Who is the biggest loser in cybercrime? In most cases, it's the victim - the business that was exploited. Cybercrime is a multi-trillion-dollar industry that's growing year by year. No aspect of daily life is immune. Hospitals and universities are being held hostage with ransomware, confidential information is being stolen through technical vulnerabilities, and user identities (usernames and passwords) are being compromised in phishing attacks. It is nearly impossible to function today without the internet. Because of this, cybercriminals are thriving, costing businesses billions of dollars per year.
Businesses are always responsible for the cost of recovery, whether they pay in full or use cybersecurity insurance to absorb some of the costs. But according to Cisco, 68% of businesses do not have cyber insurance or a recovery plan. This can lead to a prohibitively expensive recovery, forcing bankruptcy or closure. As such, states are starting to enact Safe Harbor laws that limit the damages a business faces after a data breach. Ohio was the first state to establish a data breach Safe Harbor framework, followed by Utah, and soon to be joined by Connecticut.
Safe Harbor laws are often tied to existing IT governance frameworks such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the Center for Internet Security (CIS) 20 Controls, etc. However, just like cybersecurity insurance, Safe Harbor laws require businesses to follow security best practices in order to be eligible. The last thing a business owner wants to hear when filing a claim is that they "failed to maintain" security standards.
According to a Keeper Security survey, most SMBs (500 employees or fewer) lack dedicated cybersecurity staff or an incident response plan. The same survey pointed out other challenges including a lack of clear security priorities, implementation timelines, stakeholders, and project leaders. Without a clear plan, a commitment to cybersecurity, and oversight, your business may "fail to maintain" the standards necessary to benefit from Safe Harbor laws or cybersecurity insurance. Remember:
The first step towards eligibility is to hire a dedicated security professional. For companies that are unable to do so, consider partnering with a managed services provider that can supply outsourced security professionals. When assessing a security expert, check their certifications. Common certifications include CISSP, CCSP, CISA, etc. These certifications reflect expertise and add credibility to both the individual and your organization. Your security professional should also recognize opportunities to engage with departments and individuals across your company. The best security professionals are those who can apply their expertise in creative and interactive ways, whether by supporting employee training programs or by collaborating with the Marketing department to create engaging security content.
For more information about cyber insurance and Safe Harbor laws, reach out to iCorps for a free IT consultation.