Strategic Cost-Saving Opportunities Volume II | Page 8

Protecting Your System from Intruders

Guarding your company’s data requires a continual focus on five core functions, according to a set of industry standards and best practices developed in part by the National Institute of Standards and Technology (NIST). These six functions require your company to:

1. Identify the risks your business faces, and ascertain the cybersecurity approach that reflects the company’s overall needs and risk management strategy.

2. Protect your company’s infrastructure by limiting or containing security breaches. One crucial part of this function is to ensure that you’re keeping up to date with the patches, the fixes and the latest release of your software, says Tony Munns, Partner in Charge, IT Audit and Security Services at Brown Smith Wallace. Businesses, particularly those with a relatively small team in charge of cybersecurity, may want to work with outside vendors to perform external penetration tests and internal vulnerability assessments of the company’s systems to identify overlooked entry points.

3. Detect attacks in a timely manner. Hackers may quietly slip past your system’s defenses – and you might not immediately know that they’re inside. “Cyberattackers are being much more stealthy. The amount of time they’re actually resident in your systems is increasing,” Munns says.

4. Prevent data exfiltration by deploying data leak prevention tools that block the copying and loss of critical files outside of the organization. Anthem learned the value of these tools the hard way.

5. Respond appropriately to breaches when they occur by having a comprehensive and tested incident response plan. This includes limiting the damage from an attack and improving your defenses.

6. Recover from an attack, which may require communications strategies to disclose information about the attack and a public relations campaign to repair the company’s reputation.

To the degree that it would reduce your risk while remaining cost-effective, your company should develop “an organization-wide approach to managing cybersecurity risk that uses risk-informed policies, processes and procedures to address potential cybersecurity events,” according to the NIST framework. In a recent survey of more than 500 corporate risk professionals, most said that their IT departments were tasked with the primary responsibility of leading their companies’ information security risk management. However, IT should not bear this responsibility alone. Consider creating a team from across your company that also includes members from legal, human resources, sales and risk management, as well as your CIO. Also discuss with your corporate legal counsel your company’s regulatory obligations for protecting data, such as HIPAA or GLBA. Your responsibilities will vary depending on your location and your industry. For a video overview of the key steps to mitigate the risk of a cyberattack, see the accompanying video.