Practical cybersecurity guidance for businesses

Large or small, no business is immune

Tracy L. Lechner, August 4, 2017

When it comes to cybersecurity, an ounce of prevention is worth far more than a pound of cure. Widespread storage of data in digital form has become a significant risk for businesses. An entire organization’s records can be transferred, hijacked or otherwise compromised in the blink of an eye. The frequency and scale of security breaches are rapidly expanding and the associated damages continue to rise. Ransomware attacks, such as “WannaCry” and “Petya,” have disabled organizations internationally.

Large or small, no business is immune and the consequences can be dire: business interruption, economic losses, reputational damage, liability to customers and business partners for breach of contract, statutory liability for failure to comply with regulatory requirements and even professional sanctions can ensue. Lloyd’s of London has estimated that, given the widespread use of cloud-based services and a handful of common operating systems, a global cyberattack that takes a major cloud service provider offline could cause average economic losses of $53 billion, and as much as $121 billion in an extreme scenario. An attack exploiting a vulnerability in a widely used computer operating system could cause losses of $28.7 billion. Only a fraction of these losses would be covered by insurance.

Given the increasingly threatening environment and the limitations of cyber liability insurance coverage, businesses would be well-advised to take immediate steps to secure their confidential, proprietary information and consumer data.

Here are some basic tips for mitigating some of the more significant cybersecurity risks.

Conduct a Risk Assessment

Businesses should inventory their hardware, software and systems and understand what safeguards are built in or have been applied to each. Businesses should also audit and map their data, noting where it is stored, who can reach it, any elevated legal obligations (regulatory and contractual) that attach to it and whether it is critical to the operation of the business. Once the data has been compiled and classified, a level of risk can be assigned to each data set (e.g., on a scale of 1 to 10), taking into account (i) the likelihood and potential impact of a breach on customers, business operations, third-party relationships, goodwill, regulatory compliance and other applicable concerns, and (ii) mitigating factors such as existing system or operational controls and insurance coverage. The inventory is only useful if it is kept current; an unrecorded server or data store is one that nobody is patching or monitoring.

Implement Appropriate Safeguards and Controls

Businesses should apply appropriate safeguards and controls, focusing first on high-risk data sets. Safeguards and controls may include, but are not limited to:

1. Limiting access to IT systems, software, equipment and information to only those persons who need it, and reviewing that access when roles change.

2. Installing patches, software updates and anti-virus solutions promptly.

3. Blocking access to known-malicious websites and links and installing appropriate spam filters.

4. Implementing system and server failover, as well as backups that are kept offline or otherwise isolated from production systems and are tested regularly, to provide the necessary redundancy (ransomware that can reach the backups will encrypt those too).

5. Monitoring and mitigating external threats (e.g., with firewalls, proxies, and system logging and analysis).

6. Encrypting sensitive data at rest and in transit, and protecting the keys as carefully as the data.

7. Restricting the use of removable media (e.g., USB drives) to guard against accidental or intentional loss of data and installation of malware.

8. Implementing appropriate physical safeguards to detect and prevent intrusion.

9. Securely disposing of information that no longer serves a business purpose and may lawfully be disposed of.

10. Conducting appropriate due diligence with respect to third-party providers, obtaining appropriate contractual protections and auditing provider compliance.

11. Monitoring and testing security controls (e.g., vulnerability scanning and penetration testing) and remediating identified vulnerabilities promptly.
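The "systems logging and analysis" in item 5 is the control on this list that most often stays an aspiration, because logs are collected but nobody looks at them. As an added illustration (not code from the original article), the Python below applies a sliding-window rule to OpenSSH-style authentication log lines and flags any source address with five or more failed logins within five minutes, while ignoring the occasional mistyped password. The log lines, hostname, usernames and addresses are constructed for the example; the year is assumed to be 2017 because syslog timestamps omit it; and the threshold and window are assumptions to tune for your own environment.

```python
"""Flag password-guessing against SSH from authentication log lines.

Added example, not part of the original article. Field layout follows the
common OpenSSH syslog format; adjust LINE_RE if your logs differ.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real traffic). One source hammers the host
# with five failures in 13 seconds; a legitimate user mistypes twice, an
# hour apart, which should not raise an alert.
SAMPLE_LOG = """\
Aug  4 10:01:02 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Aug  4 10:01:05 web1 sshd[2203]: Failed password for root from 203.0.113.7 port 51130 ssh2
Aug  4 10:01:09 web1 sshd[2205]: Failed password for invalid user test from 203.0.113.7 port 51141 ssh2
Aug  4 10:01:12 web1 sshd[2207]: Failed password for root from 203.0.113.7 port 51150 ssh2
Aug  4 10:01:15 web1 sshd[2209]: Failed password for invalid user oracle from 203.0.113.7 port 51162 ssh2
Aug  4 10:02:40 web1 sshd[2211]: Accepted publickey for deploy from 198.51.100.20 port 40010 ssh2
Aug  4 10:15:00 web1 sshd[2215]: Failed password for alice from 198.51.100.20 port 40022 ssh2
Aug  4 11:15:00 web1 sshd[2240]: Failed password for alice from 198.51.100.20 port 40023 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2017):
    """Parse one sshd line into a dict, or return None for lines we ignore.

    Syslog timestamps carry no year, so the caller supplies one (assumed
    2017 here to match the sample data).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def find_bruteforce(lines, threshold=5, window_minutes=5):
    """Return {ip: time_of_first_alert} for every source address that
    produced at least `threshold` failed logins inside any `window_minutes`
    period. A per-IP deque holds only the failures still inside the window,
    so a few spread-out failures (one typo an hour) never trigger.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "Failed":
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in alerts:
            alerts[ev["ip"]] = ev["ts"]
    return alerts


if __name__ == "__main__":
    for ip, when in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {when.isoformat()}: {ip} exceeded failed-login threshold")
```

With the defaults, only 203.0.113.7 is reported (at the fifth failure, 10:01:15); alice's two failures an hour apart fall outside the window. Tuning matters in both directions: too low a threshold buries the analyst in noise, too high lets a slow "low and slow" guesser through, which is the edge case the sliding window is there to expose when you lengthen `window_minutes`. The same pattern (parse, bucket by actor, count within a window) carries over to web server, VPN and application logs, and its output is the kind of finding that item 11's testing cycle should act on.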

Provide Education, Awareness and Training

Businesses should implement appropriate policies (such as information security policies and acceptable use policies), procedures and training designed to ensure employee awareness and compliance.

Assess Insurance Coverage

Businesses should assess their insurance policies and understand the scope of their coverage. If a business does not have cyber liability coverage, it may want to assess the value in obtaining coverage, based upon the nature of its services, the data that it is collecting, the cost of coverage and the risk that such coverage may mitigate.

Develop an Incident Response Plan

Businesses should consider developing an incident response plan that addresses such basic elements as:

1. The internal chain of command and up-to-date contact information for team members;

2. The procedures for investigating and containing a breach;

3. The plan for internal and external communications;

4. Outside resources (e.g., legal counsel, forensic investigators and other service providers); and

5. Insurance coverage, reporting obligations and approved providers.

Consult with Outside Counsel

Experienced outside counsel can help strengthen an organization’s cybersecurity program. For example, counsel can assist in preparing policies and procedures that comply with regulatory requirements, drafting vendor agreements so that appropriate protective provisions are in place, and reviewing third-party agreements to evaluate risk. In the event of a breach, experienced counsel can assist in analyzing data security breach notification laws, whose deadlines and thresholds vary by jurisdiction. Moreover, having outside counsel engage and direct forensic investigators and other service providers in the investigation and remediation of a data breach can bolster the assertion of legal privilege over their work. Experienced outside counsel can also help a business prepare for and respond to regulatory investigations and civil or criminal litigation.

In today’s threatening environment, the question is not “if” a breach will occur, but “when.” Are you prepared?