So you suspect — or worse, you’re sure — your business has experienced a data breach.
To help answer that question for local business and community leaders, insurance brokerage and consulting firm Sterling Seacrest Partners, Inc. assembled a panel of industry experts Thursday in the Savannah Morning News auditorium to share ways to plan for and mitigate cyber risk as well as how to respond when a breach occurs.
The panel — Tyler O’Connor, a founding member of CRC Insurance Services’ Cyber and Technology Risk group; Bryan F. Thornton of Net Reaction, LLC, a Nashville-based information security planning firm; and Diana McKenzie, chair of HunterMaclean’s Technology and Outsourcing practice — fielded questions from moderator Ryan Sewell of Sterling Seacrest and the audience.
Among the panel’s advice:
The best way to deal with a cyber breach is long before it happens.
“If a breach happens and your first response is to get your management team together with your legal counsel and call me to formulate a plan, you have lost control of this incident and you will not regain it,” Thornton said. “You are either prepared before it happens or you will be prepared next time.”
“In our current economy, no business operates as an island,” he said. “Everyone, from vendors to source providers, is interconnected; so, even if a breach occurs above or below you in the chain, it’s still something you have to deal with.”
Sewell pointed out that cyber insurance shouldn’t care who caused the breach or how it occurred.
“Over 50 percent of breaches happen when smart people make stupid mistakes inside the organization,” he said. “You may not find out about it until later.
“Then there are rogue employees, actual hacks or it may be that an upstream vendor has been breached and, as a result, you are breached. A proper policy shouldn’t care how the breach occurred, it should just respond.”
One issue with cyber security, Thornton said, is that people tend to assume the internet is fully evolved, but that’s not even close.
“Just look at password security,” he said. “For starters, 70 percent of people use the same password for everything. But here’s the situation in America today. Computing power has moved to an extent where, if your password is eight characters or less, involves any word or proper noun in any dictionary followed by either a numeral or special character, I can try every possible combination of those in less than one second.”
Hacking into hospital records is a particularly lucrative cyber crime, and it happens millions of times a day, McKenzie said.
“You get more money on the black market for hospital records than any other. Think of how valuable it is to be able to pretend you’re someone else if you don’t have medical insurance.
“There is a lot of valuable data out there and it’s getting easier and easier to access.”
According to the 2017 Cyber Incident and Breach Response reported by the Online Trust Alliance, the true number of incidents is “over 20 times that of consumer data breaches publicly reported.” More than 82,000 incidents were documented last year, but the real number could in fact exceed 250,000.
McKenzie said one of her favorite quotes is from former FBI Director James Comey, who said, “There are two kinds of companies — those that have been hacked and those that just don’t know they’ve been hacked.”
So, what’s a company supposed to do?
All three panelists agreed that advance preparation is the key.
“It’s no different than holding fire drills, which every company does,” McKenzie said. “You need to know what your protocol is before the building catches on fire. Otherwise, you waste precious time trying to decide what to do.”
Panelists also noted the importance of investing in a cyber liability insurance policy, which provides multiple resources to a business should a breach occur. Specifically, they said, it allows a business to respond in a matter of minutes and hours rather than days or weeks.
ABOUT STERLING SEACREST
Sterling Seacrest Partners, Inc. is a privately held insurance brokerage and consulting firm serving a wide range of clients with complex property, casualty, employee benefit and personal insurance needs. For more information, visit www.sterlingseacrest.com.