There are only two types of companies in the world – those that have been hacked and those that will be. With sophisticated cyberattacks on the rise and, according to Symantec’s 2016 Internet Security Threat Report, over half a billion personal records stolen or lost in 2015 alone, the first category is growing quickly. Yet despite media coverage of Target, Sony and Home Depot data breaches, many companies ignore cybersecurity and simply hope for the best. Hope is not a strategy, however. Businesses avoiding cybersecurity risk massive legal liability, loss of intellectual property, and theft of critical financial resources.
If your company has a computer, website or online banking login, then you are vulnerable to a cyberattack. According to Identity Theft Resource Center & Cyberscout’s data breach reports, in 2016, the number of publicly disclosed data breaches jumped 40 percent to a record of 1,093. The business sector was the most targeted industry, accounting for more than 45 percent of all breaches, with health care a close second at 34.5 percent.
Hackers don’t only target big business; in 2015, Symantec’s 2016 Internet Security Threat Report documented that over 43 percent of phishing attacks targeted small businesses. Even law firms are finding themselves in the crosshairs. According to the ABA’s 2016 Legal Technology Survey report, roughly 15 percent of law firms reported security breaches in 2015, and 23 percent were unable to state whether they had been breached.
The risk of being hacked is high, but with the help of legal counsel and a cybersecurity plan, companies can reduce the likelihood and impact of a data breach. Here are five steps to get your company started.
1. Enact a plan now.
Write a company-wide cybersecurity policy. To be effective, this policy must be practical, comprehensive and consistently enforced across all levels of the business. Your policy should establish procedures for handling sensitive financial or personal information; require complex passwords, encryption and two-factor authentication; define network monitoring and access policies; and demand employee cybersecurity training. Your policy should also consider applicable legal requirements for using or storing sensitive information.
2. The best offense is a good defense.
Planning is nothing without action, so enforce your policy. Strong passwords, encrypted data and knowledgeable employees are a company’s most valuable cyber defense tools. Make sure to apply software updates on a regular basis, and monitor your network for unusual activity. Cybersecurity is not just digital security; keep your computer systems and physical documents in secure areas to prevent unauthorized access or theft. The more comprehensive your active defenses are, the more likely a hacker will move on to a different target.
3. Think Outside the Box.
A common mistake businesses make is to focus only on intranet network security and not consider external data. Companies increasingly rely on third-party cloud platforms and transmit sensitive data outside the company’s local network. Make sure your service providers are using industry-standard security procedures, and include cybersecurity requirements and physical security of mobile devices in your contracts with remote employees and vendors. Periodically verify that those parties are adhering to your security arrangements online and offline.
4. Iterate and Improve.
Technology changes, and so should your cybersecurity plan. Audit your company’s security needs, policies and practices at least annually to ensure ongoing compliance and effectiveness. As the digital and legal landscapes change, you may need to adjust your plan accordingly. If certain policies prove unworkable, your office’s IT environment changes, or a new law is enacted, revisit your policy and practices. While no security plan is perfect, the best plans constantly improve on discovered weaknesses and keep pace with the rapid changes in technology.
5. After the Hack, React.
No cybersecurity defense is perfect, so treat hacking as an inevitability. Your cybersecurity policy should include an effective procedure for breach response and notice. When your company suspects it has been hacked, fast action will limit the damage. Take steps to isolate and stop the attack, and then contact your attorney, as your company may have legal obligations such as notifying stakeholders. Companies doing business in Tennessee must alert customers of any data breach involving their personal information within 45 days of detecting the hack. See T. C. A. § 47-18-2107. Failure to act and report will increase your legal liability, could leave critical security holes unpatched, and will expose your customers to identity theft.
Nobody wants to believe that their company is going to be hacked, but companies that develop and enforce cybersecurity policies will mitigate the risk of getting hacked and reduce the financial impact when a hack occurs. Enforcing a cybersecurity policy will help protect your business and ensure your company’s compliance with cybersecurity laws – and avoid becoming next year’s statistic.
Scott Douglass