The average cost of a data breach has risen to a record high, according to a new study by the independent research firm Ponemon Institute. The study found that the global average cost grew from $4.24 million per incident in 2021 to $4.35 million in 2022, an increase of roughly 2.6%. Moreover, the global average cost has increased 12.7% compared to the 2020 average of $3.86 million.
These trends are alarming. What’s your organization doing to fortify its defenses against cyberattacks?
Cyber data — including financial records, sensitive customer information and employee files stored on the cloud or on the company’s technology devices and networks — is one of the most valuable assets many organizations own. Each year, management should evaluate what’s being done to protect these intangibles, where vulnerabilities exist and how to make the assets more secure. Here are some cybersecurity best practices to consider.
Vet your vendors. Hacks are often perpetrated through the victim’s small or midsize vendors. That’s because smaller companies often lack the resources to put strong security measures in place — and hackers are ready, willing and able to take advantage.
Some companies limit outside access to their computer networks, refusing supplier and customer requests to share data. Others require vendors to verify their network security protocols. Some companies are establishing cybersecurity ratings — similar to credit scores — based on the amount of traffic to a company’s website coming from servers that are linked to cybercrime. As those ratings become more refined, managers may choose to avoid doing business with high-risk customers and suppliers.
Limit access. Companies often have more devices connected to the internet than management realizes. Moreover, when employees take devices out of the office or work from home, they expose data to less-than-secure home networks and public hotspots that provide wireless internet access.
Evaluate which devices need to be connected to the internet and take steps to minimize off-site risks. Consider limiting which employees can work from home, educating employees about the risks of cyberbreaches and installing encryption software on devices that link to external networks. Encryption may create compatibility issues when sharing data with other companies and slow down data transmission. But it can be a powerful and cost-effective tool in the battle against cybercrime.
Adopt a continuous-improvement mindset. Protecting against cyberthreats is an ongoing challenge, not a one-time event. Every time a software, hardware or application manufacturer releases an update or patch, install it immediately on every device in a systematic fashion. Why? Hackers constantly troll for the latest patches and updates because they show where vulnerabilities exist. If hackers are nimble, they can exploit these vulnerabilities to steal data before customers have a chance to install the fix.
Another useful prevention strategy is requiring periodic changes to log-in passwords. Hacked passwords can cause a domino effect, because people tend to use the same password for multiple accounts. Some companies also use a security question or require users to authenticate their identity using a smartphone as another layer of verification.
Cover your assets. Another popular security measure is cyber liability insurance. Professional and general business liability insurance policies generally don’t cover losses related to a hacking incident. Cyber liability insurance can cover a variety of risks, depending on the scope of the policy. It typically protects against liability or losses that come from unauthorized access to your company’s electronic data and software.
Instead of purchasing a standalone cyber liability policy, you might be able to add a cyber liability endorsement to your errors and omissions policy. Not surprisingly, the coverage through the endorsement isn’t as extensive as the coverage in a standalone policy.
Seek outside help. Cybersecurity is an important task that few organizations can handle exclusively in-house. Consider seeking outside resources to reinforce your current information technology (IT) policies and procedures. For example, a growing number of small and midsize companies use outside computer security companies to evaluate vulnerabilities in their networks and test how well in-house IT professionals are securing their networks.
For More Information
Risk assessment is also an important part of year-end audit procedures. Accountants are familiar with ways to identify and reduce cyber-risks. Failure to protect valuable intangibles against the risk of cyberattacks can turn these valuable assets into costly liabilities.