
June 12, 2017 How To

Do a 7-step cyber health checkup

Daniel Mitchell
Michael Bosse

Cyber security is top of mind in businesses of all sizes. As lawyers practicing in the data privacy and cyber security areas throughout Maine and New England, we thought it would be helpful to provide the following list of seven steps to consider as you assess the cyber health of your organization:

1. Educate yourself: There is already so much we need to know, but cyber security is too important not to invest some time in learning basic concepts. Fortunately, there are many readily accessible sources of information, including blogs such as Krebs on Security (www.krebsonsecurity.com), written by former Washington Post staffer Brian Krebs. Another good place to start is the Cybersecurity Framework developed by the National Institute of Standards and Technology.

2. Have an incident response plan: The early hours after a breach is discovered are critical, and every organization should have an up-to-date incident response plan that will enable it to respond quickly and effectively in a crisis environment. There are several local security consultants who can help you develop a plan that is right for the needs of your business. Among other things, a good plan should detail the makeup of your internal response team, the procedures it will follow in the event of a breach and the external resources that will be available to assist, such as forensic consultants, attorneys and public relations professionals.

3. Consider hiring a chief privacy officer: Many companies are hiring a chief privacy officer or chief information officer. This individual, usually an executive of the company, should be charged with primary responsibility for developing and implementing policies designed to protect employee and customer data from unauthorized access, as well as spearheading efforts to address breaches. Consider also whether your organization has management personnel outside the IT department who are regularly involved in data protection — good security should involve non-IT personnel as essential players.

4. Test yourself: You should test your cyber security regularly in order to find its potential weaknesses. At a minimum, conduct at least an annual assessment of the key components of your system and the knowledge of your team regarding best practices. Internal audits are useful, but also consider using an outside security professional to perform penetration testing.

5. Train and retrain your team: You must develop and perform internal training at every level of your organization, with regular reinforcement. Even security-minded employees can fall prey to attacks in surprising ways. For instance, one prevalent form of attack is CEO fraud, in which the attacker impersonates the boss via email and tricks a staff member into wiring funds or sending sensitive financial information to an unusual destination. Good training on company protocol would prevent many such attacks. And while effective testing is crucial, its benefits will be wasted without follow-up training.
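The CEO fraud pattern described in step 5 (an outside sender borrowing an executive's name to request a payment) can be screened for mechanically as well as through training. The following is an added example, not part of the original column: a small Python heuristic that flags a message when its From display name matches an executive but the sending address or Reply-To lies outside the company's domain, and the body asks for a transfer or financial data. The executive directory, the company domain and the two sample messages are constructed placeholders.

```python
"""Heuristic screen for CEO-fraud style impersonation emails (added example).

Flags a message when an executive's display name appears on an external or
unexpected address (or replies are redirected off-domain) AND the body uses
payment/financial language. Directory, domain and samples are constructed.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Assumption: the organization's own mail domain and its executives' real addresses.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",      # constructed CEO entry
    "sam rivera": "sam.rivera@example.com",  # constructed CFO entry
}
# Words that commonly accompany a fraudulent payment request.
PAYMENT_TERMS = ("wire", "transfer", "urgent", "invoice", "gift card", "account details")


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if absent."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess_message(raw: bytes) -> dict:
    """Parse one RFC 5322 message and return {'suspicious': bool, 'reasons': [...]}.

    'suspicious' requires payment language plus at least one sender anomaly,
    so an ordinary internal note about an invoice is not flagged on its own.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    display = display.strip().lower()
    reasons = []

    # Sender anomalies: executive name on an address we do not expect.
    if display in EXECUTIVES:
        if _domain(addr) != COMPANY_DOMAIN:
            reasons.append("executive display name on external address: " + addr)
        elif addr.lower() != EXECUTIVES[display]:
            reasons.append("executive display name on unexpected internal address: " + addr)
    # Replies silently routed outside the company are a classic redirect trick.
    if reply_to and _domain(reply_to) != COMPANY_DOMAIN and _domain(addr) == COMPANY_DOMAIN:
        reasons.append("Reply-To points outside the company: " + reply_to)

    # Content signal: does the plain-text body ask for money or account data?
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    hits = [term for term in PAYMENT_TERMS if term in text]
    if hits:
        reasons.append("payment/financial language: " + ", ".join(hits))

    suspicious = bool(hits) and len(reasons) > 1
    return {"suspicious": suspicious, "reasons": reasons}


# Constructed sample messages (not real mail).
SAMPLE_FRAUD = b"""From: Jane Doe <jane.doe@examp1e-mail.com>
To: accounts@example.com
Subject: Quick favor
Content-Type: text/plain; charset="utf-8"

Please process a wire transfer today, I'm in meetings all day, just reply here.
"""

SAMPLE_LEGIT = b"""From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Friday lunch
Content-Type: text/plain; charset="utf-8"

Lunch is at noon on Friday, see you there.
"""

if __name__ == "__main__":
    for label, sample in (("fraud", SAMPLE_FRAUD), ("legit", SAMPLE_LEGIT)):
        print(label, assess_message(sample))
```

The heuristic deliberately needs two independent signals before it flags a message, which keeps the false-positive rate tolerable for a finance inbox; it will not catch a request sent from a genuinely compromised executive mailbox, which is exactly the gap that the out-of-band verification procedure taught in training is meant to close.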

6. Consider cyber insurance: Your company's current policies, including its general liability coverage, are unlikely to protect you in the event of a cyber incident. Fortunately, the cyber insurance market is expanding. Your agent can suggest policies that will cover first-party damages, such as business interruption and loss of income, the cost of forensic investigations, legal fees, regulatory penalties, breach notification and even public relations assistance to deal with potential reputational and branding fallout. Policies may also provide third-party coverage against damages your customers sustain as a result of a breach.

7. Always stay one step ahead: Cyber criminals are constantly trying to figure out new ways to enrich themselves at your expense. No system will ever be foolproof, but investing time and dollars now in proper planning, training and insurance protection for your organization will pay for itself if it protects you against even one serious cyber security event. Good cyber security has become part of your business, like it or not, so accept it and get out front.

Daniel Mitchell and Michael Bosse are shareholders at the law firm Bernstein Shur in Portland.
