
Author:

Randall Davis

When asked to share a professional passion, Randall responds without hesitation: “Getting to the truth,” “Solving difficult problems,” “Teaming with smart people,” and “Challenging the corporate status quo.” Randall joined Risk International in 2002 and oversees its risk management practice. He’s smart and serious when it comes to risk strategy, insurance program optimization, quantitative modeling, competitive and organizational dynamics, business continuity planning, and enterprise risk management (ERM). And he’s rock-solid when it comes to delivering value to clients, having achieved an average return on investment of more than 1200% for them.

In our modern society, each of us is at an increased risk of becoming a victim of cyber crime. If you’re carrying a cell phone, surfing the Internet, using email and making purchases with a credit card, you are a target, in one form or another.

Companies of all kinds are at risk of cyber attack. While some organizations, such as retailers, banks and healthcare companies, are much more exposed to cyber crime due to the nature of their business, other industries are considered soft targets by criminals (which is exactly what cyber attackers are looking for), and the crimes can be detrimental to business.

For example, manufacturers are becoming a target of cyber criminals. The problem is that many manufacturing companies don’t take the threat seriously because they believe that cyber criminals are not interested in their Personally Identifiable Information (PII), as most manufacturers have far less exposure to PII losses than the companies in the news. Many companies are simply operating with a head-in-the-sand mentality regarding risk, and the longer they ignore the problem, the more catastrophic the results will be when they are hit by cyber criminals.

The real concern for manufacturers may not be loss of PII, but rather unauthorized access to critical business systems or intellectual property. In addition, many more manufacturing companies are linking their production systems via a public network. For example, many companies are now using ERP systems to control or support production. When a company’s inventory gets to a certain level, orders are automatically placed with a supplier for new raw materials. Many of these new linked systems are cloud-based, making their work more efficient, yet more vulnerable to cyber crime.

Tips for Minimizing Risk of Cyber Crime:

1. Assess where your company is most exposed.

If you are a CEO, you need to have someone on staff, such as a chief information officer, who can identify and evaluate your company’s cyber risk.

Ask your CIO what the impacts of a cyber attack are, and if you haven’t done so yet, develop a plan to address each identified risk. Develop a process to inform company leadership on the business impact of cyber risk.

2. Find the best cyber security program for your company.

There are many industry standards and best practices available when it comes to cyber and information security, such as NIST and COBIT. But one standard does not fit all companies and levels of exposure. In order to find the cyber security program that’s right for your company’s circumstances, recognize and study the standards, and then apply the best one.

3. Determine your company’s crisis point.

Think about the types of cyber activity your company is currently experiencing. What types of cyber incidents do you detect, and how many of them occur in a given week? Use this information to determine the threshold that will cause you to notify leadership that there’s a crisis.

4. Ensure that your cyber incident response plan is aligned with your business continuity plan.

Integrate your IT, disaster recovery or cyber incident response plan into your overall business continuity plan. The next step would consist of integrating that into your company’s overall enterprise risk program.

5. Insure cyber risks as appropriate.

The insurance market is rapidly changing in this area, and some insurance policies are better than others. For non-traditionally-exposed industries, the key coverage isn’t reimbursement for PII loss notification. Rather, the critical coverage is business interruption from a cyber event.