FALL 2016
and patience to exploit any vulnerability that may lead to financial gain. Moreover, the targets of these perpetrators are the highly fallible humans who are prompted to open e-mails or respond to the supposed instruction of an executive to wire money to an overseas bank account. A recent Experian/Ponemon Institute survey found that 66 percent of respondents believed that employees are the weakest link in creating strong security and that 55 percent suffered a security incident due to a malicious or negligent employee.
Perfect cybersecurity should not be the enemy of good security based on incremental (and frequently relatively inexpensive) steps. Rather than being seen as exotic (or as the purview solely of the largest enterprises), cybersecurity protection for businesses should be as fundamental as protecting against fire, water or wind, for the simple reason that data in the wrong hands can be as destructive as any of these elements. Understanding that perfect security is unachievable, even for the largest enterprises, what basic steps should a business take?
· As a good first step, a business should analyze the nature of the specific risks it confronts. If it has not already done so, it should conduct an inventory of key data assets and analyze existing restrictions placed on access to such data by its personnel.
· A business should put in place basic written procedures and policies regarding use of computer systems and data. Although these policies need not be elaborate, they must realistically reflect the risk environment in which the business operates. Key policies and procedures may include: controlling access to computer systems, password controls, procedures for updating software, implementing protections against internal threats, and monitoring access to sensitive or valuable information.
· A business should conduct cybersecurity and privacy awareness training for all personnel, including executives. All employees should be made aware of the potential attacks, including ransomware, phishing attacks, and attempts to steal key data or extort or wrongfully transfer money, and also of the ways that such attacks may be prevented.
· An enterprise should purchase cyber insurance coverage appropriate for the risks it faces. Because cybersecurity insurance is a relatively new product and policy terms vary, a business should consult with a trusted advisor, such as an attorney or insurance broker, as to what coverage is best for it.
· Finally, all businesses should put in place technical protective measures to help guard against their own specific risks, such as those that arise from storing credit card, health or personal data. In addition to traditional tools, such as firewalls and anti-virus software, businesses should consider implementing encryption, filtering e-mails for phishing and extortion threats, and implementing measures to guard against ransomware.
Involving counsel in many of these activities is advisable. Lawyers are well equipped to help analyze cybersecurity problems in the context of the myriad applicable laws, regulations and best practices. Although many businesses will likely find it necessary to consult technical personnel, including a company's own IT department or outside consultants, trusted legal counsel can help ensure that the technical advice provided by such personnel is presented to executives in a manner that will maximize its impact. Involving lawyers also helps ensure that executives will see cybersecurity not as a technical issue best left to IT, but as a part of an overall risk management strategy.
Involving lawyers in cybersecurity matters also provides attorney-client privilege protection for sensitive issues, such as the location and protection of personal and proprietary data, gaps in security and privacy protection, and the vulnerability to outside attacks, as well as communications with outside consultants. Because of the complex array of global regulatory and legal requirements, counsel should be engaged if a business must remediate a data breach, respond to a regulatory inquiry, or transfer data internationally.
Although, as Mark Twain stated, "There are three kinds of lies: lies, damned lies, and statistics," enterprises of all sizes should not let the wide array of cybersecurity statistics prevent them from taking the necessary and often relatively inexpensive first steps needed to protect against data incidents and breaches.