Half of Fortune 500 companies would face “serious harm” or be “adversely impacted” by a cyber-attack. The greatest perceived harms are loss or theft of confidential information, loss of reputation and direct loss from malicious acts (hackers, virus), according to the Willis Fortune 500 Cyber Disclosure Report. The report was compiled from information the Securities and Exchange Commission requires publicly traded companies to disclose.
A “cyber-attack,” is gaining or attempting to gain unauthorized access to a computer system or its data. It can also be unwanted disruption to a network (denial of service attack) or installation of malicious code (virus, malware, etc).
Despite the significant risks posed by cyber-attack, just more than half of the Fortune 500 companies admitted to having protective technical solutions in place, and 15% also indicated they do not have the resources to protect themselves against critical attacks, the report said. This, even though directors of publicly traded companies could face liability for not properly protecting companies from cyber-attack.
What does this mean for privately held businesses? Cyber-attacks are a real danger that could cause significant monetary and reputational damage to a company. So, as with any perceived risk, the best practice is to allocate resources to understand the threat and prevent what you can.
Here are some steps every business could and should take to prevent cyber-attacks and mitigate the risks:
-
Have firewalls, anti-virus and other security measures in place at the company level (servers) and on laptops, smartphones and other devices that access company servers or client information.
-
Use passwords to prevent unauthorized access to company networks, including wireless routers.
-
Have company policies about security on personal devices and what information can be shared via social media. This is a complex area with implications in both technology and employment law.
-
Don’t forget about your copier. It has a hard drive that needs to be wiped when selling it or trading it.
-
Choose passwords carefully. The best ones don’t have any connection to your life, including old addresses, family birthdays, anniversaries, pet names, sibling names or other information that could be found on the public record.
-
Change passwords frequently. Do not write them down and keep them in your desk drawer or under your keyboard.
-
Keep software properly updated, especially for privacy or security updates.
-
Be aware of what information you are sending on public or unsecured networks. Do not use public computers or wifi hotspots for transmitting sensitive information or transactions.
-
If your company sends wires electronically or stores financial information, consider using a dedicated computer for these tasks that is disconnected from the company’s network and turned off when not in use.
-
Investigate the privacy and security policies of vendors and other partners. Here is more detailed information on vetting cloud computing providers.
-
Be careful about emails from banks or other companies that ask you to click a link and sign on. These may be a “phishing” emails, where internet fraudsters impersonate a business to trick you into giving out your personal information. Don’t reply to email, text, or pop-up messages that ask for your personal or financial information. Don’t click on links within them either – even if the message seems to be from an organization you trust. It isn’t. Legitimate businesses don’t ask you to send sensitive information through insecure channels. For more information, check out the Federal Trade Commission.
-
Be careful about what information you share on social media. Fraudsters have evolved to sift through company and employee social media accounts to use publicly available information to make phishing emails seem more credible. The email may be personalized instead of “Dear Sir” and reference a recent transaction you made or conference you attended. This is called “spearfishing.” It may have caused a security breach at the Associated Press that allowed the AP Twitter feed to be hacked. (The resulting Tweets that were sent on the AP Twitter feed caused a short-term stock market dip.)
-
Investigate whether cybersecurity insurance makes sense for your business.
-
Know what your liabilities are if your systems are breached. Do you need to notify any governmental agency or customers?