Given the impact that breaches can have and the level of sophistication shown by hackers in recent breaches, it is not a matter of if a breach will occur, but when and how it will occur.

Cyber data — including financial data, sensitive customer information and employee records stored on the cloud or on the company’s technology devices and networks — is one of the most valuable assets many companies own. Each year, management should evaluate what is being done to protect these intangibles, where vulnerabilities exist, and how to make the assets more secure.

Think Big (and Small)

Many hackers operate overseas, making them harder to identify and prosecute. So, think globally when assessing your cyber breach risks.

However, hacks are often perpetrated through the victim’s small or midsize vendors. That is because smaller companies often lack the resources to put strong security measures in place — and hackers are ready, willing, and able to take advantage.

Consider the 2017 breach of the Equifax credit bureau, in which hackers gained unauthorized access to sensitive personal information on more than 143 million individuals in the United States, Canada, and the United Kingdom. The theft was accomplished through a vulnerability in a website application.

That was just one high-profile hack. Other big-name victims have included the Securities and Exchange Commission, JP Morgan, Target, eBay, Home Depot, and Yahoo.

In the Target case, hackers reportedly obtained information through a third-party heating and air conditioning vendor, which had access to the retailer’s computer network. The stolen credit and debit card data was then moved to a server in Russia. Many other cybercrime incidents have also reportedly been linked to vendors with lax security.

Some companies limit outside access to their computer networks, refusing supplier and customer requests to share data. Others require vendors to verify their network security protocols. Some companies are establishing cyber security ratings — similar to credit scores — based on the amount of traffic to a company’s website coming from servers that are linked to cybercrime. As those ratings become more refined, managers may choose to avoid doing business with high-risk customers and suppliers.

Engage in “Cyber Hygiene”

Protecting against cyber threats is an ongoing challenge, not a one-time event. Every time a software, hardware, or application manufacturer releases an update or patch, install it immediately on every device in a systematic fashion. Why? Hackers constantly troll for the latest patches and updates because they show where vulnerabilities exist. If hackers are nimble, they can exploit these vulnerabilities to steal data before customers have a chance to install the fix.

Another useful prevention strategy is requiring periodic changes to log-in passwords. Hacked passwords can cause a domino effect, because people tend to use the same password for multiple accounts. For example, when Adobe lost 33 million customers’ log-in credentials, other websites discovered that their accounts were being accessed using passwords stolen from Adobe. Some companies also use a security question or require users to select a preferred image to add another layer of identity verification.

Limit Access

Companies often have more devices connected to the internet than management realizes. Moreover, when employees take devices out of the office, they expose data to less-than-secure home networks and public hotspots that provide wireless internet access. Evaluate which devices need to be connected to the Web and take steps to minimize off-site risks. Consider limiting which employees can work from home, educating employees about the risks of cyber breaches, and installing encryption software on devices that link to external networks.

Encryption may create compatibility issues when sharing data with other companies and slow down data transmission. But it can be a powerful and cost-effective tool in the battle against cybercrime.

Seek Outside Help

Cyber security is an important task that few organizations can handle exclusively in-house. Consider seeking outside help to reinforce your current information technology (IT) policies and procedures. For example, a growing number of small and midsize companies use outside computer security companies to evaluate vulnerabilities in their network and test how well in-house IT professionals are securing their networks.

Another popular security measure is cyber liability insurance. Professional and general business liability insurance policies generally do not cover losses related to a hacking incident. Cyber liability insurance can cover a variety of risks, depending on the scope of the policy. It typically protects against liability or losses that come from unauthorized access to your company’s electronic data and software.

Instead of purchasing a standalone cyber liability policy, you can add a cyber liability endorsement to your errors and omissions policy. Not surprisingly, the coverage through the endorsement is not as extensive as the coverage in a standalone policy.

In addition, external auditors can help companies evaluate their exposure to cyber breach risks. Risk assessment is an important part of year-end audit procedures. Failure to protect valuable intangibles against the risk of cyber breaches can turn this valuable asset into a costly liability.

We’re Here to Help

Our forensic accountants work with you to help identify and reduce cyber breach risks. Get started by taking our Cybersecurity Diagnostic risk assessment.


© Copyright 2022 Thomson Reuters. 
