6.If you suspected an intrusion in our network, how would the process work to remediate and who would make the decisions on what we should do?

All 50 states have breach notification requirements some with as little as 72 hours before significant penalties kick in. However, few businesses have an adequate plan in place to identify a system security breach and know what to do next. The IT department will rush to fix the problem possibly destroying important evidence pointing to the identity of the culprits and likely not finding the root source of the problem. Who will you call for help? Jumping the gun can be costly too if experts determine there was no incursion. A football team wouldn’t walk onto the field without a playbook, yet the folks that are managing your livelihood may be acting without a plan.

7.If an attack resulted in an outage, how long would it take to be fully functional with the affected systems?

If ransomware from an accidentally clicked phishing email was to encrypt the hard drives of your key systems and you were unable to process orders for days or weeks, how much would that cost you? It cost FedEx and its European affiliate, TNT Express, $300 million and resulted in a damaged reputation and lost business. The CEO said the attack “posed significant operational challenges”.

What “operational challenges” are you willing to accept?

8.How do we stay current on the cyber risks we face in our industry and the marketplace?

In 2005, researchers estimated that a new virus was created every 12 minutes. In 2015, they estimated that 4 pieces of malware were created every second. Experts believe antivirus software, although necessary, is still only typically 40% to 60% effective. With sophisticated nation-states, foreign intelligence services, organized crime syndicates, foreign universities and others actively pursuing American businesses, having access to up to date information and cybersecurity expertise in identifying the tactics, techniques, and procedures (TTP) of these adversaries is key to being successful. Most businesses try to do it on their own and often fail as a result.

9.Do we have cyber insurance to cover us if something was to happen? What would it cover? What would it not cover?

Cyber insurance is an important tool to transfer some of your cyber risk to a 3rd party but it doesn’t cover everything and it may cover nothing. Policies and coverage vary from carrier to carrier. There are few standards and evolving case law in how policies are interpreted. A detailed analysis of the amount and the types of coverage that you maintain, and how they work in conjunction with your other insurance policies is critical to analyze. Additionally, look to see who manages an “incident” if one is declared. It may not be you – even though it’s your business.

10.How do we know that the money we are spending is being used most effectively to secure the organization?

Businesses have rushed to improve their security by purchasing expensive technology and software, expecting that “it” will protect them from these adversaries. While these tools may have a role, their effectiveness may wane quickly as new attacks arise while costs continue to mount. A periodic thoughtful discussion with your IT management team and knowledgeable outside experts covering topics such as: current risks, the evolving threat environment, your current security posture, current capabilities (technology and people), future business requirements and the effectiveness of your security program will help you better prioritize needs and make more effective decisions.

1.Are you able to tell me about all of the communications occurring on our network right now?

With the plethora of devices employees bring to work (BYOD) and the surveillance cameras, thermostats, access control systems and sensors (IoT devices) connected to the corporate networks, few organizations understand what is actually communicating on their networks. Improving network visibility and monitoring network traffic are two proven steps to enhancing the security of your networks. These steps allow you to identify an attack early and minimize the amount of damage done.

2.How would we know if a rogue device was connected to our networks? Or attached to our wireless network?

The number of IOT and BYOD devices connected to corporate networks is expected to double again by 2020 placing even greater demands on corporate networks. Yet few organizations are able to inventory, track and control what devices are connected to their networks and identify rogue or unauthorized devices. The inability to control access is a significant problem in that an unauthorized device may be used to leverage access to other systems and sensitive materials. A few commonsense controls and monitoring at key locations can vastly reduce your risk while not encumbering your employees with Draconian measures.

3.How would we know if someone on our network sent out a sensitive list of our customers to a competitor?

4.What are the nature and types of cyber-attacks we are currently experiencing? How well are we catching/preventing them? How would we know if something got through our firewalls?

Nearly everyone has a corporate firewall in place and the hackers know it. That’s why they prefer to use other tactics like phishing, credential stuffing, and account hijacking to gain unauthorized access to your networks. With increasing sophistication, hackers use deception and social engineering to trick you and your employees into clicking on a link or accessing an infected website, bypassing your perimeter defenses. Once inside nothing is watching for telltale communications used by the malware to “check-in” with outside controllers or pivot and access to other internal systems. By continuously monitoring communications protocols and understanding the hackers’ techniques, latent malware can be detected and eradicated more quickly.

5.How do we protect sensitive information handled, stored, transmitted, or accessed by third-party vendors?

Nearly every business relies on a network of vendors, suppliers, advisors, consultants, and partners to perform their daily tasks. Very few have inquired as to what business information those 3rd parties maintain that you are responsible for and what steps they take to protect your information. Even fewer have written agreements assigning roles and responsibilities or creating the ability to audit the handling of your information. Would you want your supplier’s employees accessing your company network from their home computer? Or over a public network at the airport or coffee shop? More and more businesses will be asking you the same questions.