CHAPTER 12
Computer Systems: Disaster Prevention and Recovery

There’s an old expression that “cash is king.” But for many businesses, data is now more important. It is the lifeblood of the organization. Yet, unfortunately, many don’t really understand the truly devastating impact of an IT disaster, thus they don’t take the necessary steps to protect themselves.

Have you ever been working on a report or tax return when the lights flickered and you lost 15 minutes of your work? How frustrating was that? And when you lose an hour of it? The frustration and cost to recover your information increases dramatically.

The concern for technology threats is evident in the AICPA’s 2013 North America Top Technology Initiatives Survey, with the top 10 concerns for CPAs in the United States being:

  1. Managing and retaining data
  2. Securing the IT environment
  3. Managing IT risk and compliance
  4. Ensuring privacy
  5. Managing system implementations
  6. Preventing and responding to computer fraud
  7. Enabling decision support and analytics
  8. Governing and managing IT investment/spending
  9. Leveraging emerging technologies
  10. Managing vendors and service providers

Ernst & Young interviewed 1,900 C-suite professionals and published their findings in its Under Cyber Attack: EY’s Global Information Security Survey 2013. Cyberrisks and threats were top concerns for 62 percent of the respondents. So it’s safe to say that IT issues are feared disasters, and we have good reason to be afraid.

In January 2014, someone hacked into the Chamber of Commerce’s system in Bennington, Vermont,[1] installed ransomware, and held the server hostage, asking for a $400 payment. Although the directors attempted to pay the money, they were unsuccessful and lost everything.

In the IT world, it’s often said: “There are two types of companies in this world. Those that have been breached, and those that are going to be breached.” In fact, some IT professionals believe that data breaches are just a fact of life, on par with taxes and death. Statistics appear to prove it.

Storagecraft[2] reports that 140,000 hard drives crash every week, yet only 23 percent of companies back up their data daily. Of those, only 66 percent test their tape backups. When they do test them, 77 percent have found failures. According to research conducted by the National Cyber Security Alliance, almost 50 percent of small and medium businesses have experienced a cyberattack, and 60 percent of small and medium businesses that experience a significant data loss will go out of business.[3]

Then there are the issues from outside attacks. Highlights from Symantec’s 2017 Internet Security Threat Report[4] indicate:

  • In 2016 there were 15 data breaches that exposed more than 10 million identities each.
  • In the past eight years, 7.1 billion identities have been exposed in data breaches.
  • Fifty-three percent of all e-mail is spam.
  • One out of every 131 e-mails contains malware.
  • Over the past three years, thieves stole $3 billion through business e-mail phishing scams.
  • Ransomware attacks have increased by 36 percent with more than 100 new malware varieties.
  • The average ransom demanded in ransomware attacks increased by 366 percent in one year.
  • Seventy-six percent of websites scanned contain vulnerabilities that can be leveraged by fraudsters.
  • An Internet of Things (IoT) device, such as a smart TV, smart thermostat, or cable modem, can be attacked and taken over in two minutes.

Information Age reported the following statistics in 2017:

  • A 38 percent increase in reported cybersecurity incidents
  • Fifty percent of small and midsize organizations suffered at least one cyberattack in the past 12 months.

There are many noteworthy examples of technology failures, including website failures, software failures, and data breaches.

For instance, in December 2013, Target was the victim of a malicious data breach. Hackers stole the debit and credit card information of 40 million customers, also taking the e-mail and mailing addresses of an additional 70 million customers. USA Today reported that costs associated with that breach were “between $400 million and $450 million.”[5]

There were also several instances of software failure that year. In one case, United Airlines had pricing issues on its website, selling some flights for only a dollar. Fortunately for their customers, they chose to honor those transactions.

Walmart’s customers weren’t so happy when, in October 2013, the company website listed computer monitor projectors for as little as $8.99. They chose to take the opposite approach of United and refused to honor these partner deals, canceling the purchases, and angering many customers.

The largest ever reported breach occurred at Yahoo with the disclosure of three billion e-mail accounts—every account that existed at the time. Although the breach occurred in 2013, it was not discovered and disclosed for more than three years. The breach reduced the selling price of Yahoo to Verizon by $350 million. And to this day, Yahoo does not know how the hack was accomplished.

In 2017, Equifax experienced a data breach that exposed 148 million records, which is approximately 61 percent of all adults in the United States. The disclosed data included credit card numbers, driver’s license numbers, Social Security numbers, dates of birth, phone numbers, and e-mail addresses. The enormous breach was the result of one outward-facing server with outdated software. The attack went on for 76 days before it was noticed. And then, Equifax waited six weeks before reporting the breach. As of the end of 2017, the costs related to the breach are $439 million and estimated to ultimately reach $600 million. In addition, Equifax has budgeted another $200 million to increase their security. Data breaches are not cheap: one server with outdated software will cost Equifax more than $800 million.

In the first half of 2018, 182 million records were exposed in the 10 largest reported breaches. The majority of the exposed records came from UnderArmour, where 150 million records were exposed.[6] UnderArmour was extremely responsive and notified users four days after discovering the breach.

Sadly, 50 percent of companies that lost their data for 10 days or more filed for bankruptcy immediately after the data disaster and 93 percent filed for bankruptcy within a year.[7] To make matters worse, many business owners mistakenly assume that cyberattacks only occur to large companies, but the numbers suggest that isn’t the case.

According to the U.S. House Small Business Subcommittee on Health and Technology, 20 percent of all cyberattacks actually impact small businesses. In addition, 63 percent of them are on companies with fewer than 100 employees. What’s scarier yet is that Gartner Group reports that 50 percent of small and medium-size businesses that manage their own network will be hacked and won’t ever know it.

Look at it this way: Only 39 percent of companies review their IT disaster plans annually, but how many hackers review their approaches daily? It is absolutely critical for your organization to have a plan in place to protect your technology systems and respond in the case of a disaster.

CAUSES AND COSTS OF IT DISASTERS

One reason IT disasters are so hard to prevent is that they can be created by so many different events. These include:

  • Server failures
  • Hard drive crash
  • Power outages
  • Service provider failures
  • Software glitches or failure
  • Malicious virus
  • Ransomware (a type of malware that freezes access to all of your computer’s files)
  • Natural disaster (such as flooding or earthquake)
  • Employee sabotage (or theft)
  • Human error

Although the possible causes are many, one thing is for sure. These types of issues, regardless of the cause, are often extremely costly. Companies lose money due to downtime, data loss, data corruption, and repair. There are also costs to restore software, restore hardware, patch security holes, and perform data recovery.

Add that to the cost of credit monitoring, costs associated with loss of credibility and customer trust, and lost revenue when customers cannot do business with you and the numbers just go up. Of course, then there are penalties for violating contracts with partners, suppliers, and distributors, and legal costs of compliance. The list goes on and on.

According to Symantec,[8] IT outages cost the typical small business $3,000 a day, and the median cost of downtime is $12,500. Some companies wind up paying much more.

Sony PlayStation’s breach of 77 million records cost them $171 million. On August 1, 2012, Knight Capital installed new trading software, and a glitch caused the firm’s computers to buy and sell millions of shares of stock incorrectly. The disaster lasted only 45 minutes, yet it cost the company $440 million (four times their 2011 net income) and dropped its capital stock 63 percent by the end of the day. Ultimately, to cover the losses, 70 percent of the company had to be sold.

According to the Business Continuity Institute’s Horizon Scan 2014 Survey Report,[9] if you look at that year’s top 10 threats to business continuity, the first three are IT-related: (1) unplanned IT and telecom outages, (2) data breach, and (3) cyberattack. Meanwhile, McAfee Labs 2014 Threat Predictions report[10] forecasted that:

  • As mobile malware attacks are increasing at a far greater rate than those on PCs (rising by 33 percent in the last half of 2013), this trend will most likely continue.
  • Virtual currencies will be used to make ransomware payments.
  • Online attacks by criminal gangs will increase in number and strength.
  • Platform attacks against social websites, such as Facebook, Twitter, LinkedIn, and Instagram will continue to grow.
  • PC and server attacks will continue to leverage weaknesses in operating systems and website programming.
  • The adoption of “big data” security analytics will be necessary to meet detection and performance requirements.
  • As cloud-based systems become more widely used, cybercriminals will attack those data repositories.

IT DISASTER PREVENTION

We’ve all said, “You get what you pay for,” and this is especially true when it comes to today’s technology because buying cheap equipment leaves you vulnerable to hardware failures. Sure, a $300 server may sound like a deal compared to one that costs $3,000, but the cheaper version likely won’t be as reliable or last as long.

Another factor to consider when it comes to preventing IT disasters is to be consistent in your equipment purchases. Hardware compatibility becomes a major issue when you purchase different brands, such as Dell versus Apple versus Toshiba. In addition, too many brands make it difficult for your IT department to become experts in any one type of hardware.

Software is another area where consistency is helpful as data integrity becomes an issue when you’re using different versions of the same program. For example, if some of your employees use Microsoft Office 2010 and some use Microsoft Office 2013, you’re likely to experience problems.

It also helps to update software programs on a regular basis on the server level and at the user level. This includes PCs, laptops, and tablets because, although it’s easy for your IT department to schedule updates to the software on the server, it can be much more difficult to push updates to users.

You may even decide to prevent users from installing their own updates without permission from your IT department. Often, viruses and malware can be installed on a computer system when the user mistakes them for normal software updates.

Though the least expensive way to deal with an IT disaster is to spend money on prevention, one of the most overlooked considerations is the facilities housing your systems. Many large organizations have dedicated server rooms, but a lot of small and medium-size enterprises do not.

Often, servers are an afterthought, kept in a spare closet and stored among other materials and supplies, greatly increasing the risk of hardware failure. The room may not be dusted on a regular basis, increasing the risk of fire. There may be too many items plugged into a single outlet or power strip. There may be cables and loose wires creating a tripping hazard. There may be many pieces of equipment, some new and currently being used, some old and unused. There may be cardboard boxes of old supplies making it difficult to move around the room and access the equipment. And, worst of all, nothing is labeled. So when something fails, it is extremely hard to identify and fix the issue.

Okay, maybe it isn’t that bad, but if it’s not neat and orderly, this is something you should work to remedy immediately. The first step in protecting your onsite servers and helping to prevent hardware failure is to ensure the facilities housing your systems are clean, regularly dusted, and free of pests.

Speaking of pests, in 1945, computer scientist Grace Hopper coined the expression “computer bug” when she discovered that a moth had short-circuited the Harvard Mark II computer she was working on. Other animal-related IT disasters have occurred due to rats chewing on wires or nesting inside a server, spiders spinning webs inside a server, or hatching baby spiders inside the CD drive.

Your housing facilities should also be:

  • Adequately ventilated
  • Adequately air-conditioned
  • Wired professionally
  • The servers plugged into battery backup systems (uninterruptible power supplies)

Servers and battery backup systems should be tested quarterly if you aren’t replacing your batteries yearly. Battery backups allow you time to shut down your system in the event of a power outage and prevent fires from electrical surges.

Many people mistakenly assume that a power strip is also a surge protector, but often power strips just provide additional outlets (ultimately overloading the electrical system). And just because a strip has six outlets, it doesn’t mean that the power strip is rated to run six different appliances. When a power strip is overloaded (even if it is a surge protector), both the power strip and the attached equipment can melt or catch fire.

For security purposes, your server room should be kept locked and have limited access because one of the simplest things a company can do to prevent an IT breach is to mandate access controls. Take the time to set up proper access limitations for both administrative and nonadministrative employees (especially when employees are using personal devices to access company data) to mitigate this top IT threat. Install surveillance cameras and check them regularly to make sure the cameras are working.

Layering security is also a good approach, but it’s not necessary to require high-level security for every application. An employee’s initial login should require the strongest of passwords, with an additional password required to access your accounting system. It may not be necessary to require a third level of passwords for individual portions of the accounting system, such as accounts receivable, so you want to apply the appropriate level of security based on the confidentiality of the system.

When it comes to passwords, employees may love to hate them, but they are in fact a very effective control. Here’s a list of 10 things you should never do with passwords:

  1. DON’T use common dictionary words in any language; for instance, don’t use monkey, computer, password, or buenos dias.
  2. DON’T spell common words backwards, such as retupmoc or drowssap.
  3. DON’T use sequential numbers, like 12345 or 9876.
  4. DON’T use personal information; stay away from using your name, a pet’s name, or your favorite sports team.
  5. DON’T substitute a similar number or symbol for an alphabetic character; p@ssword should never be a password.
  6. DON’T use a common word with just a number added; don’t use Tommy1 or Apple5.
  7. DON’T use a string of identical characters or numbers; BBBBB and 111111 should never be used.
  8. DON’T use your login ID as your password; these two should always be different.
  9. DON’T write your password down and keep it in all the typical places; don’t keep your password on a sticky note on your monitor, underneath your keyboard, in a file labeled “passwords,” or on the last page of your calendar.
  10. DON’T share your password with anybody else; your password should be known by you and you only.

Now, if those are all the things you’re not supposed to do, what can you do to develop a strong password and maintain your security?

Ideally, to create a strong password, you want to:

  • Use a minimum of 10 characters, but even longer is better.
  • Also, make your password a combination of alphabetic, numeric, and special characters.
  • Use a combination of lowercase and capital letters.
  • Set different passwords for different types of log-ins. (For example, you want to use different passwords for banking sites, social media, and e-mail accounts.)
  • Most important, you want to change your most critical passwords on a regular basis.
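As an added example that is not part of the chapter, the following Python routine applies the 10 DON’Ts and the strength criteria above to a candidate password and reports every rule it breaks. The sample wordlist, the look-alike symbol map, and the login and personal-information values are constructed for the illustration; rules 9 and 10 are behavioral and cannot be checked by software.

```python
"""Password rule checker built from the chapter's DON'T list and strength criteria.

Rules 9 and 10 (writing the password down, sharing it) are behavioral and
cannot be checked by software; the remaining rules are enforced below.
"""
import re

# Constructed sample wordlist for this example. A real deployment would load a
# full multi-language dictionary (and a breached-password list) from a file.
COMMON_WORDS = {
    "monkey", "computer", "password", "buenos", "dias", "tommy", "apple",
    "welcome", "letmein", "qwerty", "summer", "football",
}

# Symbols and digits people substitute for letters (rule 5: p@ssword).
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                          "4": "a", "5": "s", "7": "t", "!": "i"})

SPECIALS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")


def _sequential_digits(pw, run=4):
    """Rule 3: `run` consecutive digits that each step +1 or -1 (12345, 9876)."""
    for i in range(len(pw) - run + 1):
        window = pw[i:i + run]
        if not window.isdigit():
            continue
        steps = {int(b) - int(a) for a, b in zip(window, window[1:])}
        if steps in ({1}, {-1}):
            return True
    return False


def _repeated_run(pw, run=4):
    """Rule 7: the same character `run` or more times in a row (BBBBB, 111111)."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def _dictionary_hit(pw, words):
    """Rules 1, 2, 5 and 6: the password, or the password with a trailing number
    stripped and look-alike symbols undone, matches a dictionary word either
    forwards or backwards. Returns the matched word, or None."""
    base = pw.lower()
    forms = set()
    for tok in re.split(r"\s+", base) + [base.replace(" ", "")]:
        stripped = re.sub(r"\d+$", "", tok)             # rule 6: Tommy1 -> tommy
        for form in (tok, stripped, stripped.translate(LEET_MAP)):
            forms.add(form)
            forms.add(form[::-1])                       # rule 2: drowssap -> password
    for form in forms:
        if form and form in words:
            return form
    return None


def check_password(pw, login_id="", personal=(), words=COMMON_WORDS):
    """Return the list of rule violations; an empty list means the password passes.

    `personal` holds strings the user should never embed (name, pet, team);
    `login_id` is the account name the password must not repeat (rule 8).
    """
    problems = []
    low = pw.lower()
    hit = _dictionary_hit(pw, words)
    if hit:
        problems.append(f"dictionary word, possibly reversed, disguised or numbered: {hit}")
    if _sequential_digits(pw):
        problems.append("sequential digits")
    for item in personal:                               # rule 4
        if len(item) >= 3 and item.lower() in low:
            problems.append(f"personal information: {item}")
    if _repeated_run(pw):
        problems.append("repeated character run")
    if login_id and login_id.lower() in low:
        problems.append("contains login ID")
    # Strength criteria from the chapter: length, mixed case, digit, special.
    if len(pw) < 10:
        problems.append("shorter than 10 characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("needs both lowercase and capital letters")
    if not any(c.isdigit() for c in pw):
        problems.append("needs a numeric character")
    if not any(c in SPECIALS for c in pw):
        problems.append("needs a special character")
    return problems


if __name__ == "__main__":
    # Constructed candidates: the chapter's bad examples plus one that passes.
    for candidate in ("p@ssword", "retupmoc", "Tommy1", "abc12345", "BBBBB",
                      "Ledger-Tr4in!Qz"):
        verdict = check_password(candidate, login_id="jsmith",
                                 personal=("Alice", "Rex", "Cubs"))
        print(f"{candidate!r:20} {'OK' if not verdict else '; '.join(verdict)}")
```

The dictionary test flags any token that is a common word, so a long passphrase built from common words is rejected too, which is exactly what rule 1 asks for.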

LAPTOP AND CELL PHONE PROTECTION

Laptop theft is a significant threat to individuals and organizations alike. Ponemon Institute reports that 12,000 laptops are lost weekly, with the average cost to an organization for just one of them right around $49,246.[11] And only 7 percent of stolen devices are recovered.

According to some estimates, one out of every 10 stolen laptops is taken at an airport. In one commonly used method, two criminals position themselves in front of a victim while in line for TSA luggage screening. The first one goes through the metal detector while the second delays the victim by distracting security personnel, often by intentionally placing metal objects in various pockets. Meanwhile, the victim’s luggage and laptop pass through the screener and, while the victim is stuck behind the second criminal whose pockets are being emptied, the first criminal steals the laptop as it comes off the conveyor belt.

A frequently overlooked step to protecting laptops is simply educating employees on laptop safety. They should be regularly trained and updated on how to protect themselves and their data, particularly when traveling. Steps they can be instructed to take include:

  • Always keep your laptop with you. In particular, don’t leave it at a restaurant table, behind a chair, or in your car.
  • Use a security cable and lock when leaving it at the office or in a hotel room.
  • Write down the laptop’s serial number, make, and model. You’ll need it if you ever have to report a theft.
  • Back up your files regularly and test the backup.
  • Encrypt your hard drive. If your laptop is stolen, this will minimize the data loss.
  • Consider installing a tracking device or software.
  • Install utility software that will notify the police if it is stolen.
  • Install antivirus software.
  • Install a firewall.
  • Remove unnecessary data.
  • Set an idle time-out, requiring the use of your password to log back in.
  • Use a strong password.
  • Don’t leave a copy of the password in the carrying case or taped to your laptop.
  • Use a screen guard to prevent strangers from seeing what you’re working on.
  • Keep software updated, especially for security patches.
  • Customize the appearance of your laptop and carrying case to make them distinctive.
  • Be careful when using Wi-Fi networks.
  • Store your data in a cloud so that if your laptop is stolen or broken, you still have access to your data.
  • Insure your laptop.

Sadly, cell phones don’t fare any better, as they’re most frequently stolen at airports, in mass transit, and from cars. According to Time magazine, cell phone theft in major cities has become an epidemic. In New York City, for example, there was a 40 percent increase in cell phone theft in 2012, and it’s estimated that, in 2013, 3.1 million were taken from their owners.[12]

In Chicago, cell phone theft has become the modern-day purse snatching. Criminals are targeting victims who are using their cell phones on the subway. It goes something like this: The person is involved in a phone call and not paying attention. Just as the subway doors are opening at a stop, the criminal grabs the victim’s phone, jumps off the train, and disappears into the crowd.

The issue for organizations is that mobile phones contain a great deal of confidential information. This puts their contacts, e-mail, Internet credentials, usernames and passwords, business applications, and/or mobile payment information at risk if the phone is accessed.

Plus, we often get distracted when using our phones, making ourselves easy targets for thieves. That’s why it’s a good idea to hold your phone tightly, potentially even using two hands, especially while in public places. It may look strange, but wouldn’t you rather look silly than be robbed of your phone?

Other steps you can take to protect your cell phone include:

  • Never let it out of your sight, paying special attention to never leave it unaccompanied on the restaurant table or in your car.
  • Write down your phone’s number, make, model, serial number, and PIN (or security lock code).
  • Lock your phone using a security code or PIN feature.
  • Install antitheft software that will remotely locate your lost device and, if necessary, destroy all of its data.
  • Install antivirus software.
  • When carrying your phone, make it difficult to access. If it’s easy for you to reach, it’s easy for criminals to reach.
  • Back up your data and photos regularly.

If your phone is stolen, report it immediately to police and your carrier. Your carrier can blacklist it and prevent anyone from making calls. Also, immediately activate any tracking and remote device management software.

NETWORK SECURITY

One major concern of businesses is that their network will infect a client with a virus or be used by hackers to gain unauthorized access to information. The risk of either of these happening can be lessened by taking proactive steps, such as:

  • Installing a firewall
  • Putting virus protection on all of your company’s computers and mobile devices
  • Using antispam software
  • Establishing a VPN for remote access
  • Setting appropriate administrator rights and responsibilities
  • Placing restrictions on downloads and upgrades
  • Conducting employee training

Additionally, all of your files need to be backed up. This means that files used by employees should always be saved on your server, not on their local desktop or laptop. A good backup system is off-site, automatic, uses an external hard drive (rather than a tape or CD system), and includes backup of software applications.
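The chapter’s advice to back up files and then test the backup (here and in the laptop checklist above) is the part most organizations skip. As an added example that is not from the chapter, this Python routine archives a folder, restores the archive into scratch space, and compares file hashes, so a backup that cannot actually be restored is caught before it is needed. The sample files and the simulated media damage are constructed for the illustration.

```python
"""Backup-and-restore test: archive a directory, then prove the archive can
actually be restored by extracting it to scratch space and comparing file
hashes. An archive that merely exists is an untested backup."""
import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path


def _hash_tree(root):
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digests[path.relative_to(root).as_posix()] = hashlib.sha256(
                path.read_bytes()).hexdigest()
    return digests


def make_backup(source_dir, archive_path):
    """Write a gzip tarball of source_dir and return the hashes of what went in."""
    with tarfile.open(str(archive_path), "w:gz") as tar:
        tar.add(str(source_dir), arcname=".")
    return _hash_tree(source_dir)


def verify_backup(archive_path, expected):
    """Restore the archive into a temporary directory and compare every file
    against the expected hashes. Returns (ok, problems)."""
    problems = []
    with tempfile.TemporaryDirectory() as restore_dir:
        try:
            with tarfile.open(str(archive_path), "r:gz") as tar:
                # Use the 'data' extraction filter where the interpreter has it,
                # so a crafted archive cannot write outside restore_dir.
                extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(restore_dir, **extra)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            return False, [f"archive could not be restored: {exc}"]
        restored = _hash_tree(restore_dir)
    for rel, digest in expected.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"content changed: {rel}")
    return not problems, problems


def demo():
    """Constructed sample run: an intact archive verifies, a truncated one fails.
    Returns (intact_ok, truncated_ok)."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "shared"
        (src / "ledger").mkdir(parents=True)
        (src / "ledger" / "2018-q1.csv").write_text("acct,amount\n1000,42.50\n")
        (src / "clients.txt").write_text("constructed sample client list\n")
        archive = Path(work) / "offsite-copy.tgz"
        expected = make_backup(src, archive)
        intact_ok, _ = verify_backup(archive, expected)
        # Simulate the silent media damage that only a restore test reveals.
        blob = archive.read_bytes()
        archive.write_bytes(blob[: len(blob) // 2])
        truncated_ok, _ = verify_backup(archive, expected)
    return intact_ok, truncated_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```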

Another preventative step is to develop IT security policies and procedures, sharing these with all employees via regular training sessions so they understand what you expect in this regard. An effective IT security policy will cover:

  • Confidentiality of client records
  • Transmission of data
  • Computer security
  • Wireless transmissions
  • Remote access
  • Computer backup
  • Credit card information
  • File retention
  • File destruction

One of the newest risks in today’s IT environment involves BYOD, short for “bring your own device.” Many employees prefer to use their personal devices—such as laptops, tablets, or cell phones—in lieu of those provided by the employer. Symantec reports that the average employee connects 2.8 devices to an employer network every single day.

Whether you currently allow employees to BYOD or you’re considering it as a viable business option, ask yourself these questions first:

  • Is there an assumption of privacy?
  • How will you address confidentiality of proprietary information?
  • Who pays for the services?
  • How will you address software compatibility?
  • What happens if the device is broken or lost?
  • What happens when the employee leaves?
  • What security policies will you require?

Keep in mind that, although security is definitely an issue, creating a policy that is too restrictive won’t necessarily help keep your data secure. Further, the Gartner Group estimates that 20 percent of BYOD programs will fail because they are too restrictive and difficult to follow, which makes finding a happy compromise the best solution.

To establish a good BYOD policy, you want to define policies that employees can live with. Make a clear separation between work and personal lives when it comes to devices. Choose apps that don’t directly store data. Fully explain the risks of BYOD; and, finally, communicate your policy to your employees on paper and in person.

OPERATING IN THE “CLOUD”

The “cloud” refers to the use of web-based applications that provide access to data from any location at any time, as long as there’s a working Internet connection. Some companies prefer them because they generally incur lower hardware and maintenance costs as they’re paid for on a pay-as-you-go basis or with per-user fees.

Although the cloud does offer some advantages, there are some risks associated with this type of application as well. For instance, there can be issues with security, both physical security of the hardware and security of the data. There’s also a potential for downtime and questionable availability of customer support.

The speed and bandwidth required for access to cloud-based applications can sometimes cause issues as well. Legally, there may also be a need to disclose the use of cloud services to clients, whether that disclosure is required by the IRS or by AICPA Ethics Ruling No. 112.

According to a Ponemon Institute study, the majority of cloud-computing providers believe it is the customer’s responsibility to secure the cloud. Additionally, the provider’s systems were often not evaluated for security prior to deployment, did not have dedicated security personnel, and the user had no idea what was being done to protect their data.

In order to compensate for some of these risks, organizations should request disclosure from the provider. Ask about their security programs and policies, their disaster recovery plans, their employee hiring policies, and their liability insurance policies. You also want to request third-party monitoring of their security and evaluate their financial stability. The more you protect yourself in the beginning by taking these types of actions, the safer your data becomes.

When using a cloud provider, your contract with them should address confidentiality as they shouldn’t be able to make any unauthorized disclosures, and there should be no unauthorized use of data by them. It should also state who will bear financial responsibility if either of these occur. Include a Right-to-Audit clause where you, the customer, can review their security policies and procedures. You also want to review their SOC-2, Type 2 Report.

Technically, an SOC report is the result of an examination engagement undertaken by an external auditor to report on the controls at an organization that provides services to user entities when those controls are likely to be relevant to user entities’ internal control over financial reporting. Put simply, it’s a report that tells you whether your provider takes their internal controls seriously.

There are three types of SOC reports, and, to make it even more complex, each report can have different types. For instance, an SOC 1 report covers the service organization’s internal control system, and there are two versions of it. Type 1 is a report on management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.

Type 2, on the other hand, is also a report on management’s description of the service organization’s system and the suitability of the design, but it also addresses the operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period. This report is more expensive because it covers not only the design but also the usage of the internal controls.

An SOC 2 report is slightly more comprehensive and covers the specific controls at a service organization relevant to security, availability, processing integrity, confidentiality, and privacy. It’s essentially intended to provide assurance about the controls that affect these issues and, like an SOC 1, comes in two types. Type 1 only addresses the design of the controls, but Type 2 addresses both the design and the effectiveness of the controls.

Finally, SOC 3 reports are designed to meet the needs of users who need assurance about the controls at a service organization, but at a more general level. These reports are general use reports that can be freely distributed or posted on a website using an authorized seal of approval.

To be most comfortable with the controls of a service organization you intend to use, you should request a SOC 2, Type 2 report. (If you’d like more information about SOC reports, it’s available on the AICPA website (https://www.aicpa.org/InterestAreas/InformationTechnology/), where you can download the brochure, “Service Organization Controls.”)

CREATING AN IT DISASTER RECOVERY PLAN

When creating an IT disaster recovery plan, one of the first things an organization has to define is the difference between an “inconvenience” and a “disaster.” These definitions may vary between departments and between employee roles.

For example, if your customer service employees can’t access your customer relationship management (CRM) software for 15 minutes, the impact will be immediate if they have no other way to answer customers’ questions. However, if your accounting department can’t access general ledger software for 15 minutes, it’s more of an annoyance.

Another consideration is recovery time. How quickly does each system need to get back up and running? Again, this may vary by department, system, or employee role. Customer service software may have a quicker recovery time, for instance, than accounting software.

Don’t forget to consider regulatory requirements because many industries are subject to specific regulations covering data security. These regulations can be at both the federal and state level, and noncompliance can result in fines, loss of business license, or even jail time.

Table 12.1 is a list of some of the more applicable federal data retention regulations (Appendix H includes a list of many of the U.S. privacy laws, for your convenience).

Table 12.1 Common Federal Data Retention Regulations

  • HIPAA: Organizations must ensure data privacy and restricted access while information is being transmitted and in storage.
  • FTC Red Flags Rule: Many organizations are required to implement a written Identity Theft Prevention Program designed to detect the warning signs of identity theft in their day-to-day operations.
  • Subtitle D of Title XIII of the ARRA: Additional requirements supplement the HIPAA Privacy and Security Rules.
  • Federal Information Security Management Act (FISMA): Federal agencies, and those providing services on their behalf, are required to develop, document, and implement security programs for IT systems and store the data on U.S. soil.
  • Gramm-Leach-Bliley Act (GLBA): Provisions are included to protect consumers’ personal financial information held by financial institutions and higher education organizations.
  • Payment Card Industry Data Security Standards: Information is covered related to credit card holder data as defined by the Payment Card Industry Data Security Standards.
  • Sarbanes-Oxley Act: Subject companies must create accounting systems with easily verifiable and traceable source documents; revisions to accounting software must be fully documented.

When it comes to the software systems you use, not all of the systems are created equal and not all of them need to be running all the time. So, after identifying all of the systems running on your server and mobile devices, the next step is to rank them in terms of criticality, as the most critical ones are the ones you want to protect most. For instance, CRM and accounting software are more critical than Microsoft Office programs, such as Excel and PowerPoint.

Not all data is critical either, so you want to identify what is critical, what is archival (historical copies), and what is useless. During this process, don’t forget to include data that is not stored centrally: when employees use laptops, they sometimes mistakenly store files locally rather than on the server.

Your organization also needs to consider how employees might access their programs and data if they couldn’t come into work or if the power goes out at your facility. (When doing this, be careful not to confuse accessibility and availability with disaster recovery.)

One location-based solution is to have a “hot site.” There are vendors that will provide fully configured data centers with commonly used hardware and software programs. In some cases, applications, data streams, and data security services can also be hosted and managed by these vendors.

Creating an IT disaster recovery plan is very similar to creating a business continuity plan in that data recovery plans are not just an IT responsibility. That’s why it’s important to involve everyone in the organization in the development of IT-related security policies.

Disaster recovery plans should address four basic IT protections: data protection, system recovery, people, and processes. When it comes to data protection, your data needs to be backed up and secured at an off-site location. System recovery in the plan will address the platforms, servers, operating systems, software, networks, and storage that you’ll use to recover your applications.

Because people will be performing the work, it’s important to ensure that they have operational places to work from with the right equipment to enable them to do their jobs when trying to restore your IT system.

When developing an effective IT disaster recovery plan, the steps can be summed up as follows:

  • Step 1: Assess your risks.
  • Step 2: Test your systems for vulnerabilities and risks; it’s better that you find out where the weaknesses are before somebody outside your organization exploits them.
  • Step 3: Develop recovery strategies, addressing the length of disruption (24 hours? 72 hours? five days or more?), type of disruption (single system? branch location? entire network?), type of disaster (power outage? virus? fire?), and assignment of personnel.
  • Step 4: Test the recovery plan; the last thing you want to find out is that the backups that you’re relying on will not restore (a sample IT backup and testing form is located in Appendix I).
  • Step 5: Communicate the plan to all employees.
  • Step 6: Update the plan regularly (at least every quarter).

Though you may be tempted to skip Step 4 and not test your recovery plan, to do so could be catastrophic. For example, prior to Superstorm Sandy, the manager of a marina contacted her IT consultant to confirm that her systems were being backed up. She was told that all of the company’s data was on a schedule to be backed up nightly, but, after the storm, she learned that the backup system had not run for two entire months.
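Step 4 and the marina’s discovery that its nightly job had silently stopped are the two failures this added example checks for. It is not from the book; the 36-hour freshness threshold, the file names, and the in-memory tar archive standing in for a real backup are all constructed assumptions.

```python
"""Backup freshness and test-restore check: added example, not from the chapter.
Step 4 of the plan is to confirm the backups you rely on will restore; this checks
a constructed in-memory backup for staleness and for manifest/content mismatches."""
import hashlib
import io
import tarfile
from datetime import datetime, timedelta

MAX_AGE = timedelta(hours=36)  # nightly schedule plus grace; threshold is an assumption

def build_sample_backup(files: dict[str, bytes]) -> tuple[bytes, dict[str, str]]:
    """Construct a tar archive in memory plus a name -> SHA-256 manifest."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue(), {n: hashlib.sha256(d).hexdigest() for n, d in files.items()}

def is_fresh(last_run: datetime, now: datetime) -> bool:
    """False when the job has silently stopped, as the marina's had for two months."""
    return now - last_run <= MAX_AGE

def restore_failures(archive: bytes, manifest: dict[str, str]) -> list[str]:
    """Restore every member in memory; return names that are corrupt or missing."""
    failures, seen = [], set()
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar.getmembers():
            if member.isfile():
                seen.add(member.name)
                digest = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
                if digest != manifest.get(member.name):
                    failures.append(member.name)
    failures.extend(sorted(set(manifest) - seen))  # listed but never backed up
    return failures

def run_sample_check() -> dict:
    """Exercise both checks on constructed data: a stale job and a skipped file."""
    archive, manifest = build_sample_backup(
        {"ledger.csv": b"date,amount\n2014-01-02,400\n", "clients.db": b"\x00" * 64})
    now = datetime(2014, 1, 15)
    incomplete = dict(manifest, **{"payroll.xlsx": "0" * 64})  # file the job skipped
    return {
        "fresh_last_night": is_fresh(now - timedelta(hours=12), now),
        "fresh_two_months_ago": is_fresh(now - timedelta(days=60), now),
        "good_restore": restore_failures(archive, manifest),
        "incomplete_restore": restore_failures(archive, incomplete),
    }
```

In practice the manifest is written by the backup job and the archive is pulled from the off-site copy, so a clean result means the data you would actually restore from is intact.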

Many organizations also choose to create a separate breach plan to address hacking, data loss, and server extortion. If you’re interested in creating a separate breach plan, the process looks like this:

  • Step 1: Identify, locate, and map digital assets.
  • Step 2: Identify risks and potential types of breaches.
  • Step 3: Develop response plans for mitigation and correction.
  • Step 4: Develop a communication plan.
  • Step 5: Update regularly.

CYBER INSURANCE

While cyber insurance (sometimes referred to as cybersecurity insurance) will obviously not help with prevention of a cyberattack, it can at least help mitigate the losses related to data recovery. Your property insurance policy will cover your physical computer equipment, but how about the costs of downtime and data recovery?

Cyber insurance can include many types of coverage. For instance, data breach or privacy crisis management coverage steps in on issues related to managing an investigation, data recovery and remediation, third-party notification, call management, credit monitoring, legal defense costs, legal damage awards, and regulatory fines. Multimedia liability covers website defacement and intellectual property rights infringement, and extortion liability covers costs associated with negotiating with extortionists, ransom fees, and data recovery.

Before buying cyber insurance, assess your IT systems. Take an inventory of all of your computer equipment, map out your network (a sample network map is provided in Appendix J), identify all software programs, and document your current security procedures.

Next, consider your desired coverage. Start by identifying what costs you’d like to have covered and what incidents you want to be covered for, brainstorming with your IT department. Together, create a list of all the types of incidents that may occur, then create a list of all the potential costs and expenses related to those incidents.

The third step is to talk to your broker and discuss your cyber insurance options. Ideally, you want someone who has experience in IT coverage, which may mean finding a specialist broker.

No two businesses are the same and, in cybersecurity, risks are changing all the time. So, there are additional considerations when reviewing your potential policy, including:

  • Will you have to undertake a security risk review?
  • What steps, if taken, will reduce or limit the risks?
  • Do all portable media and computing devices need to be encrypted?
  • What assistance is provided to improve your IT security?
  • What is the impact on future premiums if you make a claim?
  • Are malicious acts by employees covered?
  • What is the maximum limit of coverage?
  • Are limits for expenses grouped together?
  • What legal defense costs are covered?
  • What is the time period for discovering, reporting, and covering a breach?

NOTES
