As Milwaukee businesses reassess their risks in the wake of the tragic events of Sept. 11, they should not overlook the serious financial losses that can result from cyber-terrorism, according to local officials of the world’s largest risk management and insurance brokerage firm.
"A major cyber attack can have devastating consequences for companies that rely heavily on the Internet and related technology for sales, marketing, inventory management, distribution and related functions," said Michael Sarner, e-business practice leader of the Milwaukee office of Marsh Inc. "Unfortunately, until recently, many firms haven’t paid enough attention to what they need to do to safeguard these operations."
He added that cyber risks are not limited to businesses that have a large Internet presence, such as a company that sells products online. For instance, hackers can use a Web site or e-mail system to get to critical infrastructure that houses databases of information on customers, competitors and employees.
"Businesses and government entities need to act quickly to find out where there may be gaps in their Internet security and address them with a comprehensive plan," said Sarner.
Marsh recommends the following steps to improve security and manage cyber risks:
1. Evaluate technology, people and processes. Effective security involves technology-related issues, appropriate people and process management and evaluation. Technology won’t prevent an authorized insider who has access to your critical infrastructure from committing a malicious act. It is imperative that management review the procedures to address this exposure.
2. Test security measures. Have an outside security firm review your policies and procedures at least once a year and test them regularly.
3. Hire outside expertise. If information security management cannot be handled internally, consider outsourcing key security functions, such as firewall monitoring and intrusion detection, to an outside firm with a focused expertise in security installation and maintenance.
4. Assess risks. Form a cross-functional committee to assess risks associated with your crucial e-Business applications and activities, and the strategies to prevent or mitigate those risks.
5. Review vendor contracts. Strengthen due diligence and insurance requirements of your contracts with Internet and application service providers (ISPs and ASPs), as well as other technology vendors. Many contracts do not indemnify you for "consequential loss," which may leave you with not only your own risk, but also that of your customers.
6. Communicate online policies to employees. Review your e-mail and Internet use policies and make sure your employees understand them (especially important in the control of viruses).
7. Create disaster recovery plan. Develop, implement, and test your Information Technology disaster recovery or business continuity program. Make sure this program can be implemented in times of physical and non-physical loss to your organization.
8. Analyze insurance policy. Review your insurance program for potential gaps or limitations in coverage related to e-business. Determine whether insurance is an appropriate solution, or if you can successfully reduce these uncovered exposures through other means.