10 Cyber Security Questions Business Owners Should Ask Their IT Department (Part 2)

10 Cyber Security Questions Business Owners Should Ask Their IT Department (Part 2)

Blog

Cyber Security

Cyber Security Questions | Part 2

This is Part 2 of our post to help business owners understand which cyber security questions should be the basis of a readiness discussion with their IT Team. If you have any concerns or doubts, please give us a call. We offer an in depth Network Security Assessment that will improve your risk and vulnerability visibility and a Managed Detection and Response service that will protect your network with continuous packet-level analysis and proactive threat hunting. 

Here are questions 6 through 10. Be sure to visit Part 1 or download the PDF below to see all 10 questions.

6.If you suspected an intrusion in our network, how would the process work to remediate and who would make the decisions on what we should do?

All 50 states have breach notification requirements some with as little as 72 hours before significant penalties kick in. However, few businesses have an adequate plan in place to identify a system security breach and know what to do next. The IT department will rush to fix the problem possibly destroying important evidence pointing to the identity of the culprits and likely not finding the root source of the problem. Who will you call for help? Jumping the gun can be costly too if experts determine there was no incursion. A football team wouldn’t walk onto the field without a playbook, yet the folks that are managing your livelihood may be acting without a plan.

7.If an attack resulted in an outage, how long would it take to be fully functional with the affected systems?

If ransomware from an accidentally clicked phishing email was to encrypt the hard drives of your key systems and you were unable to process orders for days or weeks, how much would that cost you? It cost FedEx and its European affiliate, TNT Express, $300 million and resulted in a damaged reputation and lost business. The CEO said the attack “posed significant operational challenges”.

What “operational challenges” are you willing to accept?

8.How do we stay current on the cyber risks we face in our industry and the marketplace?

In 2005, researchers estimated that a new virus was created every 12 minutes. In 2015, they estimated that 4 pieces of malware were created every second. Experts believe antivirus software, although necessary, is still only typically 40% to 60% effective. With sophisticated nation-states, foreign intelligence services, organized crime syndicates, foreign universities and others actively pursuing American businesses, having access to up to date information and cybersecurity expertise in identifying the tactics, techniques, and procedures (TTP) of these adversaries is key to being successful. Most businesses try to do it on their own and often fail as a result.

9.Do we have cyber insurance to cover us if something was to happen? What would it cover? What would it not cover?

Cyber insurance is an important tool to transfer some of your cyber risk to a 3rd party but it doesn’t cover everything and it may cover nothing. Policies and coverage vary from carrier to carrier. There are few standards and evolving case law in how policies are interpreted. A detailed analysis of the amount and the types of coverage that you maintain, and how they work in conjunction with your other insurance policies is critical to analyze. Additionally, look to see who manages an “incident” if one is declared. It may not be you – even though it’s your business.

10.How do we know that the money we are spending is being used most effectively to secure the organization?

Businesses have rushed to improve their security by purchasing expensive technology and software, expecting that “it” will protect them from these adversaries. While these tools may have a role, their effectiveness may wane quickly as new attacks arise while costs continue to mount. A periodic thoughtful discussion with your IT management team and knowledgeable outside experts covering topics such as: current risks, the evolving threat environment, your current security posture, current capabilities (technology and people), future business requirements and the effectiveness of your security program will help you better prioritize needs and make more effective decisions.

Next Steps

What level of risk are you willing to accept? Sit down with your IT team and discuss these key questions to determine your comfort level today and into the future.  If you would like a second opinion on your security posture, be sure to engage a knowledgeable team of cybersecurity experts to help identify and fill the gaps in your strategy and operations.

Be sure to read Part 1 for the first 5 questions:
10 Cyber Security Questions Business Owners Should Ask Their IT Department (Part 1)

 

10 Cyber Security Questions Business Owners Should Ask Their IT Department (Part 1)

10 Cyber Security Questions Business Owners Should Ask Their IT Department (Part 1)

Blog

Cyber Security

Cyber Security Questions | Part 1

With daily revelations of new cyber threats and data breaches, business owners are looking to better understand and manage the risks and vulnerabilities that exist with their:

  • Information Technology (IT) Assets
  • Employees
  • Supply Chain Partners
  • Processes

They hear stories of the potential damage a breach can cause, but they struggle in understanding how it could happen to their company.

