Cyber security persists as one of the most pressing concerns among small businesses when it comes to negotiating third-party vendor contracts and filling holes in a company’s security infrastructure.
PricewaterhouseCoopers’ latest survey of U.S. CEOs reported that more than half of them were “extremely worried” about the effects cyber threats have on growth prospects.
Cyber security experts at the Central Penn Business Journal’s symposium this week agreed that any business that holds customer information is a candidate target for data breaches and should consider a security plan that fits its needs. Here are four things to consider when assessing your organization’s cyber security risks.
Security infrastructure may be expensive, but it’s cheaper than recovering from a data breach
Panelists said companies frequently tell them they can’t afford cyber security enhancements, to which Kaizen Approach’s Chief Technology Officer Melissa McCoy responds, “Can you afford a security breach?”
“The cost of cyber security has to be weighed against the cost of losing your data, losing your customers, losing your reputation, losing your ability to do business period,” she said.
A company’s data security can be an asset to its public image, especially in industries with strict regulations and certification standards, she said. “Particularly if you are in a regulated environment, the fact that you can show you are compliant will allow you to attract customers because they know that you have a certain level of certification and compliance,” McCoy said. “Yes, it’s going to cost more money to do things, but that’s the cost of doing business.”
Brandon Keath, cyber security architect with Appalachia Technologies in Mechanicsburg, said Appalachia conducts security tests via simulated “ethical hacking” to assess a client’s susceptibility to hacks. Blind spots about login credentials and back-end security among workers can prevent companies from preemptively defending against hacks, he said.
“We see issues with people, technology and processes, and it’s really important that you’re making sure all three of those things are up to par,” he said.
Striking a balance between convenience and security is key to a solid plan
For businesses, finding the appropriate cyber security infrastructure is a cost-benefit balance between convenience and security level, Keath said.
“Your risk assessment needs to involve some type of threat analysis for your organization specifically,” he said. “You’re not Fort Knox and you don’t need the level of Fort Knox security, but you do need a level of security that’s appropriate for your organization.”
Frank D’Angelo, an IT assurance manager with Lancaster-based RKL, said cyber security risk assessments are used to evaluate a company’s “inherent risk profile,” which accounts for gaps in security, and its cyber security “maturity level,” a standard set by the Federal Financial Institutions Examination Council (FFIEC).
Some of D’Angelo’s clients come to him already equipped with firewall protection that the company doesn’t regularly monitor, a flaw he cited as common.
“We suggest that this is an area that we might want to look at, even with something as simple as password and network security,” he said.
Read between the lines of third-party vendor contracts
Professor Angel Kern of Penn State Harrisburg said businesses should seek transparency from third-party vendors with whom they negotiate contracts.
“I find a lot of companies don’t really understand what data they’re giving to third-party vendors, and then does the contract with that third party vendor really establish how they’re protecting that data and what rights you have to investigate whether they’re protecting that data,” she said.
A contract between a business and a third-party vendor is principally an assignment of risk, said Don Geiter, partner and chair of the cybersecurity service team of Barley Snyder, and businesses should understand where the risk falls when it comes to the information they share.
“Those contracts are priced in such a way sometimes to provide the most risk to you, the customer, and the least amount of risk to the vendor,” Geiter said.
Cyber insurance may not cover human error
Cyber insurance is an emerging industry with inconsistency in what insurers offer in their plans, Geiter said. Many plans only cover IT infrastructure to the exclusion of other technology-related breach risks.
“It doesn’t cover everything that just has to do with a computer,” he said, citing business-email compromises as an example of a hack that might not be covered even if it results in a significant revenue loss.
“Many cyber insurance companies won’t cover that sort of thing, even though a computer was used, that’s not what those policies are set up to do,” he said. “Most of those policies are there to cover compromises and vulnerabilities on the actual IT side, not the people side.”
Kern said cyber maturity could play a role in how insurers price their services. A company with a lower-tier ranking in the FFIEC Cybersecurity Assessment Tool maturity assessment is probably going to pay more for cyber insurance than a tier-five company, according to Kern.
“We shouldn’t bet on that we’re going to use [cyber insurance] as one of our risk management strategies,” Kern said.