This article was originally published in Business NH and can be found here.
Mark Dobson and James P. Harris | September 15, 2020
Cyberattacks, from data breaches to ransomware, are common, and while organizations rely on their information security departments or outside consultancies to protect them, those preventative efforts frequently fail, even for the largest companies with the most well-funded cybersecurity efforts.
Data breaches can lead to fines, lawsuit settlements, brand damage, and loss of market share and revenue. Successful ransomware attacks result in substantial ransom payouts, or in 10 to 100 times greater expense when the victim tries to recover without paying the ransom, a true lose-lose scenario. An estimated 50% of small and mid-size businesses go out of business after a ransomware attack or major data breach becomes public.
Companies must be prepared with a combination of preventative measures and business continuity plans. Here are key areas in which companies should invest resources.
1. Fortify Cybersecurity Resources
Companies need to use a combination of hardware, software, and professionals on staff to design and execute policies and procedures that prevent successful cyberattacks. Especially when many employees are working remotely, companies need to educate workers about how to recognize and prevent cyberthreats and about the policies they must follow. Failing to provide consistent, meaningful training to employees severely weakens the efficacy of any technological defenses.
2. Legal Counsel
Plan for the eventuality of a successful cyberattack. Estimates show that as many as 46% of organizations get attacked every year, 1% successfully, and those percentages tend to go up year-over-year. The chance of being the victim of a successful, potentially business-ending cyberattack is one in 100.
Beyond having data backups, companies should have an established relationship with a law firm that has counseled other companies through a breach to help them prepare a plan to follow in the event of a cyberattack.
A law firm can also assist businesses with complying with the myriad of privacy laws and regulations, which are persistently growing in number and complexity.
3. Cyber Insurance
Successful cyberattacks have become so commonplace that insurance companies offer organizations policies to help protect against the associated costs and to help resume normal business operations more quickly.
However, many of these policies have clauses that invalidate the coverage, such as when the attack was due to “an act of war,” even though a growing percentage of cyberattacks are state sponsored, carried out by countries engaged in cyber espionage, intellectual property theft, or attempts to gain a competitive advantage in a global marketplace.
Although cyber coverage has been around for some time, the policies are not uniform, and the terms and exclusions can vary significantly. Organizations should seek out insurance professionals with substantial experience in cyber coverage and have their legal team carefully review the coverage terms before purchasing a policy, as the disparity in coverages and exclusions has sparked litigation.
4. IT Asset Disposition
Lastly, it does an organization no good to craft an elaborate cybersecurity plan for data on its network and in its data centers if the business loses control of that data by unintentionally throwing it out with the trash. Eventually all data-bearing devices reach their end of life, and companies retire those assets as they refresh IT infrastructure and replace devices with new ones, or when they go through a merger or acquisition or otherwise consolidate infrastructure and retire the excess equipment.
Multiple studies have shown that IT asset disposition (ITAD) is often handled poorly, even by large, multinational organizations, and that around 40% of retired IT devices, from hard drives to cell phones, sold on the secondary market still contain personally identifiable information or corporate data.
Additional risk comes from the fact that ITAD is a loosely regulated industry. Vendors such as remarketers and recyclers may not be certified for data security and destruction, or even for responsible recycling, so they cannot ensure either data security or environmental compliance.