The Boy Scouts' famous motto – be prepared – could just as easily apply to IT consultants and their clients. Studies consistently show that having a cyber security policy is one of the most effective ways to reduce the cost and likelihood of a data breach or security incident.
The 2014 Cost of a Data Breach Study reports that companies can reduce data breach expenses by 17 percent if they…
- Have an incident response plan (i.e., documents that outline how the company will respond to a data breach).
- Designate an employee as the CISO (chief information security officer).
- Maintain a strong security posture.
It's worth pointing out how much the cost of a data breach is determined by human factors and not just the technology. In addition to installing the best IT for your clients, remember that 17 percent of their data breach expenses come from the company's approach to security. In order for your IT to be truly effective, a client may need to change their workplace culture.
As companies look to upgrade security this year, remind them it won't be enough to merely invest in secure technology. They'll also need a comprehensive cyber security policy.
What Your Clients Still Don't Get about Data Security in 2015
PricewaterhouseCoopers' 2015 Global State of Information Security survey reveals that significant gaps remain in data security. Many businesses still don't have basic data security procedures and training in place:
- Roughly 50 percent of companies don't have a security awareness training program.
- 25 percent of companies don't have a CISO (this number is probably much larger among your small-business clients).
Remember that these statistics aren't just numbers. They represent the unfortunate truth that many companies simply take their security for granted. In the news, we've seen some devastating examples of what happens when companies don't have a cyber security policy.
Forget about all the celebrity gossip surrounding the Sony Pictures hack – here's the real story. Executives were hacked because of how lax security was. Employees had emailed passwords to each other, and the company's most important data wasn't encrypted in secure locations.
Weak password standards, poor employee training, and imprudent data storage made it easy for hackers to break inside Sony's networks and take whatever data they wanted.
5 Things Your Client's Cyber Security Policy Needs to Have
While every company is different and should have a cyber policy customized to its risks, these five rules are a good starting point. Client cyber security policies should…
- Limit "access creep" and restrict data access only to necessary users. "Access creep" refers to users accumulating more and more access to data over time. This is a common problem because employees expand their roles and earn promotions, which leads them to gain additional access privileges without losing the old ones. Cyber security policies have to limit privileged user access so that data is only available to those who absolutely need it for their work. Regular audits of the network directory keep access slim and your risks limited.
- Have contact information and coverage details for the company's Data Breach Insurance. If your clients have Cyber Risk Insurance, they'll have coverage for some of the costs of a data breach. As with any insurance claim, it's vital to contact the insurance provider immediately if the client suspects their data has been breached.
- Institute data security training. Spear phishing attacks these days are sophisticated and tend to target small businesses (see: Re: Your Recent Spear Phishing Attack). That means your clients need to train their users on what a spear phishing email looks like and how they can avoid them.
- Have a plan that outlines what businesses need to do in case their data is breached. After a cyber attack, accidental disclosure, or other data breach, your clients will have to contact customers about the breach and follow their state data breach laws. Make sure your client's cyber security policy outlines their legal requirements after a breach (see TechInsurance's outline of State Data Breach Laws to learn more).
- Identify the company's data security personnel. A hazard of outsourcing all your IT is that you can forget that someone inside your organization needs to oversee data security practices, user training, and education. Cyber security policies should designate one person at the company to take the lead.
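One way to run the directory audit the first rule above calls for, as an added example and not a TechInsurance tool: each user's group memberships are compared against a role baseline, and any group that only a former role explains is flagged as access creep. The role names, group names and directory export below are constructed assumptions, not real data.

```python
"""Access-creep audit: flag directory groups a user only needed in a former role."""
from __future__ import annotations
from dataclasses import dataclass, field

# Hypothetical role -> baseline of groups that role legitimately needs (constructed).
ROLE_BASELINE = {
    "helpdesk": {"ticketing-users", "workstation-admins"},
    "sysadmin": {"ticketing-users", "workstation-admins", "server-admins"},
    "finance-clerk": {"erp-users", "payroll-readonly"},
    "finance-manager": {"erp-users", "payroll-readonly", "payroll-approvers"},
}

@dataclass
class DirectoryUser:
    name: str
    current_role: str
    groups: set[str]
    role_history: list[str] = field(default_factory=list)  # former roles, oldest first

def audit_user(user: DirectoryUser) -> tuple[set[str], set[str]]:
    """Return (excess, stale).

    excess: groups beyond the baseline for the user's current role.
    stale:  the part of excess that a former role explains, i.e. privileges
            kept after a promotion or transfer (classic access creep).
    Excess that no former role explains still needs a human to investigate.
    """
    needed = ROLE_BASELINE.get(user.current_role, set())
    excess = user.groups - needed
    former = set().union(*(ROLE_BASELINE.get(r, set()) for r in user.role_history))
    return excess, excess & former

def audit_directory(users: list[DirectoryUser]) -> dict[str, tuple[set[str], set[str]]]:
    """Map each user with findings to (excess, stale); clean users are omitted."""
    findings = {}
    for u in users:
        excess, stale = audit_user(u)
        if excess:
            findings[u.name] = (excess, stale)
    return findings

# Constructed sample directory export: bob was promoted twice and kept a helpdesk group.
SAMPLE_USERS = [
    DirectoryUser("alice", "finance-manager", {"erp-users", "payroll-readonly", "payroll-approvers"}, ["finance-clerk"]),
    DirectoryUser("bob", "finance-manager", {"erp-users", "payroll-readonly", "payroll-approvers", "workstation-admins"}, ["helpdesk", "finance-clerk"]),
    DirectoryUser("carol", "helpdesk", {"ticketing-users", "workstation-admins", "server-admins"}, []),
]

if __name__ == "__main__":
    for name, (excess, stale) in audit_directory(SAMPLE_USERS).items():
        print(f"{name}: excess={sorted(excess)} stale_from_former_role={sorted(stale)}")
```

Run on a real export, the "stale" set is the list to remove at the next access review; unexplained excess (carol's server-admins here) is the list to question.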
If you're looking for more resources to share with your clients, check out TechInsurance's Customer Education Packet. Use this free packet to teach clients what they need to do on a daily, weekly, and monthly basis to improve their security.