Cybersecurity: Employees pose the greatest risk

Most cyber attacks are caused by mistakes made by employees.
Photo: Fotolia

With almost daily reports of cyber attacks resulting in the theft of data, operational disruption and financial loss, more businesses are implementing risk strategies.

Success hinges on how well manufacturers engage their people.

Most cyber attacks are caused by mistakes made by employees as a result of ignorance or negligence.

You can’t prevent cyber attacks from ever occurring, but you can mitigate the impact following an incident by engaging everyone in the organization and taking these basic steps:

Engage senior management and the board. Risk managers ensure senior management and the board have all of the relevant facts to allocate resources for cybersecurity. Awareness will prepare them to respond quickly and accurately in the event of an attack and mitigate the potential for lawsuits alleging a breach of duty of car.

Invest in regular employee training. According to a study conducted by Wombat Security Technologies and the Aberdeen Group, increased investment in employee training reduces risks by 45% to 70%. Education and training should be frequent – at least twice a year. Test them on their ability to detect risks and follow the security protocol. Those who fail should undergo more training and their access limited.

Have clear cyber reporting protocols. Know when to report an incident and to whom, including when senior management and the board should be notified, as well as a regulator or law enforcement.

Create a vendor of record list of cyber incident experts. Include forensic, law, public relations, credit monitoring and insurance firms, and law enforcement. Companies covered by cybersecurity insurance may need to report the risk to the insurer as soon as possible to avoid being denied coverage for waiting until the breach is official. If a risk is “material” in accordance with the Canadian Securities Administrators’ guidance, organizations you’ll also need to report the risk to the public and decide who will make the public statement.

Supply chain management. Third parties including contractors, suppliers and distributors get access to information systems. Ensure their supply chains are secure. In the 2013 Target case, hackers stole network information from one of Target’s vendors and gained access to the retailer’s network where they stole customer data

Stipulate security requirements in their third-party contracts to co-ordinate effort internally and externally. Monitor and test third parties regularly to ensure they’re following requirements, such as having their own cybersecurity insurance. When a third-party relationship ends, so too does its access to the network.

Risks in the cloud. Many companies are investing in cloud computing to store data because it lowers costs and increases productivity. That doesn’t mean the data is secure. Cloud service providers offer their own security tools, but security of the data remains the responsibility of the organizationCarefully negotiate cloud agreements and assess security architecture, including the need to employ additional tools such as encryption, strong passwords and multifactor authentication to verify identity.

The standard for addressing cyber risks isn’t perfection, it’s diligence. Investing time and resources to prevent or mitigate a breach demonstrates diligence to the courts.

Imran Ahmad is a partner at the law firm Miller Thomson and practices in the areas of cybersecurity, privacy and technology law. E-mail iahmad@millerthomson.com or call (416) 597-6031. Ashley-Rose Gillespie is a lawyer practicing personal injury law at Gillespie Law Office. E-mail ashley@gillespielawyers.ca or call (905) 666-2221.