July 8, 2016 Friday Focus

10 tips for surviving and thriving after the breach

Nancy A.D. Hancock is an attorney with Pullman & Comley and an expert on legal and technical issues.

If the conflagration of information about security breaches has not yet convinced you that you need to up your cybersecurity game to survive and thrive after a breach, let me add a little bit more fuel to the fire.

What are the Threats?

According to a Website Security Threat Report for 2016 published by Symantec Corporation, during 2015, Cryptowall Version 3 was used to extort at least $325 million from victims, and losses to cybercrime worldwide exceeded $400 billion.

Victims of cybercrimes have included: retailers, such as Target and Home Depot; finance and insurance companies, such as Anthem Blue Cross/Blue Shield, Bank of America, JPMorgan Chase, and Wells Fargo; governmental authorities, such as the IRS, the OPM and the FBI; hospitals (Hollywood Presbyterian); and the infrastructure that is controlled by our internet of things: communications, energy and transportation platforms. We are all vulnerable.

What do they Want?

Money, of course. They may get money directly, through ransomware, or indirectly, by stealing data that leads to money. Some have a political agenda and see themselves as reformers (hacktivists). They degrade and disrupt systems and steal data.

What is the Answer?

Everybody wants a one stop, get it and forget it, solution—isn’t there something I can buy (like insurance or software), so I can stop fretting and get back to meditating?

No—because you really can’t rely on insurance to remedy the reputation damage that a breach can bring or to protect your job.

Why is this so Difficult?

The hardest part of preparing for a breach, and of planning the response in advance, seems to be fighting the exploitation of human weakness. Employees scramble to respond to a high volume of e-mails every day. Should we pillory them for opening attachments that they shouldn’t? Before you say “yes,” remember that, while spear phishing may catch the uninformed through social media, whaling catches high-profile, high-level targets.

Even though the exploitation of human vulnerabilities is something we will always have with us, your business can take proactive steps to help prevent, or lessen the severity of, cybersecurity breaches.

Ten Survival Tips

Tip No. 1: Adopt a written information security program (WISP)

First of all, it’s the law in Massachusetts that you must have a comprehensive information security program, if you own or license personal information about a resident of the Commonwealth of Massachusetts. You need to adopt a program with administrative, technical and physical safeguards that are appropriate for the size and complexity of your business, the nature and scope of your activities, and the sensitivity of the personally identifiable information (PII) that you hold.

Don’t forget that 47 states and the District of Columbia have enacted notification legislation that applies when a security breach compromises PII. New York and California require “expedient notifications to affected state residents without unreasonable delay” regardless of harm, as well as notification to state authorities, if at least a threshold number of persons are affected.

Given this, you are not on the bleeding edge, but are just catching up, if you take the time to adopt a written comprehensive information security program.

Tip No. 2: Appoint a Cybersecurity Czar

Designate a Response Coordinator and identify her in your written comprehensive information security program (WISP). Give her authority to identify and assess internal and external risks to the security, confidentiality and integrity of your electronic, paper and other records containing personal information. Her authority should include the power to require employee training (and re-training), employee compliance with policies and procedures, and procuring means for detecting and preventing security system failures.

Her mandate should include:

  • developing security policies for storage, access, transportation of records containing PII
  • imposing discipline for violations
  • preventing access to terminated employees
  • overseeing service providers
  • imposing reasonable restrictions on physical access to records
  • regular monitoring and upgrading of safety measures
  • annual review of scope of security measures
  • documenting response actions taken in connection with incidents, with mandatory post-incident review of events and actions to consider lessons learned and potential changes.

She should also develop a post-breach protocol that addresses each of the following:

  • conducting a forensic investigation into what caused the breach (who was there and how did they get there)
  • identifying who will coach your company through the data breach
  • providing forms of notification letters
  • managing public relations
  • reviewing third party claims
  • identifying who handles the responses to regulatory inquiries.

Tip No. 3: Keep your software up to date.

Figure out what your company is always putting off. If you are the kind of business that can’t seem to prioritize things that aren’t on fire today, then outsource the responsibility for your patches and updates. Hire someone to be vigilant to make sure that your software is always updated.

Tip No. 4: Train your staff, and then train them again (and keep training them).

Spending on cybersecurity makes no sense if your greatest assets (and weakest link), your employees, are not switched on to what can go wrong and how they can help protect the data that their company is managing. Once you have adopted a written protocol, invite people in to keep everyone up to date on what the changes are. Cybersecurity is a field in which, every time someone finds an answer to the last breach, the bad guys have long since moved on to their next, better-automated attack. Feed your staff lunch while having a fresh face regale them with the latest gaffes from large companies. It’s better than reality TV!

Tip No. 5: Include your employee hygiene rules in your employee handbook and manuals.

Internal employee hygiene should include:

  • Make it impossible (or at least harder) for employees to open attachments from people they do not know or who “look” suspicious;
  • Educate employees on safe social media conduct and then continue reminders;
  • Use two-step or two-factor authentication on any access point, website or app;
  • Require different passwords for each use and force regular password changes;
  • Educate your staff on avoiding sites most likely to be malicious;
  • Apply the principle of least privilege, giving people access to the minimum they need to do their jobs superbly.

Require similar rules for mobile devices.

Tip No. 6: Yes--procure insurance, but--

Even if your Board of Directors and CEO say that they prefer to assume regulatory risk and litigation risk, encourage them to reconsider. They may not be there too long after the breach occurs! Heads roll after infiltration events, so you don’t want to be the person who said that the spend was too big. Or the person who did not try to convince her otherwise. Failure to adhere to at least the norms in your industry will expose you to reputational risk that cannot be compensated for by insurance.

Tip No. 7: With proper notice in your manuals, monitor your employee digital behavior to predict the likelihood of internal attacks.

Your employee handbook needs to be updated. You need to disclose to your employees that they are giving you their permission to read all their emails and monitor their activity. Make sure that your employees agree to your handbook terms when they agree to work for you.

Tip No. 8: Implement secure communications for email, internet, fax, data transfers.

Use an “asset manager,” the outsourced professionals who are responsible for making sure that all of the assets that your business uses are current with security fixes, patches, and updates. Use automated tools that scan your website, and deploy anti-virus software.

Tip No. 9: Use only reliable vendors. Hire those who are willing to explain to you how they stay educated and bring your level of preparedness up with them.

  • Have somebody’s job be keeping your security certificates current
  • Maintain a log of your security certificates
  • Limit access to keys and administrator rights
  • Separate administrators should manage server passwords
  • Reduce human involvement through automated systems wherever possible
  • No human should have direct access to passwords.
  • Partition off your data (e.g., set up a document management system that stores different pieces of billing addresses in different places).

Tip No. 10: Maintain a breach log, whether the breach turns out to be reportable or not.

Nancy A. D. Hancock is a member at Pullman & Comley. Her business law and corporate finance practice encompasses technology, tax, venture capital, securities and e-commerce.

Friday Focus is an online-only weekly series of columns focusing on human resource, business legal issues, technology, and marketing. Interested in participating? Send an email to Keith Griffin at kgriffin@hartfordbusiness.com.
