W^H? The Holmes Murphy Blog

  • Cyber Risk Myths or Realities?

    I was doing some research a few days ago on cybersecurity and came across an article that piqued my interest. It was in Forbes magazine titled, “These Are 10 Cybersecurity Myths That Must Be Busted.” If you have a chance, I encourage you to read it.

    Basically, the article points out the following myths and then explains each:

    1. “Cyber risk” is a separate category of risk.
    2. Cybersecurity is just an IT issue.
    3. Protecting yourself is good enough.
    4. Digital and physical security are separate systems.
    5. Going back to paper (or disconnecting from the internet) minimizes risk.
    6. Getting hacked is an embarrassment.
    7. Using antivirus software is enough.
    8. Cybersecurity is just a form of defense.
    9. New features of IoT devices trump security.
    10. You’ll never get attacked or breached.

    OK, I know…some of you are thinking, “Of course those are myths.” I get it. Some are blatantly obvious. But others, maybe not so much until you read the text that comes along with the myths. In actuality, there’s a lot of misunderstanding when it comes to cyber risk besides just the 10 “myths” listed. And rightly so. It’s a very deep, far-reaching topic.

    In my field, I hear a lot of people claiming to be experts on cybersecurity or speaking to the topic when maybe they shouldn’t. It’s somewhat of a hazard, really. I would go out on a limb as to say no one is a full-proof expert on cybersecurity. I think a lot of people know “a lot” about the issue and great ways to protect businesses and people. But with rapidly evolving coverages and insurance and new techniques to break through firewalls and steal information, I’m not sure any one person could ever say they’ve got a full handle on all risk. It takes a team.

    That’s why at Holmes Murphy, for example, we have a Cyber Security Council. This team is comprised of members from all different areas of our business, including directors and officers. It’s important to include these directors and officers, as they’re responsible for the protection of our company’s, employees’, and clients’ sensitive data. It’s important to note, though, there’s a fine balance between ensuring we’re implementing security practices and procedures to keep things secure and not getting in the way of the business. This is a constant battle. How much is too much?

    For your own company, if you’re trying to figure out how to get a handle on cyber risk, I’d suggest starting with these few tips:

    • Create a cybersecurity team. At the very least, always have a group of people to discuss potential changes and effects they may have on the business.
    • Ensure 1-2 executives are included in that group.
    • Implement cultural security changes, not just Information Technology (IT) changes. For example: Do your employees know what to look for in an email that may indicate it’s a fraudulent email? Come up with a policy for employees and test them on it.
    • Involve your marketing team to develop messaging that creates a security culture and engages employees. The more buy-in you have from employees, the more apt they are to be watchdogs for your company.

    These are just simple, initial steps. You can also take our free Holmes Murphy Information Security Self Assessment. This is a personalized and anonymous self-risk assessment tool that helps identify your company’s potential risk exposures.

    And of course, we understand that even the words “cyber risk” can be chilling. Don’t ever think you’re alone in determining how to roll out programs within your company…and even what kind of insurance coverage you may need “should” something ever happen. Like I said, we have a team at Holmes Murphy and we’re more than happy and willing to help you put risk plans in place. Just reach out!

    Published on: 05.01.17

    Join the Discussion