Phishing, ransomware, unauthorized access, social engineering, theft of digital assets, hacktivists, insider threats – all cybersecurity buzzwords that, if you are a business owner especially – or a regular reader of New Jersey Business – you are likely already aware of. The question is how well do you understand these threats, and how prepared are you – a business owner – to deal with a cyberattack?
Karen Randall, founder and chair of the Cybersecurity and Data Privacy practice at Connell Foley LLP points to two sayings that emphasize an unfortunate reality: “It’s not a matter of if, but a matter of when,” and, “There are two types of companies: those that have been hacked, and those that will be hacked.”
That may paint a rather bleak picture, but the fact of the matter is that in today’s digital age, as technology continues to develop, so too does the sophistication of digital threats to one’s company.
“Information is a company’s most valuable asset,” says Steven Teppler, partner, chair of Privacy and Cybersecurity practice, Mandelbaum Salsburg PC. “It is the most understated and undervalued asset that a company has, and cybersecurity is how one protects that information. For the longest time, there has been a huge disconnect between companies that don’t understand this because they think that cybersecurity is an afterthought – [they think] there’s no return-on-investment to it. A lot of companies have been ‘whistling past the cemetery’ when it comes to cybersecurity.”
“There is a mistaken belief that if an enterprise did not have ‘crown jewels’ (extremely valuable or desirable information) then it wouldn’t be vulnerable,” Randall adds. “Today, attacks like ransomware focus on stealing the availability of data so really no one is immune.”
Not only does a company not need a “crown jewel” to be a target, in fact, they don’t even have to be a target at all to get attacked.
“An attack, whether it’s malware of some sort or a ransomware attack, for example, once unleashed into the world spreads like wildfire. The e-mails and malware will go where they may, and will hit companies that the attacker didn’t even know existed,” explains Josh Mooney, partner and co-chair of the Cyber Law and Data Protection Group, White and Williams LLP.
According to the U.S. Justice Department, nearly 400,000 new strains of ransomware are detected daily with more than 4,000 occurring each day, across all industries. Additionally, 70 percent of businesses hit by ransomware paid on average $20,000 to $40,000 to get their data back.
Randall highlights another telling statistic from the justice department, which states that globally, damage costs associated with ransomware are predicted to exceed $5 billion in 2017, up from $325 million in 2015.
Teppler further cautions that anything that can gather or transmit information that is connected to a company’s network (think smart devices) can present security vulnerabilities. And this is not limited to merely cellphones or laptops – but as he points out, a connected coffee maker, refrigerator or dishwasher can all be potential entry points into a company’s network.
How to Protect Your Company (Mitigating Risk)
The first thing that a company should do, if it hasn’t already, is conduct a cybersecurity risk assessment.
“Prior to an incident occurring, organizations should work with a third-party security vendor, under the attorney client privilege, to perform a risk assessment of their current computer network to identify and address gaps,” says Randall, adding that creating a layered defense is the best approach.
“The risk of a cyber-attack is just a different form of risk, and you need to treat it as such,” adds Brian E. O’Donnell, co-chairman of Riker Danzig. “You need to quantify your vulnerabilities and put together an action plan in case any of those vulnerabilities are compromised.”
O’Donnell also says that purchasing cyber-insurance, effectively transferring some of the risk to a third party, can be an extremely effective way to limit the potential damages of a future attack.
For companies that may lack in-house resources to protect themselves, Michael P. O’Mullan, partner in Riker Danzig’s Commercial Litigation Group, adds that insurance can also be a solid starting point and can create a good framework for protection.
Creating a Program and Response Plan
After an initial risk assessment, a company should use the information gathered to then create a cybersecurity program. “Assuming you have a reasonable security infrastructure and protections in place, you should assemble an incident response team,” Randall says.
A cybersecurity program encompasses measures on the technological side – such as having a firewall, spam filters, updated network patches and anti-virus software – but also includes coming up with an incident response plan to fall back on in the event that the company is compromised, as well as the creation of a proper team to effectively carry it out.
The response team should touch all aspects of a business when looking through the lens of limiting its own liability and mitigating damage. Suggested members and areas include: a lead/counsel, executive leaders, IT, in-house counsel, digital forensics, public relations, human resources, law enforcement and an insurance broker/carrier.
“The incident response plan is supposed to be the playbook that you follow,” O’Mullan says. “It ought to entail a clear line of communication from the person that discovers the incident to quickly report up the chain to a person who has the authority to make quick decisions.”
“Conducting tabletop exercises will help an organization assess response time and whether or not they are capable of thwarting or mitigating a cyberattack,” explains Randall, adding that tabletop exercises to practice executing a response plan should be done regularly, as often as every six months.
“The quicker a breach can be dealt with, the lower the cost to repair the damage. Companies that contain a breach in less than 30 days could potentially save six to seven figures on average, compared to those that took more than 30 days,” she continues. “The key cost saver is having an incident response team ready to act.”
Employees Play an Important Role
A properly trained employee can be a company’s best asset in defending against cyberattacks. It is often the employee who is the first line of defense against a potentially malicious phishing e-mail or a social engineering attack, either of which can be avoided if an employee knows what red flags to watch out for. Something as simple as following up via telephone to an e-mail request for a payment could potentially save a company thousands of dollars.
“Not training employees is a common occurrence,” Mooney says. “You can have the best cybersecurity program in place with the best security technology, policy and procedures possible, but if it is not effectively implemented and your employees aren’t trained in the matter, it will be ineffective.”
In fact, Mooney adds that there are regulatory agencies including the U.S. Securities and Exchange Commission (SEC) that have said that if a company does not effectively implement a cybersecurity program, that company can be in violation of securities laws.
“Even if you have taken all the steps, if you do not train your employees, you run the risk of not only having a [cyber-breach], but also – later down the line – of being deemed to have acted unreasonably and forced to face additional liability,” he says.
There is no silver bullet for preventing a data breach. The best course of action is to take a layered defense approach which can mitigate the legal, ethical, reputational, operational and other damage caused by an incident.
Implementing multi-factor authentication, segmenting a company’s network, back-ups, managing password and user privileges, encryption, antivirus and spam filters, firewalls, security awareness training, incident response planning and procurement of a cyber liability policy from an experienced broker are all important aspects of a proper layered defense approach.
Of course, even with the best defense possible, a cyberbreach can still happen. Because of this, it is how a company responds that will resonate with its customers.
Randall says that most people will forgive a company once, but if a breach and loss of clients’ sensitive information happens again, they will likely take their business elsewhere.
“It is important that organizations understand that cyber risk is everyone’s responsibility,” she says. “While ‘it’s not a matter of if but when’ sounds cliché, it is suitable in the current threat environment. Being prepared to respond appropriately and timely will help limit the harm a breach can cause an organization. Once a data breach is contained, eradicated, and notification is completed, an organization must take remedial measures to assess what happened and prevent a similar incident from happening again in the future.”
“Everyone realizes that every company, no matter how big or small, is a potential target of a cyberattack,” O’Donnell says. “If you handle it right, the public [will] be forgiving.”
To access more business news, visit NJB News Now.Related Articles: