
April 15, 2024 Opinion & Commentary

Here are preemptive measures to limit a cyberattack’s damage to your business

Photo (contributed): Connecticut Business & Industry Association President and CEO Chris DiPentima speaks at a CBIA event.

It’s been nine months since Connecticut’s sweeping new data privacy law to protect consumers took effect, after lawmakers made the decision that due to inaction in Congress, the state should pass its own law to protect consumer data.

William Roberts

By all indications, Connecticut businesses impacted by the new law seem to be taking it seriously in terms of compliance, with some even going above and beyond what is required.

This is good news.

Having this sweeping law on the books is progress indeed, but the unfortunate reality in 2024 is, no state law can ever fully protect a business or consumers from those looking to cause chaos and harm, as the risk of a cyberattack remains as heightened as ever.

So, it is still up to the individual business to remain breach-ready at all times, because no one is ever breach-proof. Businesses should not ask whether a cyberattack can happen, but plan for when one will.

Because when such an attack occurs, it is no laughing matter.

According to IBM, the average cost of a data breach is $4.45 million, and there is also a $1.3 million average cost of lost sales and revenue associated with an incident. Additionally, there is the impact to the company’s reputation — a recent survey of 1,000 U.S. consumers found 60% of respondents are less likely to work with a brand that has suffered a data breach, and 21% will immediately seek a new provider following an incident.

This is why establishing core procedures that will potentially mitigate the harm derived from a data breach is critical, both to protect sensitive data and to limit any resulting reputational damage to a business.

Reducing risks

For starters, companies should very much strive to be in a state of “breach-readiness.” This means three things: reducing the likelihood of a breach, reducing the scope of a breach and being prepared to respond when a breach eventually occurs.

Once this is made clear, there are a number of steps that must be taken. The first is the company should develop an understanding of what its cyber risk profile is. This means asking a series of questions.

What personal data does it collect and retain? With whom is that data shared? Where is the data located? This step is also referred to as data mapping or data inventory, and it is crucial — a business cannot protect data unless it knows what it is and where it is located.

Having this knowledge, a business can then evaluate its cybersecurity on a number of levels, including technical security (such as encryption, multifactor authentication, threat detection software and more), administrative controls (such as properly training staff) and the physical controls it has in place (such as security cameras, visitor policies and document storage).

Next, a business should be looking to limit the scope of an eventual attack, which is why a data-minimization project is often very helpful.

This involves reducing the volume of collected data, and reducing the data fields that are kept on file. After all, data cannot be breached if it cannot be found in your system.

Lastly, as with every strategic undertaking, there needs to be a plan in place to train employees on what to do in case of a breach, as well as to test existing plans to determine their overall efficacy.

Companies should encourage their employees to develop and constantly review a comprehensive cybersecurity plan, including tabletop breach simulations and written response plans that are shared throughout the business.

As each employer is different, it is equally important that these plans are tailored and optimized to fit the unique needs of each individual business.

Connecticut’s new law was a meaningful step to provide some protection to consumers, but as in many cases, a law alone will not stop those who are determined to hack into, steal from and disrupt a business.

This is why preemptive protections are so important, as is informing the employee base just how critical these protections are.

Perhaps a company can’t stop an attack from happening, but it can take steps to potentially limit the harm it causes.

Chris DiPentima is the president and CEO of the Connecticut Business & Industry Association. William Roberts is a partner with Day Pitney LLP and co-chair of the firm’s data privacy, protection and litigation practice.
