OKLAHOMA CITY, OK — Your business – yes, even your business – needs a crisis management plan, said the panelists at The Journal Record’s Crisis Management Forum, held Aug. 19 at Oklahoma City Community College.
If your company is making any amount of money, it is a target for cybercriminals, said Tim Fawcett, director of cybersecurity consulting with Guernsey. Businesses that handle sensitive data – such as law firms or health care companies – or that contract with other companies that handle sensitive data are also targets for ransomware attacks, he said.
“From a cybersecurity standpoint, if you make money, you are a target,” Fawcett said. “Might your solution be a lot more simple than Devon’s? Probably.”
“We’re very, very busy right now,” said Vic Albert, shareholder with Ogletree Deakins. “We’re looking at things with vaccines and face masking and social justice and diversity, equity and inclusion. We’re looking at all kinds of very important things in the workplace. Cybersecurity cannot be put to the back burner.”
Cybercriminals are actively searching for companies with their guard down, Albert said. Sometimes it is terrorists at work, but often it’s just thieves looking for money.
Without a crisis management plan in place, a misstep in responding to a crisis situation also can result in a lawsuit, Albert said.
“If you are a business and you make money, you are a target for a lawsuit – it doesn’t matter if you have one employee or a million employees,” Albert said.
Every business is faced with its own set of risks – there is no one-size-fits-all solution, Albert said. Currently, some businesses are trying to compel workers to come back to the workplace in the interests of communication, collaboration and productivity. Other businesses want their employees to continue to work from home indefinitely. Both are encountering resistance from some employees.
“It comes down to planning and it comes down to being as fair as you can,” Albert said.
Whatever rules provide for the safest workplace must be clearly stated and uniformly enforced, he said.
“A private company is allowed to set the requirements for its workplace, it’s allowed to set the requirements for its customer base,” Albert said – even to require employees or customers on-site to be vaccinated.
“COVID has actually progressed our technology 10 years, maybe 15 years,” Fawcett said. The pandemic proved how much work can get done remotely, he said, though remote work does present some security challenges with more data in the cloud and with workers accessing applications through the internet.
IT specialists are not necessarily risk management specialists, Fawcett noted. Business leaders need to work with risk management specialists to implement cybersecurity protocols that are effective – which might even require that executives practice security measures they don’t particularly enjoy doing.
“If you leave it up to somebody that’s there to make you happy, they are going to make you happy,” Fawcett said.
An IT company might tell you what you want to hear, but a cybersecurity expert is going to tell you what you need to do, he said.
“We usually find that it’s something pretty simple: turn on this multifactor, change your password, train your people,” Fawcett said. “Those things are going to prevent some of the worst things to happen.”
Businesses that contract with certain government agencies in the next few years are going to be held to a high cybersecurity standard, Fawcett said. The Department of Defense and Homeland Security are rolling out a new requirement that contractors not only have a cybersecurity plan in place but also have their security systems assessed by a third party.
“Even the companies that do the assessments are lined up to have their own audit, we have to pass the audit ourselves,” Fawcett said. “They’ve only had three companies pass that so far, and these are the companies doing the audits.”
Ransomware exploits vulnerabilities in older systems; keeping technology up to date helps keep data secure, Fawcett said.
“Companies need to have a policy, they need to consult with a professional and put together the right policy in the right timing and then train employees on it and then enforce it,” Albert said. “Have a plan for cybersecurity. Have a plan for how you’re going to respond to the pandemic and what’s coming in the next three months. Have a plan and be ready to adjust and be flexible.”
The event was sponsored by Guernsey and Ogletree Deakins. It was moderated by Journal Record Assistant Editor Steven Metzer.