Cybersecurity risk is an ever-present issue today for businesses of all types and sizes. For many business owners and managers, cybersecurity worries focus narrowly on whether their electronic systems can resist hackers.
The risks are much broader than that. Managing them requires a comprehensive understanding of cybersecurity from a business management perspective, involving every facet of operations.
Nearly all business activities depend on network connectivity. The five most critical cybersecurity concerns for business managers are:
- Security of electronic systems
- Supply chain security
- Privacy of customer and corporate data
- Employee activities
- Legal issues
Security of Electronic Systems
Business managers must assume a cybersecurity breach is inevitable. According to the Harvard Business Review, management from the board level down to individual team members must know which assets need to be protected and how to respond when a security problem occurs.
Leaving the defense against cyberattacks solely to the company’s IT person or department is like sitting in a dark room and hoping someone else remembers where the light switch is. Business owners and managers should have a documented, written answer to security questions such as:
- How will a breach affect each part of our company’s activities?
- What is the response plan to a cybersecurity breach?
- Is that plan regularly reviewed and updated?
- Are all systems routinely tested?
- Are all employees properly trained?
Supply Chain Security
Supply chain cybersecurity risks reach far beyond IT management. They include product sourcing, supply chain interruption, transportation, communications, and customer service.
A recent and colossal example was the ransomware attack on Colonial Pipeline. To contain the attack, the company shut down one of the largest fuel pipelines in the nation, interrupting the delivery of refined gasoline and jet fuel to its customers along the East Coast.
The Colonial Pipeline attack is just one example. The U.S. government’s National Institute of Standards and Technology (NIST) identifies these areas as key supply chain cybersecurity risks:
- Third-party service providers or vendors, ranging from janitorial services to software engineers, who have physical or virtual access to your information systems, software code, or intellectual property (IP)
- Poor information-security practices by lower-tier suppliers
- Compromised software or hardware purchased from suppliers
- Software security vulnerabilities in supply chain management or supplier systems
- Counterfeit hardware or hardware with embedded malware
- Third-party data storage or data aggregators
NIST also suggests several best practices for reducing these risks. They belong in every business owner’s and manager’s toolkit, and they should be applied to routine purchasing and vendor management, not only to headline incidents.
In particular, NIST recommends that business owners and managers ensure that contracts with suppliers include:
- Contingencies for supply chain interruption
- Security requirements, and remedies for non-compliance, covering the purchase and use of software
- Terms governing the use or sharing of third-party systems and data
Privacy of Customer and Corporate Data
Cybersecurity expert Bruce Schneier said, “Surveillance is the business model of the internet. Everyone is under constant surveillance by many companies, ranging from social networks like Facebook to cellphone providers. This data is collected, compiled, analyzed, and used to try to sell us stuff. Personalized advertising is how these companies make money and is why so much of the internet is free to users. We’re the product, not the customer.”
While Mr. Schneier’s warning was directed primarily at individual users, to make them aware of corporate surveillance, it is equally relevant to business owners and managers. The privacy of corporate data, and of the personal data for which a business acts as custodian (such as customer identity information), is of paramount importance in cybersecurity.
Just ask Facebook, which faced several allegations of leaked user data in 2021 alone and is also facing potential class action litigation in Ireland.
Employee Activities
Employees use their employer’s hardware and software daily in myriad ways. They use the company’s electronic systems to perform their jobs but often also access the internet during breaks for activities such as checking personal e-mail, shopping, or browsing social media. Each of these activities exposes the company to malware, phishing, and hackers through the same systems that run the business.
Cybersecurity risks co-exist with legal threats. For example, the doctrine of respondeat superior holds an employer liable for an employee’s wrongful or illegal actions taken in the course of employment. Suppose an employee who is authorized to use the employer’s computer or electronic system uses it to injure someone else or to commit a crime. In that case, the burden falls on the employer to establish that the employee was acting outside the scope of employment.
Proving that an employee was acting outside the scope of regular employment is difficult, and the same reasoning arguably extends to the use of employer-owned cell phones.
Another risk is an employee using a computer to defraud the employer by misappropriating proprietary or other confidential information. Suppose the employee is not authorized to access that information and obtains it by breaking into the employer’s files. In that case, the act can be a criminal violation of the federal Computer Fraud and Abuse Act (CFAA), and it also gives the employer grounds for a civil action against the employee.
However, if the employee does have permission to access the information and simply misuses it, the U.S. Supreme Court has held (in Van Buren v. United States, 2021) that the misappropriation does not violate the CFAA. Employers therefore cannot rely on the CFAA as a backstop: they must have clear policies on the use of their electronic systems, grant employees access only to the data their roles require, and regularly review that access. Training is an essential component of managing employee use of company computers, digital data, and electronic systems.
Legal Issues
There are other legal issues arising from the ripple effect of computer system failures or cybersecurity breaches. A cybersecurity-related shutdown that delays production or transportation can put a business in breach of its contractual obligations to customers. The release of private customer information can lead to financial damages, from litigation and regulatory penalties to lasting harm to the company’s reputation.
A sound cybersecurity strategy requires owners and management to recognize the legal risks inherent in a security breach and to include that assessment in the company’s planning. According to Mike Muller, former Chief Technology Officer at ARM, every business must assume it will experience a cybersecurity breach and have a “solid mitigation strategy.”
Cybersecurity Insurance Is a Wise Choice
Cybersecurity insurance plays a vital part in this mitigation strategy. Forbes recommends that businesses obtain cybersecurity insurance to cover damages from ransomware attacks, privacy breaches (including the resulting litigation), the loss of business income during downtime caused by weather-related outages or criminal attacks, and regulatory fines. Note that insurers increasingly condition coverage on baseline controls such as multi-factor authentication, tested backups, and a documented incident response plan, so a policy complements the measures described above rather than replacing them.