In today's data-driven world, no organization, large or small, is immune from the threat of cybercrime.
Consider the following statistics:
- Data compromises increased 72% in 2023 over the previous record year, according to the Identity Theft Resource Center's annual data breach report.
- IBM reports that the average cost of a data breach soared to $4.45 million in 2023, the highest average in history.
Despite these alarming numbers, many financial executives still view cybersecurity as an IT issue. However, responding to cybersecurity breaches involves multiple stakeholders and diverse decision-making processes, and often requires expertise from external sources.
To overcome these challenges, organizations need to take a proactive and pragmatic approach to cybersecurity, recognizing that it is not a matter of if, but when, a breach will occur. Cultivating a culture that prioritizes cybersecurity preparedness is important, but knowing where to start can be difficult.
To help guide organizations in taking appropriate steps, CBIZ recently held a seminar in Kansas City titled “Cybersecurity Trends Lessons and Recommendations.” Moderated by Tiffany Garcia, Managing Director of CBIZ Cybersecurity Services, the seminar featured insights from the following panelists:
- Kayleigh Shuler, Cybersecurity Attorney, Polsinelli
- David Mauer, Director of Information Security, Children's Mercy Hospital
- Sean Mackey, Chief Operating Officer, Net Standard
The panelists shared strategies for preparing for cyberattacks, partnering with legal counsel to respond effectively, and managing cloud-based and AI risks. By applying this guidance, organizations can strengthen their defenses and reduce their exposure to cyber threats.
How to prepare for a cybersecurity incident
To prepare for a cybersecurity incident, organizations must consider the business impact beyond their systems. Mackey recommends conducting a comprehensive risk analysis or a crisis simulation (tabletop exercise) to identify vulnerabilities. This helps you create a clear response plan and identify key external partners, such as incident response firms, who can assist with containment, investigation, and your backup and recovery strategy.
He pointed out that with a clearly defined plan, the risk from even complex attacks can be kept to a minimum. Teams that work long hours and field constant requests for updates during an incident quickly learn the value of predetermined procedures and clear decision-making frameworks.
It is also important to engage a cyber insurance carrier in advance so that you can respond quickly when an incident occurs. Such coverage often includes access to breach counsel, which helps ensure that the proper steps are followed to preserve attorney-client privilege and minimize liability.
Collaboration with legal personnel during cybersecurity incidents
When a cybersecurity incident occurs, it is important to work closely with your legal team from the beginning. This means open communication with your attorney, structured so that those discussions remain privileged in any future litigation.
For example, after a disruptive incident, an organization may need to communicate with affected employees and customers. Legal involvement is essential to this communication. However well-intentioned, organizations should avoid prematurely labeling an incident a "breach" in public statements or on social media, or assuring customers that their data was not affected, before a legal determination has been made. Over-communication can make matters worse and lead to pushback from service providers. Legal guidance ensures that messaging is truthful and prudent, especially in highly regulated sectors such as healthcare, and takes into account potential obligations to notify affected individuals and regulatory bodies.
Strategies to address cybersecurity risks
Mauer emphasized that while basic cybersecurity measures provide a good foundation, cybercriminals are constantly evolving with technology, and a more nuanced approach is needed to protect systems.
Cloud-based cybersecurity strategy
Increasing reliance on cloud services creates challenges in protecting sensitive data. However, best practices can help companies overcome these hurdles.
Cloud storage simplifies data management but introduces security risks. Knowing where your data resides, and the risks associated with each location, is key to proper mitigation. Do not assume the cloud is inherently secure. Evaluate the vendor's security practices and its incident response protocols to close security gaps.
It is also important to recognize that cloud security starts with understanding the shared responsibility model: which data protection and breach notification duties the provider takes on, and which remain with you. Strong controls to prevent unauthorized data movement out of cloud environments, such as restricting egress and monitoring bulk downloads, are equally important.
Strategies to address AI risks
Once a source of fear, AI is now a common technology. While offering great benefits, it also empowers cyber criminals. As federal AI regulations continue to evolve, organizations are establishing their own governance frameworks. However, the question remains: how can we harness the potential of AI while mitigating AI-related cyber threats?
Shuler highlighted the increasing use of AI by cybercriminals to create sophisticated attacks, such as personalized phishing emails that mimic trusted voices. There are also concerns about the security of data entered into AI chatbots. She advises organizations to critically evaluate their own AI practices. What happens to the data fed into these systems? Is sensitive input properly filtered and protected?
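One concrete answer to "Is sensitive input properly filtered?" is a pre-prompt filter that detects and redacts sensitive identifiers before text leaves the organization for an external AI service. The following is an added illustration, not code from the seminar or from CBIZ; the patterns, the data classes chosen, the blocking policy and the sample prompt are all constructed assumptions that would need tuning to your own data classification.

```python
"""
Illustrative pre-prompt filter (added example, not from the seminar or CBIZ).
Redacts common sensitive identifiers before a prompt is sent to an AI service.
The patterns and sample inputs are constructed; extend them to your own data classes.
"""
import re
from dataclasses import dataclass, field

# Constructed patterns for a few sensitive data classes (assumption: not exhaustive).
PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # Candidate payment card number, 13-19 digits with optional separators;
    # confirmed with a Luhn check so order numbers are not over-redacted.
    "CARD": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
    # Shapes of two common secret formats (assumed here for illustration).
    "API_KEY": re.compile(r"\b(?:sk-[A-Za-z0-9]{20,}|AKIA[A-Z0-9]{16})\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from numbers that merely look like one."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class FilterResult:
    text: str                                   # redacted prompt, safe to forward
    findings: dict = field(default_factory=dict)  # data class -> number of hits

    @property
    def blocked(self) -> bool:
        # Policy assumption: any finding is reported so a reviewer can decide
        # whether the redacted prompt may still be sent.
        return bool(self.findings)


def redact(text: str) -> FilterResult:
    """Replace each sensitive match with a labelled placeholder and count hits per class."""
    findings: dict = {}
    for label, pat in PATTERNS.items():
        def _sub(m, label=label):
            raw = m.group(0)
            if label == "CARD" and not luhn_ok(re.sub(r"\D", "", raw)):
                return raw  # fails Luhn: treat as an ordinary number, leave it alone
            findings[label] = findings.get(label, 0) + 1
            return f"[{label} REDACTED]"
        text = pat.sub(_sub, text)
    return FilterResult(text, findings)


if __name__ == "__main__":
    # Constructed sample prompt an employee might paste into a chatbot.
    sample = ("Summarize this ticket: Jane Doe, SSN 123-45-6789, paid with card "
              "4111 1111 1111 1111 on order 1234 5678 9012 3456, contact jane.doe@example.com")
    result = redact(sample)
    print(result.text)
    print(result.findings, "blocked" if result.blocked else "clean")
```

The Luhn check matters in practice: a naive 16-digit pattern would redact order numbers and phone numbers and train staff to ignore the filter. Pair a filter like this with an allow-list of approved AI tools and with logging of what was redacted, so the governance program described below has evidence to review.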
Privacy must be a key consideration when implementing AI solutions. If a breach occurs, it is important to determine whether the AI tool in use was at fault, which could be the result of a misconfiguration. Vendors that provide these tools may have a legal obligation to notify customers of incidents, such as breaches, that put data stored within the tool at risk, and that data may include sensitive employee personnel information.
Consider both security aspects and contractual agreements when integrating such tools. Consider opportunities to shift some legal responsibility to service providers to minimize the burden on your organization when an incident occurs.
While blocking AI tools within your organization may seem like an attractive solution, it is not necessarily the most effective approach. Employees will find ways to use AI regardless, and it can drive positive outcomes. The better response is to deploy AI responsibly: proactively establish the policies, procedures, and frameworks that govern its use, subject every AI tool to a thorough assessment against best-practice security standards, and apply those standards consistently throughout implementation.
Cybersecurity strategies to keep in mind
At the end of the seminar, panelists and moderators shared parting advice for organizations beginning their cybersecurity journey.
David Mauer
Establish a cybersecurity risk register, whether in a simple spreadsheet or a comprehensive risk management system, to track cyber threats. Focus first on risks that are high impact but can be mitigated with minimal operational disruption. The register tracks each risk over time and records its likelihood, potential impact, and mitigation strategy, strengthening your security posture as items are closed.
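To make the "high impact, minimal operational disruption" rule mechanical, a register only needs a few numeric columns and a sort order. The example below is added here to illustrate that, and is not code from the seminar, the panelist or CBIZ; the 1-to-5 scales, the severity-per-effort weighting and the sample entries are constructed assumptions.

```python
"""
Added example (not from the seminar or CBIZ): a minimal cyber risk register
with a scoring rule that surfaces high-impact risks that are cheap to mitigate.
The entries, scales and weighting below are constructed assumptions.
"""
import csv
import io
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    id: str
    title: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)
    effort: int       # operational cost of the mitigation, 1 (trivial) .. 5 (disruptive)
    mitigation: str
    owner: str
    status: str = "open"

    @property
    def severity(self) -> int:
        return self.likelihood * self.impact

    @property
    def priority(self) -> float:
        """Severity per unit of effort: high impact and low disruption float to the top."""
        return self.severity / self.effort


# Constructed sample register, as a spreadsheet export might look.
SAMPLE_CSV = """id,title,likelihood,impact,effort,mitigation,owner,status
R-1,Phishing leading to credential theft,5,4,2,Enforce phishing-resistant MFA,IT Security,open
R-2,Unpatched internet-facing VPN appliance,4,5,2,Patch within 7 days; watch vendor advisories,Infrastructure,open
R-3,Backups reachable from production domain,3,5,3,Isolate backups with separate credentials; test restores,Infrastructure,open
R-4,Legacy ERP cannot support TLS 1.2,2,3,5,Segment the ERP network; plan replacement,Applications,accepted
R-5,Shared admin password on badge system,3,2,1,Rotate and store in a vault,Facilities,open
"""


def load_register(text: str) -> list[Risk]:
    """Parse a CSV export into Risk records, rejecting scores outside the 1..5 scale."""
    risks = []
    for row in csv.DictReader(io.StringIO(text)):
        r = Risk(
            id=row["id"], title=row["title"],
            likelihood=int(row["likelihood"]), impact=int(row["impact"]),
            effort=int(row["effort"]), mitigation=row["mitigation"],
            owner=row["owner"], status=row["status"],
        )
        for v in (r.likelihood, r.impact, r.effort):
            if not 1 <= v <= 5:
                raise ValueError(f"{r.id}: scores must be 1..5, got {v}")
        risks.append(r)
    return risks


def prioritize(risks, min_impact=4, max_effort=3):
    """Open risks that are high impact but cheap to fix, best priority first."""
    picked = [r for r in risks
              if r.status == "open" and r.impact >= min_impact and r.effort <= max_effort]
    return sorted(picked, key=lambda r: (-r.priority, -r.severity, r.id))


def heat_map(risks):
    """Count of risks per (likelihood, impact) cell, the usual board-level summary."""
    grid = {}
    for r in risks:
        key = (r.likelihood, r.impact)
        grid[key] = grid.get(key, 0) + 1
    return grid


if __name__ == "__main__":
    register = load_register(SAMPLE_CSV)
    for r in prioritize(register):
        print(f"{r.id} priority={r.priority:.1f} severity={r.severity} "
              f"owner={r.owner}: {r.mitigation}")
```

Accepted risks (R-4 above) stay in the register with their rationale but drop out of the work queue, which is the point of tracking status over time rather than deleting rows; re-run the prioritization after each quarterly review so newly raised likelihoods reorder the list.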
Kayleigh Shuler
Delete unnecessary data. Work with legal and operations departments to determine data retention needs. Eliminate what is not essential. Less data means less loot for attackers.
Sean Mackey
Create a written response plan and store it where it can be reached easily, including a copy kept outside the systems it covers, since those may be the ones that are down. There are plenty of free resources to help you get started, so cost should not be a barrier. You do not need to achieve perfection right away, but it is important to start the process; that keeps you moving in the right direction.
Tiffany Garcia
Invest in staff training, recognizing that human error is often the weakest link in cybersecurity. Despite advanced technology and multiple layers of security, these measures become ineffective when individuals within an organization overlook cybersecurity or fail to recognize its relevance.
How CBIZ can help
Ready to strengthen your cybersecurity defenses? CBIZ's team of cybersecurity experts can provide a strategy tailored to your unique needs. From consulting and assessments to risk management and compliance services, including SOC, HIPAA, and PCI DSS reporting, we are here to help. Contact us today to learn more and protect your organization from cyber threats.
Copyright © 2024, CBIZ, Inc. All rights reserved. The contents of this document may not be reproduced without the express written consent of CBIZ. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting, or other professional advice. Readers are encouraged to consult their tax professional before taking any action based on this information. CBIZ assumes no responsibility for the use of this information and does not undertake any obligation to inform readers of changes in tax laws or other factors that may affect the information contained herein.
CBIZ MHM is the brand name of CBIZ MHM, LLC. CBIZ MHM, LLC is a national professional services firm providing tax, financial advisory, and consulting services to individuals, tax-exempt organizations, and a wide range of public and private companies. CBIZ MHM, LLC is a wholly owned subsidiary of CBIZ, Inc. (NYSE: CBZ).