A data breach can be a catastrophic event for businesses of all sizes and types. Small businesses often think they are shielded from cyber exposure, but a recent report by Symantec revealed that in 2015, more than 30 percent of phishing attacks and 43 percent of all attacks were aimed at organizations with fewer than 250 employees. It is estimated that by 2021, the cost of cybercrimes will hit $6 trillion annually, double the 2015 number. IBM CEO Ginni Rometty has described cybercrime as the “greatest threat to any company in the world.”
No less than Warren Buffett has called cyberattacks the No. 1 threat facing mankind, even worse than nuclear weapons.
So, what is a business to do, especially a small- to medium-sized business that doesn’t have the resources of a Fortune 500 company? The following are some suggested strategies for businesses of all types and sizes to protect your data, your customers and your business.
1. MAKE CYBERSECURITY AN ORGANIZATIONAL PRIORITY
From the C-suite to the loading dock, all businesses must ensure that anyone and everyone with access to the organization’s data is aware of the threat. Company leadership must make cybersecurity a corporate priority and have a comprehensive prevention and response plan in place to address it. Employees must be trained to understand the threat, both in terms of how attacks are carried out — most cyberattacks use social engineering, not brute force, to breach a company’s IT systems — and what potential damage can be done. Hackers are increasingly creative and resourceful. Basic cyber-hygiene, including no less than regular cybersecurity awareness training for every employee with access to your systems, strong passwords, multifactor authentication and anti-virus protections, cannot be overemphasized or too strongly enforced. Cybersecurity is everyone’s responsibility.
2. BRING IN EXPERTS
While many businesses do not have the resources (or the need) for a full-time chief information security officer, it is well worth the cost to bring in a cybersecurity specialist to evaluate your data systems, recommend best practices that are right for your business, and provide training and periodic testing of your systems’ ability to withstand attacks.
When selecting IT security consultants, look for ones with relevant certifications, the most common being Certified Information Security Manager (CISM). And don’t think a one-and-done approach is adequate. Expert advice, assistance and auditing should be a regular, ongoing part (and cost) of doing business.
3. LOOK INTO INSURANCE COVERAGE
A data breach can damage more than a business’s IT system; it can put employees and customers at risk. Increasingly, cyber insurance is available to minimize such risks. A cyber insurance policy, also known as cyber liability insurance coverage, is designed to mitigate risk exposure by offsetting costs related to a cyber breach or related events. Consulting firm PwC estimates that about one-third of U.S. companies carry some type of cyber insurance.
These policies can make sense as a risk management tool, but as with all insurance, the devil is in the details. Key questions when considering such coverage include:
• What are the limits of coverage?
• What deductibles apply?
• What exclusions apply?
In addition to obtaining your own policy, it is also important to determine whether your vendors with access to your system(s) also have adequate coverage. Consult with your business insurance broker on what options are right for your business.
4. HAVE A MULTIDISCIPLINARY RESPONSE PLAN IN PLACE AND PRACTICE IT
Coach Vince Lombardi once said, “Hope is not a strategy.”
When considering your response to a cybersecurity event, nothing could be truer. It’s incumbent upon a company’s leadership team to have a breach response plan in place, and to practice implementing it. Adequate cybersecurity for any business demands a multifaceted, multidisciplinary approach to the threat. This includes having not only expert technological support in the form of a cybersecurity consultant, but expert legal, government relations and public affairs support as well. You need professionals who know the law, have the necessary industry and government relationships, and have experience managing these circumstances. The FBI has observed that there are two types of businesses — those that have been hacked and those that will be hacked. Given this reality, all businesses, no matter what size or type, must be ready to respond to their own cyber situation with a comprehensive response that addresses all potential technical, regulatory, law enforcement, public relations and political considerations. This requires having a team in place, a plan ready to execute, and practice of that plan before the inevitable happens.
Greg Brower and David Cohen are members of the cybersecurity practice group at the Brownstein Hyatt Farber Schreck law firm.