suite also must own the cybersecurity plan, understanding vulnerabilities, deciding on acceptable risks and determining how much money to spend. “IT experts are a lot like attorneys; they can provide knowledge and guidance to reduce the likelihood of a problem,” Doten says. “Managers make financial decisions. Technical people don't make financial decisions.”
The management team must be the ones to determine how long the company could be without the ability to accept orders, process paperwork or other key tasks without significantly affecting the bottom line, he says. “We need to elevate IT security from a technical problem to a risk management question,” Doten says.
If the company does not have someone empowered to make business decisions and engage with the IT department with a high level of understanding, it needs to hire someone with those skills—and then make sure the position is an executive level one, Schmidt says. To ensure more crossover between the fields, Helen Patton, chief information security officer for Ohio State University's Office of the CIO/Enterprise Security, would like to see MBA and executive training programs address cybersecurity.
Just as the IT department should not set the company's cybersecurity policy, it should not solely shoulder the company's efforts to counter threats, Patton says. She encourages corporate leaders to talk regularly with the employees about their role in keeping the company safe from cyberattacks. Often, it involves helping workers on all levels develop a new mindset. “[Employees think], ‘I'm not an important person. I'm not going to be targeted,’” she says. The reality is if you have “a computer with access to the Internet,” you're a target, she says.
Employees should be made aware of seasonal phishing scams, she says. In the coming weeks, hackers will likely send fake emails regarding income tax issues. At the holidays, they focus on notices about packages and shipping.
Companies also should encourage employees to use password managers at home and at work, experts say. Password managers allow users to have unique passwords for all of their accounts while requiring them to remember only one password that provides access to all the others. It's dangerous to have the same password for multiple accounts because if criminals hack into one system and discover passwords, they will try them on other applications.
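The mechanism behind that advice, as an added illustration that is not part of the article and not any vendor's product: one master password stands behind a different password for every account, and a simple check shows why the reused-password habit is the weak point. This example assumes a stateless scheme (my assumption, not the article's) in which each site's password is derived from the master password with PBKDF2 salted by the site name and a rotation counter; real password managers typically store randomly generated passwords in an encrypted vault instead, but the derivation here runs with only the Python standard library and shows the same properties.

```python
"""Added example (not from the article): one master password, many unique
site passwords, plus a check that flags password reuse across accounts.

Assumptions: site passwords are derived deterministically from the master
with PBKDF2-HMAC-SHA256, salted by site name and a counter. A compromised
site password does not reveal the master or any other site's password,
because PBKDF2 is one-way.
"""
import hashlib
import string
from collections import defaultdict
from typing import Dict, List

ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"
ITERATIONS = 100_000  # PBKDF2 work factor; raise it for real use


def _bytes_to_password(raw: bytes, length: int) -> str:
    """Map derived bytes onto ALPHABET, discarding bytes that would
    introduce modulo bias (256 is not a multiple of len(ALPHABET))."""
    limit = 256 - (256 % len(ALPHABET))
    chars = [ALPHABET[b % len(ALPHABET)] for b in raw if b < limit]
    if len(chars) < length:
        raise ValueError("not enough unbiased bytes; derive a longer key")
    return "".join(chars[:length])


def derive_site_password(master: str, site: str, counter: int = 1,
                         length: int = 20) -> str:
    """Derive a site-specific password from the master password.

    The salt binds the output to the site and a rotation counter, so the
    same master yields a different but reproducible password per site,
    and bumping the counter gives a fresh one when a site is breached.
    """
    salt = f"{site.lower()}:{counter}".encode()
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt,
                              ITERATIONS, dklen=4 * length)
    return _bytes_to_password(raw, length)


def find_reused_passwords(accounts: Dict[str, str]) -> List[List[str]]:
    """Return groups of account names that share the same password.

    Each group is the set of accounts an attacker gains with one leaked
    credential; an empty result means every account has a unique password.
    """
    by_password = defaultdict(list)
    for site, password in accounts.items():
        by_password[password].append(site)
    return sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)


# Constructed sample: the same three accounts before and after adopting
# a single master password with per-site derivation.
REUSED_ACCOUNTS = {
    "bank.example": "Summer2024!",
    "mail.example": "Summer2024!",
    "shop.example": "Summer2024!",
}


def build_vault(master: str = "correct horse battery staple",
                sites=("bank.example", "mail.example", "shop.example")) -> Dict[str, str]:
    """Derive one unique password per site from a single master password."""
    return {site: derive_site_password(master, site) for site in sites}


if __name__ == "__main__":
    print("reused before:", find_reused_passwords(REUSED_ACCOUNTS))
    vault = build_vault()
    for site, pw in vault.items():
        print(f"{site:14} {pw}")
    print("reused after:", find_reused_passwords(vault))
```

Run it and the reuse check names all three accounts as a single group before the change and returns nothing after, because each derived password differs even though the user only remembers one master secret; rotating a breached site's password is a matter of incrementing its counter.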
Sean A. Stoner, owner and president of the Columbus-based Title First Agency, prioritizes cybersecurity safety measures. The company offers regular training on the topic and makes a point to inform employees of breaches that have occurred within the title industry, which annually transfers billions of dollars.
He also launched a reward program that recognizes employees for identifying phishing emails and other potential scams. Every month, he gives gift cards to anyone who alerts the company to potential hazards. At the end of the year, he enters all of the gift card recipients into a drawing and sends one person on a trip.
Associates also are encouraged to keep cards offering a list of potential signs of a hack near their computer. They are asked to report anything that seems unusual, Stoner says.
The program, which has increased employee awareness, has had great results, he says. It works because “employees feel like they can make a difference,” he says. “It's a lot less expensive than paying for a threat.”
The company relies on other safety measures as well. None of the USB ports in the company computers work. The company restricts access to many websites. Employees working remotely must follow strict protocols in order to log into the system.
In addition to engaging employees, Stoner routinely invites his IT team into meetings with clients. The practice not only has made IT personnel more aware of what is at stake if a problem occurs, it has led to collaborative problem solving and demonstrates to customers the company's commitment to security, he says. “Now we hear [the IT department] say, ‘We'll figure out a way,’ where in the past they might have said, ‘We can't do that; it's too expensive.’”
Stoner also relies on advice from industry experts. His company has undergone security audits, which keep him informed of state and federal policies regulating his industry. Those practices make good sense, says David Stein, chair of Bricker & Eckler's banking and financial services group in Columbus. “There's no need to reinvent the wheel,” he says.
It's also wise to hold your suppliers and vendors to a high standard of accountability, Stein adds. When vetting partner companies, it's imperative to ask about their cybersecurity policies and deal with only those organizations with practices in line with yours, he says. In 2013, hackers accessed about 40 million debit and credit card accounts used at Target stores by breaching a company that provided HVAC services to the retailer. “Vendor management is a very big tool in dealing with data security,” he says. “Vendors are a big hole. Just like employees, vendors can't be ignored.”
Companies also should be sure to develop a plan for handling a breach should one occur, Stein says. The plans should address the many risk scenarios, how they will be dealt with and what roles key players will take, he says.
“Every business—large and small—needs to have [an] information security plan,” he says. “It ought to be reasonable for the size and scope of the business and their industry. Whether you're [a] major multi-national company or a mom-and-pop store with one location, each of those companies needs to have a plan.”
Melissa Kossler Dutton is a freelance writer.