that may lead to financial gain. Moreover, the targets of these perpetrators are the highly fallible humans who are prompted to open e-mails or respond to the supposed instruction of an executive to wire money to an overseas bank account. A recent Experian/Ponemon Institute survey found that 66 percent of respondents believed that employees are the weakest link in creating strong security and that 55 percent suffered a security incident due to a malicious or negligent employee.

Perfect cybersecurity should not be the enemy of good security based on incremental (and frequently relatively inexpensive) steps. Rather than being seen as exotic (or as the purview solely of the largest enterprises), cybersecurity protection for businesses should be as fundamental as protecting against fire, water or wind for the simple reason that data in the wrong hands can be as destructive as any of these elements.

Understanding that perfect security is unachievable, even for the largest enterprises, what basic steps should a business take?

analyze the nature of the specific risks it confronts. If it has not already done so, it should conduct an inventory of key data assets and analyze existing restrictions placed on access to such data by its personnel.

written procedures and policies regarding use of computer systems and be elaborate, they must realistically reflect the risk environment in which the business operates. Key policies and procedures may include: controlling access to computer systems, password controls, procedures for updating software, implementing protections against internal threats and monitoring access to sensitive or valuable information.

cybersecurity and privacy awareness for all personnel, including executives. All employees should be made aware of the potential attacks, including ransomware, phishing attacks, and attempts to steal key data or extort or wrongfully transfer money, and also of the ways that such attacks may be prevented.
insurance coverage appropriate for the risks it faces. Because cybersecurity insurance is a relatively new product and policy terms vary, a business should consult with a trusted advisor, such as an attorney or insurance broker, as to what coverage is best for it.

place technical protective measures to help guard against its own specific risks, such as storing credit card, health or personal data. In addition to traditional tools, such as firewalls and anti-virus software, businesses should consider implementing encryption, filtering e-mails for phishing and extortion threats, and implementing measures to guard against ransomware.

activities is advisable. Lawyers are well equipped to help analyze cybersecurity problems in the context of the myriad of applicable laws, regulations and best practices. Although many businesses will likely find it necessary to consult technical personnel, including a company's own IT department or outside consultants, trusted legal counsel can help ensure that the technical advice provided by such personnel is presented to executives in a manner that will maximize its impact. Involving lawyers also helps ensure that executives will see cybersecurity not as a technical issue best left to IT, but as a part of an overall risk management strategy.

Involving lawyers in cybersecurity matters also provides attorney-client privilege protection for sensitive issues, such as the location and protection of personal and proprietary data, gaps in security and privacy protection, and the vulnerability to outside attacks, as well as communications with outside consultants. Because of the complex array of global regulatory and legal requirements, counsel should be engaged if a business must remediate a data breach, respond to a regulatory inquiry, or transfer data internationally.
Although, as Mark Twain stated, "There are three kinds of lies: lies, damned lies, and statistics," enterprises of all sizes should not let the wide array of cybersecurity statistics prevent them from taking the necessary and often relatively inexpensive first steps needed to protect against data incidents and breaches.