
Cyber risks a critical threat for virtually all companies


Any commercial entity that has a computer network and maintains confidential information is exposed to cyber risk.

Fortunately, there are steps that risk managers can take to reduce their exposure to this risk, according to a panel of experts at a standing-room-only discussion of the issue at the Risk & Insurance Management Society Inc.’s annual conference in Vancouver Monday.

“Many security breaches are due to old-fashioned human error,” said Richard Billson, vp-proposition development for Zurich Insurance in New York. Regardless of the economic sector in which they’re employed, risk managers are on the front line of defense against this peril, he said.

Top perils include hacking, laptop loss with client data, backup tape loss, staff mistakes like data leaks, denial of service attacks and business partner mishaps and breaches, said Mark Greisiger, president of Gladwyne, Pa.-based NetDiligence, which provides cyber risk management and information security services.

Several factors contribute to the problem, he said. Companies collect more data than they need, often for marketing purposes, he said. Data is stored too long and most websites are very porous, Mr. Greisiger noted.

And “the bad guys rely on human error,” he said.

For example, “nasty software” can be loaded into a system when somebody plugs what appears to be a lost electronic notepad or even a fob on a keychain into a system, said Robert A. Parisi Jr., senior vp at Marsh USA Inc., in New York. Education is a big problem, he said.

Risk managers have to try to stay vigilant, said Mr. Greisiger.

In a display shown behind him as he spoke, Mr. Parisi outlined best practices for dealing with the exposure.

For example, placing coverage is the last step in the process, he said. “Insurance is never a valid alternative to good risk management,” said Mr. Parisi.

He also said that relying on technology itself as a kind of “silver bullet” that will defend against all risks “is to turn a blind eye to major risks facing every commercial entity.”

The best approach to cyber and privacy risk combines elements of assessment, remediation, prevention, education and risk transfer, said Mr. Parisi. He noted that there are about 25 to 30 markets for those risks right now.

“Our most critical asset is our reputation,” said Victoria Telford, director-global insurance and risk management for Hanesbrands Inc. in Winston-Salem, N.C. Insurance won’t restore reputation, she said.

Loss control is critical, she said. But finding a champion—either one’s boss or someone in the information technology department—is key as well in making the case for greater cyber security. She said that chief financial officers are “very data-driven” and providing detailed information about cyber attacks is essential.

Ms. Telford said a company should have an IT loss prevention and business continuity plan in place and test IT policies frequently. In addition, she said to review all contracts with anyone touching Internet sites, credit card processing and the like to check for cyber coverage or to require it.

Mr. Billson asked each panelist to offer one brief bit of advice for risk managers.

Mr. Greisiger said to talk to the IT staff and ask if the company’s current posture is reasonable.

Ms. Telford said to get to know the legal department “very, very well” and to build relationships with the IT people.

“You have to assume you’re going to have an event,” said Mr. Parisi.