I recently attended a one-day seminar on Managing Cybersecurity Incidents organized by the Practicing Law Institute. I walked away from the seminar more paranoid about cyber vulnerabilities in our utilities, financial institutions, healthcare system, retail industry, and government. It did not help that the seminar occurred just days after the Equifax breach.
As I wrote in a previous article, the chances of experiencing a cyber incident are so high that it is not a matter of if, but when.
One of the primary messages from the event was "BE PREPARED." Unfortunately, many companies are unprepared and do not have a plan. Being proactive and hiring a cybersecurity professional is extremely important to address the many issues with securing your company's and your clients' valuable and sensitive information. If you have not hired a professional yet, here are a few areas to consider in your company's preparation for the inevitable.
Internal Cybersecurity Policy
Companies need to have an internal cybersecurity policy. The policy should include a number of categories, such as security, human resources, and software. The security policy should have sub-elements such as physical security, personnel, and IT security. In turn, IT security will have a number of policy elements under its umbrella, such as passwords, anti-virus, remote connections, and e-mail usage. The complexity of the policy will depend on your particular company and the defined risks.
The Human Factor
The first line of defense, and sometimes the weakest link in the security chain, is humans. Non-technical vulnerabilities are weak points in a company’s security that occur when personnel fall prey to social engineering. Social engineering is an attack vector that relies heavily on human interaction and often involves tricking people into breaking normal security procedures. Companies should train employees on how to recognize spoofing, phishing, spear phishing, etc.
While biometrics might become the industry standard at some point, for now, most companies use passwords. Employees need to understand how to create strong passwords, and companies need to implement two-factor authentication.
Plan For the Inevitable Breach
Companies need to have a breach preparedness plan. Waiting until after a data breach is not the time to decide, for the first time, how to handle a cyber incident. Develop your response plan and build your response team before you need them.
A preparedness plan should identify your incident leader. The incident leader is someone from an internal or external legal department or a chief privacy officer. The incident leader is responsible for managing and coordinating your company’s overall response efforts and team, such as supervising key tasks, managing timelines and documenting all response efforts from beginning to end.
Your response team should also include your IT and security teams who will likely lead the way in identifying and stopping a data breach. Again, during the breach is not the ideal time to negotiate contract terms with your response team.
Similar to your IT and security team, you will need to have your legal team ready. Your internal and/or external legal experts will help to minimize the risk of litigation and fines. Your legal representatives will need to determine whether it is necessary to notify affected individuals, law enforcement, government agencies, and other third parties, such as card issuers. To ensure attorney-client privilege attaches to communications during the breach, it is wise to have outside counsel involved at the outset.
Part of the preparation plan is obtaining cyber insurance before the breach. As the saying goes, "nobody wants insurance until they need it." Many cyber insurance policies will cover the cost of attorneys, advisors, IT specialists, and security teams during a breach. The cyber policy may also cover notification costs. Many insurance carriers have a panel of preferred vendors who provide IT, forensic, public relations, and legal services.
Sometimes, before purchasing the policy, it is possible for you to negotiate with the carrier to identify your preferred vendors and legal counsel.
If the hackers demand a ransom, some cyber policies will cover those costs as well. When considering an insurance carrier, you should consider whether the carrier, or its vendors, have access to cryptocurrencies (such as bitcoin, which is the preferred currency of hackers).
Dependent on Cyber
Modern society relies heavily on computers, the internet, and social networks. To survive in today's business environment, companies have to successfully employ technology. Criminals are also exploiting technology with great success. It requires some effort, but dealing with today's cyber risks means you must be prepared and have a plan.