In today's data-driven world, no organization, large or small, is immune to the cybercrime threat.
Consider the statistics:
- According to the Identity Theft Resource Center Annual Data Breach Report, cyberattacks increased 72% in 2023 compared to the previous record year.
- IBM reports that the average cost of a data breach surged to $4.45 million in 2023, marking the highest average on record.
Despite these alarming figures, many financial executives still consider cybersecurity an IT issue. In practice, responding to a cybersecurity breach involves multiple stakeholders and diverse decision-making processes, and it often requires expertise from external sources.
To beat the odds, organizations must adopt a proactive and all-hands-on-deck approach to cybersecurity, acknowledging that it's not a matter of "if" but "when" a breach may occur. Cultivating a culture that prioritizes cybersecurity readiness is critical, but knowing how to begin can be daunting.
To guide organizations in taking the right steps, CBIZ recently hosted a seminar in Kansas City titled "Lessons & Recommendations on Cybersecurity Trends." Moderated by Tiffany Garcia, managing director of CBIZ Cybersecurity Services, the seminar featured insights from the following panelists:
- Kayleigh Shuler, Cybersecurity Attorney, Polsinelli
- David Mauer, Director of Information Security, Children’s Mercy Hospital
- Sean Mackey, Chief Operating Officer, NetStandard
The presenters shared strategies for preparing for cyberattacks, working with legal to respond effectively, and managing cloud-based and AI risks. By applying this knowledge, organizations can strengthen their defenses and reduce their exposure to cyber threats.
How to Prepare for a Cybersecurity Incident
To prepare for cybercrime, organizations must consider business impacts beyond their systems. Mackey recommends a comprehensive risk analysis or crisis simulation exercise to identify vulnerabilities. This helps build a clear response plan and identifies key external partners, such as incident response firms, who can assist with backup and recovery strategies.
He noted that a well-defined plan reduces risk even in complex attacks. Because teams work long hours and must absorb constant updates during an incident, predetermined procedures and a clear decision-making framework prove their value when they are needed most.
It's also important to identify your cyber insurance carrier in advance so that the response can begin faster when an incident occurs. Legal counsel is often included in this coverage, which helps ensure that proper procedures are followed to protect attorney-client privilege and minimize liability.
Working With Legal During a Cybersecurity Incident
When a cybersecurity incident strikes, it's critical to work closely with your legal team from the start. This means open communication with your attorney, while keeping those discussions confidential in case of future litigation.
For example, after a disruptive incident, organizations may need to communicate with impacted employees or customers, and legal involvement in that communication is crucial. However well-intentioned, organizations should avoid prematurely labeling an incident a "breach" on social media, or assuring customers that their data is uncompromised before that has been legally determined. Overcommunication can also exacerbate issues and prompt backlash from service providers. Legal guidance ensures messaging that is truthful yet cautious, especially given potential obligations to notify affected individuals or regulatory bodies, particularly in highly regulated sectors like healthcare.
Strategies to Handle Cybersecurity Risks
Mauer emphasized that while basic cybersecurity measures offer a good foundation, cybercriminals evolve constantly along with technology, which necessitates a more nuanced approach to safeguarding systems.
Cloud-Based Cybersecurity Strategies
The growing reliance on cloud services creates challenges for securing sensitive data. However, best practices can help businesses overcome these hurdles.
Cloud storage simplifies data management but introduces security risks. Understanding where your data resides and the risks associated with that location is key to proper mitigation. Don't assume the cloud is inherently secure: evaluate your vendor's practices and your own response protocols to close any security gaps.
Cloud security starts with understanding your provider's responsibilities for data protection and breach notification. Equally important are strong controls to prevent unauthorized data movement out of your cloud environment.
Strategies to Tackle AI Risks
AI, once a source of fear, is now a common technology. While offering significant benefits, it also empowers cybercriminals. With federal AI regulations still evolving, organizations are establishing their own governance frameworks. But the question remains: how can we leverage AI's potential while mitigating AI-related cyber threats?
Shuler highlighted the growing use of AI by cybercriminals to craft sophisticated attacks, such as personalized phishing emails that mimic trusted voices. There is also concern about the security of data entered into AI chatbots. She advises organizations to critically evaluate their AI practices: What happens to the data fed into these systems? Are sensitive inputs properly filtered and protected?
Privacy should be the main concern when implementing any AI solution. In the event of a breach, it's important to determine whether the AI tool in use was at fault, possibly due to misconfiguration. The company providing the tool likely has a legal obligation to notify you of any incident, including a breach, that puts the data stored within the tool at risk; that data may include sensitive HR information about your employees.
When integrating such tools, consider both the security aspect and contractual agreements. Explore opportunities to transfer some legal responsibilities to the service provider, minimizing the burden on your organization in the event of an incident.
While blocking AI tools within your organization might seem like a tempting solution, it's not necessarily the most effective approach. Employees will find ways to use AI, and that can have positive outcomes. Instead, the best response is to deploy AI responsibly. Proactively establish policies, procedures and frameworks to govern its usage. Ensure that every AI tool undergoes thorough evaluation against best-practice security standards, and apply those standards consistently throughout its implementation.
Cybersecurity Strategies to Keep in Mind
During the seminar's conclusion, the panelists and moderator shared parting advice for organizations embarking on their cybersecurity journey:
David Mauer
Establish a cybersecurity risk register, whether in a simple spreadsheet or a comprehensive risk management system, to tackle cyber threats. Focus first on high-impact vulnerabilities that can be addressed with minimal disruption to operations. The register tracks risks over time, recording each one's likelihood, potential consequences and mitigation strategy, which supports a stronger security posture.
Kayleigh Shuler
Purge unnecessary data. Collaborate with legal and operations to determine data retention needs. Eliminate what's not essential. Less data means less loot for attackers.
Sean Mackey
Create a written response plan and keep it easily accessible. Many free resources are available to help you begin, so cost shouldn't be a barrier. You don't need to achieve perfection immediately, but starting the process is key because it will point you in the right direction.
Tiffany Garcia
Invest in staff training, recognizing that human error is often the weakest link in cybersecurity. Even with advanced technology and multiple security layers, if individuals within your organization overlook cybersecurity or fail to recognize its relevance, those measures are rendered ineffective.
How CBIZ Can Help
Ready to fortify your cybersecurity defenses? Partner with CBIZ, where our expert cybersecurity team offers tailored strategies to suit your unique needs. From consulting and assessments to risk management and compliance services — including SOC, HIPAA, PCI DSS reports and beyond — we've got you covered. Connect with us today to learn more and safeguard your organization against cyber threats.
Copyright © 2024, CBIZ, Inc. All rights reserved. Contents of this publication may not be reproduced without the express written consent of CBIZ. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.
CBIZ MHM is the brand name for CBIZ MHM, LLC, a national professional services company providing tax, financial advisory and consulting services to individuals, tax-exempt organizations and a wide range of publicly traded and privately held companies. CBIZ MHM, LLC is a fully owned subsidiary of CBIZ, Inc. (NYSE: CBZ).