Business owners can no longer deny the problem and need to talk forthrightly with their IT management team by asking the right questions about their preparedness.

This post will cover the first five (5) questions business owners should be asking their IT managers about their cyber security posture. Be sure to read Part 2 for five more questions that are essential to the conversation.

1.Are you able to tell me about all of the communications occurring on our network right now?

With the plethora of devices employees bring to work (BYOD) and the surveillance cameras, thermostats, access control systems and sensors (IoT devices) connected to the corporate networks, few organizations understand what is actually communicating on their networks. Improving network visibility and monitoring network traffic are two proven steps to enhancing the security of your networks. These steps allow you to identify an attack early and minimize the amount of damage done.

 

“…the majority of IT managers cannot even identify 45 percent of the traffic… 84% agree that this lack of network visibility is a critical issue.”

2.How would we know if a rogue device was connected to our networks? Or attached to our wireless network?

The number of IOT and BYOD devices connected to corporate networks is expected to double again by 2020 placing even greater demands on corporate networks. Yet few organizations are able to inventory, track and control what devices are connected to their networks and identify rogue or unauthorized devices. The inability to control access is a significant problem in that an unauthorized device may be used to leverage access to other systems and sensitive materials. A few commonsense controls and monitoring at key locations can vastly reduce your risk while not encumbering your employees with Draconian measures.

3.How would we know if someone on our network sent out a sensitive list of our customers to a competitor?

Many organizations unknowingly allow their employees access to remote management software (i.e. TeamViewer or GoToMyPC), file-sharing programs (i.e. DropBox), messaging applications (Facebook, WhatsApp) and personal email accounts (i.e. Gmail) while connected to their company network. These tools can facilitate the leakage of sensitive information outside of your organization without you even knowing. Some business owners have a policy against the use of such programs but have no way to know for sure if these programs are being used. By monitoring and actively looking for these programs, business owners can more effectively stop the leakage of sensitive data.

4.What are the nature and types of cyber-attacks we are currently experiencing? How well are we catching/preventing them? How would we know if something got through our firewalls?

Nearly everyone has a corporate firewall in place and the hackers know it. That’s why they prefer to use other tactics like phishing, credential stuffing, and account hijacking to gain unauthorized access to your networks. With increasing sophistication, hackers use deception and social engineering to trick you and your employees into clicking on a link or accessing an infected website, bypassing your perimeter defenses. Once inside nothing is watching for telltale communications used by the malware to “check-in” with outside controllers or pivot and access to other internal systems. By continuously monitoring communications protocols and understanding the hackers’ techniques, latent malware can be detected and eradicated more quickly.

 

“Having tools that heighten detective or forensic capabilities can significantly reduce data breach cost.”

5.How do we protect sensitive information handled, stored, transmitted, or accessed by third-party vendors?

Nearly every business relies on a network of vendors, suppliers, advisors, consultants, and partners to perform their daily tasks. Very few have inquired as to what business information those 3rd parties maintain that you are responsible for and what steps they take to protect your information. Even fewer have written agreements assigning roles and responsibilities or creating the ability to audit the handling of your information. Would you want your supplier’s employees accessing your company network from their home computer? Or over a public network at the airport or coffee shop? More and more businesses will be asking you the same questions.

Next Steps

Every business owner needs to schedule a time to sit down and ask their IT management team these essential questions and decide on the level of risk they are willing to accept now and in the future.  If the answers are not what you expect, engage with a knowledgeable team of experts to help fill the gaps and get to an acceptable level of risk.

Be sure to read Part 2 for 5 more questions:
10 Cyber Security Questions Business Owners Should Ask Their IT Department (Part 2)