Cybersecurity and risk management go hand in hand

Recently Paul Bornemann, vice president of consulting for Entre Computer Services, was at a Disney store in Orlando when he got a heads-up text from a friend that said it appeared one of his personal social media accounts had been hacked. Thankfully his account was not compromised.

However, the situation is a good reminder that anyone can have their information penetrated at any time and the potential impact can be devastating, especially for businesses.

“It’s not a matter of if you’ll get attacked, but when,” Bornemann said. “The bad actors and hackers used to be bored college kids and now they’re professional cyber criminals that present real risk to your brand and dollars.”

Baking in risk management

One of the big ways businesses can protect themselves from security breaches is to integrate cybersecurity into all aspects of their risk management.

“Risk management has to be baked into everything you do,” said David Wolf, vice president of Just Solutions, Inc., a provider of managed IT services with offices in Rochester and Buffalo. “It has to be part of your culture.”

Making risk management part of our culture begins with acknowledging that cybersecurity must go much deeper than simply protecting a laptop or email account. Ultimately, we are protecting a company’s reputation, brand, assets, customers and employees.

“It’s not only computers, servers, applications and data; it’s also cell phones, smart home devices and the technology in cars and appliances,” Bornemann said.

“Today more systems are connected to the internet and each other than ever before ‑ this all creates cybersecurity risk along with the many benefits this connectivity brings.”

When Bornemann is working with a client he assesses the severity of each risk (ex. a ransomware attack) by gaging how likely it is to occur and how significant the impact might be (the average payout for a ransomware attack is 1.2 million, he said); evaluating how each risk fits within the company’s risk appetite; prioritizing the risk and deciding how to respond to it.

“There are four choices to respond to the risk: Treat it, typically by implementing security controls; tolerate it; terminate it by avoiding the risk entirely by ending or completely changing the activity causing the risk; or transferring the risk to another party by outsourcing or obtaining insurance,” Bornemann said.

Outsourcing the risk

Wolf, who has worked in the field for 35 years, is a proponent of outsourcing IT services in general.

“I’m not a big fan of in-house IT services because you want objectivity,” Wolf said. “If you do have IT in-house then someone should also be auditing and assessing their work. It’s a very good idea to have checks and balances.”

Wolf also suggests companies make sure that any IT firms or professionals they contract with have their own monitoring services in place.

“Providers should be protected as well,” Wolf said. “Our systems are being monitored too. Companies shouldn’t assume their vendors are doing a good job with their own cybersecurity either; up and down the supply chain should be looked at.”

Andrew Gleasman, director of business development for CETech, a Rochester-based IT support company, points to the dramatically increased level of responsibilities in-house IT professionals have faced during the past few years in part due to the COVID-19 pandemic shifting the physical nature of the workplace to often include remote locations.

“It has gotten more complex that one person can handle,” Gleasman said. “Augmented IT is an important service because sometimes IT professionals don’t get enough support in their own company.”

All the cybersecurity experts interviewed here made it clear, though, that cybersecurity risk prevention should never fall solely on the IT professional or department, whether in-house, outsourced or both. Staff should be trained in cybersecurity threats and trends, encouraged to verify anything suspicious and not be ashamed to report any incidents to their IT leader.

“IT security is everyone’s responsibility,” Gleasman said. “We can put all the hardware and software policies and protection in place, but if you don’t train your employees about the threats, they won’t work.”

While a security breach can have detrimental consequences to all businesses, it can be particularly damaging to smaller ones. Small to mid-sized businesses account for 60% of all cyberattacks.

“Bigger businesses can try to weather the storm, but small to moderate businesses can go out of business because of a breach,” said Wolf, who also notes cyberattacks happen to businesses of all sizes in the Rochester area daily, but rarely make the news because companies are embarrassed and don’t want the bad publicity.

A seat at the table

Experts also say it is paramount for businesses to consult their security leaders on most decisions.

“If you’re not talking to your cybersecurity team you might be making changes that put you at risk,” said Michael Wurz, security team lead for ProArch, a global company with a Rochester office, specializing in cloud, infrastructure, data analytics, cybersecurity, compliance, and software development.

He recommends consulting with the IT department whenever purchasing a new piece of equipment that connects to the internet, buying a new piece of property with electronic locks, or acquiring a company and selecting vendors.

“There’s not much in business today where you don’t need IT involved,” Bornemann said. “IT should be looked at as enabling and not as the problem.”

IT also plays a crucial role in making sure a company upholds the requirements of their cybersecurity insurance policies, the SHIELD Act New York and other regulatory policies related to private information and cybersecurity.

“Cyber liability companies want to see companies follow best practices and have frameworks for cybersecurity,” Bornemann said. “They want people to be accountable and are not willing to insure you without these basic things in place because the risk is too high.”

SHIELD (which stands for the Stop Hacks and Improve Electronic Data Security Act) went into effect in March 2020. It applies to businesses of all sizes and imposes significant data security requirements on any business that owns or leases the private information of New York residents.

To comply with SHIELD, a business must have completed a risk assessment, be assigned an information security officer, and have created a written information security plan accompanied by administrative policies and physical and technical controls.

“If you aren’t following proper procedures you’ll face fines, penalties and reputational consequences,” Wurz said. “It highlights the need for cybersecurity and a lot of businesses saw it and said, ‘We need to get our ducks in a row now.’.”

Experts are constantly looking ahead and trying to get ahead of cybersecurity threats — something they expect will only continue to grow in the year ahead.

“Changes in the IT field have been fast and furious and you have to be two steps ahead of the cybercriminals,” Wurz said. “Threats have exponentially grown across every industry right now and it’s a critical time not just for security leaders, but everyone in business.”

Caurie Putnam is a Rochester-area freelance writer.