Information technology (IT) consultants bear the burden of teaching their clients how to protect data. Firewalls, antivirus protection, and vendor management are all second nature. However, IT consultants need to protect their cybersecurity more diligently than other businesses because they build their reputations on it.
The inevitability of a data breach looms over even the most highly regarded IT professionals. In 2015, the internationally recognized cybersecurity and anti-malware company Kaspersky Labs admitted to being breached by malware as part of an attempt by malicious actors to obtain technology research.
The sophisticated attack used up to three previously unknown (zero-day) vulnerabilities to gain entry to devices. Moreover, since it infected network gateways and firewalls, it evaded anti-malware solutions.
Most cyberattacks targeting IT consultants are less dramatic. In 2017, Deloitte experienced a cybersecurity failure because their administrator account lacked two-factor authentication. Earlier that year, cybersecurity consulting firm Mandiant, associated with FireEye, suffered a compromise from a misconfigured online account.
The moral of this cautionary tale: cybercriminals can hold hostage even the largest security companies.
As a third-party vendor for your clients, you need to align your data protection controls with their risk tolerance. However, the types of nonpublic information you collect, transmit, and store may not be immediately obvious.
As a vendor, your clients give you access to their software, systems, services, and devices. Therefore, you need to ensure that you protect any information associated with your access to their IT infrastructure. You know you need to employ cyber hygiene practices such as a strong passphrase, but you also need to store that access information in a way that cannot be linked to a client identity.
If you work with a technology company, then you may have signed a non-disclosure agreement. A data event that compromises any information associated with the technology could trigger a breach of contract lawsuit, similar to the ones lawyers face. If you accept payments through your website, you could be considered an e-commerce company. Therefore, you may need to consider network segregation for your cardholder data environment or engage in the appropriate vendor risk management.
You can quantify the obvious financial costs associated with a data breach. You know your company’s size and can extrapolate the average costs of a breach from it. You can probably also quantify the amount of expected downtime a cyber attack can cause and the business interruption costs.
However, reputation risk costs are harder to quantify. IT firms build their businesses by having technical knowledge that others need. When they fail to secure their environments appropriately, they lose more than information and money. They lose trust.
In a world of Google Reviews, a single bad customer experience can lead a customer to turn to your competition. In retail, 67% of customers are willing to switch brands after poor customer service. Since clients consider data protection part of the service you provide, a data event could be considered one of the worst customer service experiences possible.
Fortunately for most IT firms, client contracts often expire only on an annual or longer basis. Unfortunately for IT firms, a data breach might be considered a breach of contract, in which case the client might seek to terminate the agreement earlier.
Thus, while client turnover after a data breach may be lower for an IT firm than for a retailer after a poor customer service experience, you could still be looking at significant financial loss, especially if your firm incorporates cyber security review or IT infrastructure.
After a data breach, the most important response is the public one. A cyber risk insurance policy provides you the resources necessary to restore your reputation when a data breach occurs. The best way to repair the reputational damage caused by a data breach is to provide the necessary services to mitigate the damages it causes.
When looking for a cyber insurance policy, you want to ensure that it includes the following coverages:
As a Software-as-a-Service (SaaS) platform, we are in tune with the reputation risk connected to cybersecurity, which is why we created an end-to-end, security-first solution that enables small and mid-sized businesses to protect information. We help you identify risks, create policies that govern your security controls, monitor their effectiveness, and direct you toward an end-to-end cyber insurance policy that fits your needs.
Protect your reputation today by contacting us for a cyber policy quote.