Managing your organization’s cyber security
Organizations continue to expand their use of technology. Whether it is posting pictures through social media, electronic signatures or utilization of third-party vendors for managing data resources, it is vitally important that you take steps to manage the risks that come with the expanding opportunities technology offers.
If you utilize third-party organizations to support your data management, be sure to conduct your due diligence. According to The National Institute of Standards and Technology (NIST) Roadmap for Improving Critical Infrastructure Cyber security, not all critical infrastructure organizations have a mature program and the technical expertise in place to identify, assess, and reduce cyber security risk. Many have not had the resources to keep up with the latest cyber security advances and challenges as they balance risks to their organizations.
Research provides three opportunity areas to help support a camp cyber security loss control program.
1. Conduct due diligence on all third-party vendors
Mitigating and Managing Vendor Security Risks – Outsourcing to third-party vendors means increased benefits and increased vulnerabilities without sound security and risk strategies
- Conduct due diligence on all third-party vendors
- Maintain a Written Information Security Program (WISP)
- Strengthen password protection to reduce vulnerability
suggests, at a minimum, an organization should obtain the following information as part of its due diligence process:
2. Maintaining a Written Information Security Program
- References and experience
- Financial information
- Security expertise of its personnel
- Background checks on it personnel, if required by applicable law
- Specific means and methods used to protect data, including privacy and security policies
- Any past privacy or security-related complaints or investigations
- Audit reports or security testing by your company or independent third parties
- Security incident response policies, including assurances that security incidents will be communicated promptly if systems or data are potentially compromised
- Contractual assurances regarding security responsibilities and controls
- Nondisclosure agreements covering company systems and data
Outlining how you want to manage your organization’s technology helps establish a framework for your staff to follow. This is where a Written Information Security Program (WISP) can be effective.
Combating cyber risks with a Written Information Security Program
provides that a WISP should include the following:
3. Strengthen password protection to reduce vulnerability
- Designation of one or more employees to maintain the WISP
- Identification and assessment of reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any records containing personal information
- Identification of locations where personal information is stored (e.g. paper records, electronic records, computer systems, and portable devices)
- Limitations on the amount of personal information collected, the time such information is retained, and access to such information for those persons who are reasonably required to know such information
- Implementation of ongoing employee training
- Imposition of disciplinary measures for violations of WISP rules
- Verification and contractual assurances that third-party service providers are capable of protecting personal information
- Regular monitoring of the effectiveness of the program and adjustments as may be necessary
- Review of the program at least annually
- Documentation regarding responsive actions to breaches
The National Institute of Standards and Technology (NIST) further outlines, poor authentication mechanisms are a commonly exploited vector of attach by adversaries; the 2013 Data Breach Investigations Report (conducted by Verizon in concert with the U.S. Department of Homeland Security) noted that 76% of 2012 network intrusions exploited weak or stolen credentials. Multi-Factor Authentication (MFA) can assist in closing these attack vectors by requiring individuals to augment passwords (“something you know”) with “something you have,” such as a token, or “something you are,” such as a biometric.
These steps should help make your passwords easier for users to remember, yet difficult for hackers to figure out.
If you have a safety or risk management question or a suggestion for a topic, please contact Markel’s Risk Management Department at firstname.lastname@example.org.
The information provided in this article is intended for general informational purposes only and should not be considered as all encompassing, or suitable for all situations, conditions, and environments. Please contact us or your attorney if you have any questions.