Common Myths About Cyber Security
High-profile breaches at Target, Home Depot, and JPMorgan Chase have put cyber security at the top of the agenda for companies large and small. Despite the ongoing “best practices” memos and much media commentary, consultant Adam Epstein of Third Creek Advisors argues that board members of small companies, and of others that are considering initial public offerings, are still stumped by persistent myths about this topic. Epstein, the author of a how-to book for corporate boards, provides us with the basics on what directors or managers think they know about cyber threats but really don’t. His free advice includes:
Cyber Breaches Are Preventable
1. In reality, they are not. Breaches are a matter of when, not if. Tom Ridge, known as a “security guru,” recently noted that your networks have likely already been breached. If Fortune 50 companies with nine-digit annual cyber security budgets can’t prevent breaches, neither can you. Successful cyber security should focus more on identifying the company’s “most prized possessions,” making it as difficult as possible for them to leave the building, and having a plan for post-breach resilience.
The IT Team Is On It
2. No, probably not. Unfortunately, cyber security is only partially an IT issue. It is also a matter of corporate culture, employee training, and physical security. You need to be concerned about disgruntled employees and your supply chain. This is one of the most common myths about cyber security. Never let your guard down and never take someone’s word that the issue is covered. Always have redundancy.
Cyber Theft is About Credit Cards
3. Not exactly. Cyber thieves have diverse goals, ranging from semi-benign mayhem, to espionage, to misappropriation, to terrorism. Credit card information is certainly a target, but so is personal information, intellectual property, strategy memos, customer lists, and other nonpublic information.
Always Disclose Cyber Incursions Immediately
4. While it is admirable to want to get out in front of breach incidents and voluntarily disclose them, this can sometimes put a board at a disadvantage. For example, in the Target breach, the size and nature of the crisis expanded with each press release. Malware can wreak further havoc. It is also often unlikely that the information received by the board about a breach will be 100% accurate and comprehensive, so be advised not to complicate a crisis by voluntarily misrepresenting it.
“No Worries, We’ve Got Insurance for This.”
5. A lot of “cyber coverage” results from a three-page application that barely addresses the quality and extent of your company’s computer-network architecture, physical and data security protocols, and corporate risk culture. Thus the resulting cover usually comes up short. Cyber policies usually exclude more than they cover. Make sure the policy is underwritten after an extensive, informed security assessment of your company, not just a completed standardized form.
These 5 common myths about cyber security provide valuable insight and should be used to review your small business’s own data protection process.