By STEVE YAHN, who has been a reporter and editor for national publications
When the U.S. government, Apple, Microsoft or some other large organization gets hacked, that's national news.
But when there's an everyday breach at smaller-sized companies around the country, it often goes unreported unless a company's reputation is harmed.
In terms of overall impact, it is everyday "human mistakes" that cause significant damage to U.S. business through data breaches. Verizon's 2012 Data Breach Investigations Report highlights some very alarming statistics in this realm -- for example, that 97 percent of the breaches reported in 2011 were considered "avoidable" (that is, the result of "human mistakes").
"When I was speaking recently at a RIMS chapter event in Minneapolis, most breach scenarios we were talking about -- eight out of 10 of them -- were tied to human error, mostly an insider who caused or perpetuated the breach," said John Gambale, head of professional liability, AIG, and Lexington Financial Lines executive, U.S. and Canada. "We feel the human error factor is a huge exposure that is not getting proper attention. This exposure could be easily addressed without spending a lot of money, without people saying, 'I don't have a large IT budget.'"
"IT continues to fight the good fight, but the vast majority of breaches involve a human factor failure of some kind," she said. "Simply stated, people make mistakes."
Like other cyber security experts, Nugent said that of course you need to make sure IT is involved, but you also need people from regulatory compliance, as well as somebody from each operating unit in the company who is cyber aware.
"If there's a breach situation that involves a particular operation they have to have a basic understanding of what's going on so that the operating unit isn't learning about cyber security in the context of a live breach," Nugent observed.
Involving a cyber-aware person from each operating unit argues for an enterprise-wide risk management approach.
"Having an enterprise management approach is key," said Tracy Tenorio, San Mateo, Calif.-based senior vice president in the tech group of ABD insurance and financial services brokerage. "You have to have your management invested in protecting data. It all starts from the top. A response plan must be led by a senior executive and that response team should include members of major departments such as finance, legal, IT, sales, human relations and public relations."
In addition to internal contacts, you should know who your outside legal adviser is who specializes in data breaches, Tenorio said, and what outside firm handles PR if a crisis reaches a stage where that help is needed.
Because of the great potential risk of cyber breaches, every employee must take an active interest and role in safeguarding data, said Robert G. O'Shea Jr., New York-based managing director, executive liability practice for Beecher Carlson.
More and more, the role of the C-Suite is becoming of paramount importance in establishing cyber security policies and procedures, said AIG's Gambale.
"The role of the C-Suite should be to raise the level of awareness corporate-wide, to raise the priority within the organization to make sure the overall checks and balances are in place with regard to the cyber security human factor," he said.
That's going to send the message to the overall organization that this is a top priority, Gambale continued. Whether you single out the IT guy, the risk manager, the general counsel or the board of directors, the message has to be clear about what is being done to prevent a breach from happening and who's accountable if one happens.
O'Shea said that the Securities & Exchange Commission is making suggestions that cyber security is indeed the responsibility of the C-Suite. "As a result," he said, "they too have begun to take a more active role."
Barry Cohen, New York-based president of Cohen Partners LLC, noted that a company that is well prepared from an enterprise risk management standpoint will be in a favorable position when purchasing cyber insurance.
"We believe that insurance companies will be especially inclined to underwrite companies that have good cyber preparedness training with an enterprise philosophy. We think this will be a very integral part of the underwriting process in eligibility and pricing," Cohen said.
A dissenter to the enterprise risk management majority is Andrew Maul, White Plains, New York-based executive director, IT applications for Avon Products.
"To me, enterprise risk management can suffer from trying to be too general," Maul said. "It isn't focused enough. It doesn't say what matters to us as a company. It needs to be managed, just like your financial portfolio."
What's the exposure if somebody makes a small mistake?
"With all the time spent focusing on something small, often you miss situations where you have holes where attention hasn't been paid," said Maul. "I think you should focus on elements of risk that matter instead of generalizing things."
Daniel Cohen, account executive at Cohen Partners LLC, said: "In looking at what it is protecting from a risk standpoint, one department might see risk much differently than another department. You might have your marketing team only worried about the social media side, while the IT team might be much more concerned with software and online security applications."
But like his brother Barry, he sees an enterprise risk management framework as essential to a company's overall cyber security. "What's important is reaching out to everybody in the company. Information sessions are important to keep everybody up to date," he said.
For all of these cyber experts, beyond making employees aware of cyber security issues, the next step is training.
"The simplest step is training, training, training," said Nugent of Wilson Elser. "Most companies do a fairly good job of developing policies and procedures, but they sometimes fall down in terms of helping employees in a company to understand expectations."
It's one thing for a privacy officer or a lawyer familiar with the privacy space to understand the obligations companies have and the efforts that are underway to protect sensitive information, said Nugent. "But it can be quite another for people who don't regularly deal with privacy and security issues to understand what they can do in their day-to-day jobs to assist the company in protecting information."
She observed that every division in a company needs a cyber-aware person, so that if a breach involves that operation, someone there already has a basic understanding of what is going on and the operating unit isn't learning about cyber security while a breach is happening.
Beecher Carlson's O'Shea agreed that eliminating "human mistakes" begins with training. "They need to recognize the evolution in the way in which their businesses are conducted, who has access to their company's data," O'Shea said. "They must be made to fully understand what data is obtained, used and maintained, as well as the need to protect that data. They must also be made aware of the tragic results when such data is breached."
Many employees incorrectly think IT is able to control all of a company's security challenges, said Avon Products' Maul. "But no IT environment, for example, will stop you from, let's say, leaving a manual at a competitor's place or leaving a printout of your product prices lying on the counter at a Starbucks," he said.
Gambale at AIG noted that human error breaches can occur when an employee accidentally or purposely exposes personally identifiable information. He cited the example of a university employee who mistakenly sent out an e-mail with a file that contained personal information for all of the university's students.
The issue of employees bringing their own devices to the workplace (Bring Your Own Device) is also adding further complications to corporate cyber security matters. Observed Tenorio: "Human resources has to have strong internal policies and procedures for employees' bringing their own equipment into the workplace, especially IT."
On another front, Tenorio underscored that having a breach preparedness plan in place before an incident happens ensures all of the internal departments work together and know what to do in case of a live breach.
"If a company is not prepared, there's a lot of lost time when a breach occurs," said Tenorio. "The bad press comes really quickly if you're not prepared. If a company is not prepared, how will they ever recover from the reputational damage? It can be catastrophic for a company if it is not prepared."
Tenorio advised companies that are breached to notify their insurer post-haste. "If the insurance company is not notified right away and the company goes to the insurer only after incurring all the costs associated with a data breach then there could be a problem with getting these things reimbursed."
Looking to the future, Gambale said: "I don't see how this topic of training and compliance in human error in the cyber realm can be ignored anymore, especially in light of President Obama's Cyber-Security Executive Order. When you look through the executive order, the third point calls for the collaboration and development of a 'framework' for organizations to follow."
That framework is going to be created jointly by the government and the private sector for certain industries and critical infrastructure across the United States to address that human factor, Gambale said. "What type of training should there be?" he said. "What type of compliance? What type of regulatory action?"
Gambale said he believes cyber laws are going to get tougher and tougher as that framework develops.
"So when you look at the factor of human mistakes in the cyber area of corporations and how that framework develops, it's going to be more and more important for the C-Suite to say, 'Here's the framework. Do we have the right policies and procedures and training in place so we're compliant with the Cybersecurity Executive Order framework?'"
May 7, 2013
Copyright 2013© LRP Publications