
Building data breach response plans requires teamwork: Risk manager

Jenny Novoa

With the increase in cybercrime over the past two years, risk managers should work with leaders throughout their organizations to develop breach response plans and train all employees, a risk manager said.

“As a risk manager, you have to partner with the right people in your organization,” said Jenny Novoa, senior director of risk management and safety at Gap Inc. in San Francisco.

She was speaking Monday during a session of Riskworld, the Risk & Insurance Management Society Inc.’s annual conference in San Francisco.

Ms. Novoa said she works closely on cyber risk with Gap’s chief information security officer and chief privacy officer, who do regular audits of the company’s vendors, including cloud data storage vendors, from a cybersecurity perspective.

Internal access to data also needs to be carefully vetted, with restrictions imposed at an individual level. For example, Ms. Novoa's claims reporting staff need access to the company's HR systems, but she herself does not need that access, she said.

“My team has to have specialized training every year because they have access to the HR database. You have to have that process in place,” Ms. Novoa said.

Training of all staff on data security issues is also important because any employee can allow criminals access to a corporate system by clicking on a link in an email, she said.

In addition, organizations should hold regular events, such as a cyber security month, to maintain awareness of the issue, Ms. Novoa said.

“Your employees can hurt you, so you want to make sure that it’s front of mind for them,” she said.

C-suite executives and their assistants should have specialized training because they are often the targets of attacks, Ms. Novoa said.

In addition, organizations should have separate response plans for data breaches and ransomware attacks, to ensure the right response team is in place for each type of event. “You have to make sure you have the people in the room,” Ms. Novoa said.

Gap does an annual table-top ransomware exercise with its senior executives that is led by an outside consultant. It plays out scenarios in which executives have to make decisions on whether to pay a ransom demand. “It’s very important to have a specialized plan,” Ms. Novoa said.

To mitigate losses, organizations should also prioritize their IT systems and decide which ones have to be replaced immediately and which ones do not. “Services to recover backups are expensive, depending on the level of service you require,” Ms. Novoa said.

In addition, organizations should identify breach response vendors – including law firms, credit-monitoring services, call centers, public relations and crisis management service providers, and ransomware negotiation firms – and have them pre-approved by insurers, she said.

And organizations should build a relationship with their local FBI office. “They are there to assist you,” Ms. Novoa said.