You’ve read the headlines, seen the statistics, and discussed the issue with the board of directors. You get it: cyber-attacks are increasingly frequent, sophisticated, and devastating to a business’s bottom line. There is no doubt that cybersecurity needs to be an important priority to the business and that real attention needs to be paid to the issue. But what does that mean? Where do you start after you’ve been inundated with terrifying statistics and the never-ending “parade of horribles” that can result from a data breach?
Unfortunately, a lot of the fear-mongering associated with cybersecurity can generate paralysis in organizations. The problem seems insurmountable and too costly to begin to address. But, in reality, there are easy, pragmatic steps an organization can take—and should be taking—to begin addressing its security vulnerabilities. The following are some basic steps to mitigate risk:
A good start is determining where your company stores sensitive, confidential, or regulated data (e.g., personal-identifying information or protected-health information). Conducting a formal audit to determine the location of this data can be helpful and revealing. Legal, IT, and corporate executives might all be surprised to learn that accounting, for example, is storing bank or credit card information on an unsecure, but “convenient” drive. When reviewing the results of the audit, ask whether there is a business need to collect the information. Don’t collect sensitive data you don’t need.
At the most basic level, a company needs to ensure that its servers and network devices are securely configured and regularly scanned for vulnerabilities. The company should also ensure that it is utilizing up-to-date antivirus software, and the company’s intranet is protected by a properly-configured firewall. Finally, the company should determine whether its sensitive information is adequately protected when it is stored and transmitted, using strong encryption tools where applicable.
There’s a lot that can happen when no one is watching. It is critical that a company monitor its network for suspicious activities, including by using an intrusion detection system and monitoring network logs. Knowing how network activity is logged, where those logs are stored, and how long they are available is essential to prevent and respond to a breach.
One of the most basic aspects of information security is implementing “security access controls”—i.e., methods designed to ensure that only authorized employees are able to access sensitive data. Employees should only have access to sensitive data if there is a business reason for that access, and only a select few should have unfettered access. Restricting access helps a company monitor the flow of data, limit opportunities for piracy, and demonstrate that efforts have been undertaken to maintain the security of the sensitive data.
Allowing an employee to use the company name as his or her password is not much different than permitting access without a password at all. Likewise, allowing an employee with administrative access to utilize the same password for all applications, regardless of the sensitivity of information contained in that application, poses significant security threats. Instead, require employees to use complex and unique passwords (at least eight characters, including upper and lower-case characters and numeric and special characters) and require a change in passwords at least every three months. For employees regularly accessing sensitive information, use two-factor authentication before granting access. To guard against brute force hacking attempts, disable or suspend user credentials after a certain number of unsuccessful login attempts.
Most companies utilize third party vendors to handle some portion of their sensitive data. If the Target data breach taught us anything, it’s that third party vendors can generate massive security vulnerabilities. When hiring a third party vendor, be clear about your security expectations and ensure that your contract reflects those expectations (and establishes clear liability for any data breach resulting from a security breach). Develop security standards for inclusion in vendor contracts and perform audits of those security standards. Do your due diligence before hiring a vendor, especially if that vendor will be entrusted with your sensitive data or access to your network.
Let’s face it, even the most dedicated and sophisticated organizations have security vulnerabilities. Every company should have an incident response plan that, in the event of a breach, clearly defines the relevant stakeholders (including the immediate involvement of the appropriate business executives, legal counsel, and relevant IT or forensics support), the roles of each representative, and who is the quarterback of the response team, as well as the appropriate course of action.
If you’re going to collect sensitive data, make sure you have a plan in place to destroy the data after you no longer need it. The easiest way to limit cybersecurity risks is to ensure that sensitive data is securely disposed of once the business no longer needs it. If the sensitive data is “out of sight, out of mind,” you probably don’t need it and you probably aren’t protecting it. Ensure that you have a procedure for identifying when sensitive information is no longer needed and a policy for securely disposing of it.
For the policies and procedures to work, the employees and executives have to know how to apply them and be invested in following them. Security policies and procedures are simply not effective if no one knows they exist or how to implement them. Effective employee training programs will utilize realistic examples and common situations to demonstrate best practices. Likewise, employees will not follow policies and procedures unless the company consistently enforces them. Conduct formal training and reinforce the policies and procedures at every turn.
"Cybersecurity was decades away from entering the lexicon when the firm opened in 1970. Yet the core notion of protecting clients’ business interests, in litigation and transactional matters, has always been the most important part of what we do. That’s why clients come to us and keep coming back to us. They know that we take a smart approach to the law and business."