BY DAVID WEINSTEIN
Attendees at the Connecticut chapter of the Turnaround Management Association’s event earlier this month, titled “Dealing with Cybersecurity: What Turnaround Managers Should Know,” learned that for companies to renew themselves, especially middle-market companies, they will need to minimize cyber risk. Trouble, as reported by a panel of experts before an audience of 40 to 50 executives, could be as close as a current employee’s cubicle.
Speakers at the New Haven event included Michelle D. Syc, a senior analyst at Adnet Technologies LLC in Farmington; Richard D. Harris, partner in law firm Day Pitney’s New Haven office; and Michael Vitulli, senior vice president at Boston-based insurance broker Risk Strategies Co.
Among the speakers’ key points:
• Middle-market companies are vulnerable to hacking and the target of choice for hackers looking to steal data from giant companies. Hackers then use information from the middle-market companies to penetrate the much larger companies’ data systems.
• Failure to change default passwords on routers is perhaps the most common weakness enabling hackers to gain access to middle-market company systems.
• Business assets most at risk are intangibles, especially intellectual property such as patents, trademarks, copyrights and especially trade secrets. Trade secrets are the assets “most at risk,” whether financial information and business plans or customers’ personal data.
• Current and former employees are the group most often associated with misappropriation of trade secrets.
• Data theft pays well, incentivizing hackers to break into corporate systems. Brazil, Russia and China are countries with the most profitable underground economies for U.S. data. In Brazil, credit card credentials with a PIN number attached are worth $35 to $135 per instance per card. A list of mobile phone numbers there goes for $290 to $1,236 and a list of landline phone numbers brings $317 to $1,931.
• Operating executives when going into a company need to ask, “Are we taking sufficient steps to protect against theft?” They should designate a person to be responsible for cybersecurity oversight.
• If reporting to a board of directors, operating executives should ensure that cybersecurity is on the board’s agenda at least once annually.
• Plan for compliance with applicable state “breach notification” statutes.
• To assess and reduce risk, companies should pay “ethical” hackers to break into their data systems.
• Paying a professional hacker to assess a company’s ability to defend against a breach runs $20,000 to $35,000 for a $25 million to $100 million business with 30 to 100 employees.
• When preparing a business for sale, companies need to consider guidance from the Securities and Exchange Commission that issuers start disclosing whether they have had past data breaches and whether future breaches might have a material impact on the company.
• Companies also are spreading risk to third parties, such as vendors and, increasingly, insurance companies.
• Insurance coverage for breaches of data security has emerged over the last seven years. One out of five companies are buying this kind of insurance. Banks have begun requiring it. For companies with $10 million to $100 million in volume, about 10 percent are buying coverage, up from 0 percent seven years ago.
• Before applying for insurance, companies should pursue risk management to minimize risk and, in turn, insurance premiums. Hiring a professional hacker to test a company’s network is an example of risk management.
David Weinstein is president of the Connecticut chapter of the Turnaround Management Association, based in Weston. Established in 1988, the association has more than 9,300 members in 49 chapters, including 31 in North America. The chapter’s website is Connecticut.Turnaround.org.