If the conflagration of information about security breaches has not yet convinced you that you need to up your cybersecurity game to survive and thrive after a breach, let me add a little bit more fuel to the fire.
What are the Threats?
According to a Website Security Threat Report for 2016 published by Symantec Corporation, during 2015, Cryptowall Version 3 was used to extort at least $325 million from victims, and losses to cybercrime worldwide exceeded $400 billion.
Victims of cybercrimes have included: retailers, such as Target and Home Depot; finance and insurance companies, such as Anthem Blue Cross/Blue Shield, Bank of America, JPMorgan Chase, and Wells Fargo; governmental authorities, such as the IRS, the OPM and the FBI; hospitals (Hollywood Presbyterian); and the infrastructure that is controlled by our internet of things: communications, energy and transportation platforms. We are all vulnerable.
What do they Want?
Money, of course. They may get money directly through ransomware, or indirectly, by stealing data—data that leads to money. Some may have a political agenda and see themselves as reformers (hacktivists). They degrade and disrupt systems and steal data.
What is the Answer?
Everybody wants a one stop, get it and forget it, solution—isn’t there something I can buy (like insurance or software), so I can stop fretting and get back to meditating?
No—because you really can’t rely on insurance to remedy the reputation damage that a breach can bring or to protect your job.
Why is this so Difficult?
The hardest part of preparing for a breach and responding in advance seems to be fighting the exploitation of human weakness. Employees scramble to respond to a high volume of e-mails every day. Should we pillory them for opening attachments that they shouldn’t? Before you say “yes,” remember that, while spear phishing may catch the uninformed in social media, whaling catches high profile, high level targets.
Even though the exploitation of human vulnerabilities is something we will always have with us, your business can take proactive steps to help prevent, or lessen the severity of, cybersecurity breaches.
Ten Survival Tips
Tip No. 1: Adopt a written information security program (WISP)
First of all, it’s the law in Massachusetts that you must have a comprehensive information security program, if you own or license personal information about a resident of the Commonwealth of Massachusetts. You need to adopt a program with administrative, technical and physical safeguards that are appropriate for the size and complexity of your business, the nature and scope of your activities, and the sensitivity of the personally identifiable information (PII) that you hold.
Don’t forget that 47 states and the District of Columbia have enacted notification legislation that applies when a security breach compromises PII. New York and California require “expedient notifications to affected state residents without unreasonable delay” regardless of harm, as well as notification to state authorities, if at least a threshold number of persons are affected.
Given this, you are not on the bleeding edge, but are just catching up, if you take the time to adopt a written comprehensive information security program.
Tip No. 2: Appoint a Cybersecurity Czar
Designate a Response Coordinator and identify her in your written comprehensive information security program (WISP). Give her authority to identify and assess internal and external risks to the security, confidentiality and integrity of your electronic, paper and other records containing personal information. Her authority should include the power to require employee training (and re-training), employee compliance with policies and procedures, and procuring means for detecting and preventing security system failures.
Her mandate should include:
She should also develop a post-breach protocol that addresses each of the following:
Tip No. 3: Keep your software up to date.
Figure out what your company is always putting off. If you are the kind of business that can’t seem to prioritize things that aren’t on fire today, then outsource the responsibility for your patches and updates. Hire someone to be vigilant to make sure that your software is always updated.
Tip No. 4: Train your staff, and then train them again (and keep training them).
Spending on cybersecurity makes no sense if your greatest assets (and weakest link)--your employees--are not switched on to what can go wrong and how they can help protect the data that their company is managing. Once you have adopted a written protocol, invite people in to keep everyone up to date as to what the changes are. Cybersecurity is a field in which, every time someone finds an answer to the last breach, the bad guys have long since moved on to their next, better-automated attack. Feed your staff lunch while having a fresh face regale them with the latest gaffes from large companies. It’s better than reality TV!
Tip No. 5: Include your employee hygiene rules in your employee handbook and manuals.
Internal employee hygiene should include:
Require similar rules for mobile devices.
Tip No. 6: Yes--procure insurance, but--
Even if your Board of Directors and CEO say that they prefer to assume regulatory risk and litigation risk, encourage them to reconsider. They may not be there too long after the breach occurs! Heads roll after infiltration events, so you don’t want to be the person who said that the spend was too big. Or the person who did not try to convince her otherwise. Failure to adhere to at least the norms in your industry will expose you to reputational risk that cannot be compensated for by insurance.
Tip No. 7: With proper notice in your manuals, monitor your employee digital behavior to predict the likelihood of internal attacks.
Your employee handbook needs to be updated. You need to disclose to your employees that they are giving you their permission to read all their emails and monitor their activity. Make sure that your employees agree to your handbook terms when they agree to work for you.
Tip No. 8: Implement secure communications for email, internet, fax, data transfers.
Use an “asset manager,” the outsourced professionals who are responsible for making sure that all of the assets that your business uses are current with security, patches, and updates. Use automation tools that scan your website; and deploy anti-virus software.
Tip No. 9: Use only reliable vendors. Hire those who are willing to explain to you how they stay educated and bring your level of preparedness up with them.
Tip No. 10: Maintain a breach log, whether the breach turns out to be reportable or not.
Nancy A. D. Hancock is a member at Pullman & Comley. Her business law and corporate finance practice encompasses technology, tax, venture capital, securities and e-commerce.
Friday Focus is an online-only weekly series of columns focusing on human resource, business legal issues, technology, and marketing.