In this age of data breaches, malware, ransomware, and phishing attempts, small and mid-sized businesses can no longer operate under the premise that they are safe. Eventually, every business will experience some form of cyberattack.
How should you handle this risk? Do you wait until the crippling attack occurs, or do you take proactive measures to mitigate the risk and damage? And, more importantly, where do you begin? Start with the following mantras: Know Thyself; Heal Thyself and Love Thyself.
Nosce Te Ipsum (Know thyself)
Every business is different, and there is no “one-size-fits-all” solution. The most important thing a business can do is take a hard look at the following: the kind of data you maintain (credit card information, intellectual property, etc.); what data is valuable (customer lists, intellectual property); where the data is stored (cloud, servers, computers, etc.); who has access to the data; and the systems and software on which your business depends.
Understanding the data and systems (“knowing thyself”) is the crucial first step. Once you have a handle on the data, you will want a professional to scan your system to determine if the data is secure. You will want a legal professional to evaluate your business website disclaimers, and your internal company policies. You must understand what you have, what is valuable, your equipment and software, your current level of security, and your current level of legal compliance.
This is not something a mid-sized or small business has to tackle alone. Many businesses hire law firms and information technology vendors to help them develop an approach that will suit their particular needs. The worst thing a mid-sized or small business can do is treat this as a one-size-fits-all problem and adopt big business policies or procedures that it will not be able to honor.
Cura Te Ipsum (Heal thyself)
Now that you know where the problems exist – and every business will have its own unique problems – you need to heal thyself. Here are several common practices businesses should implement to be more secure:
• Use strong passwords and change them quarterly;
• Encrypt your valuable or sensitive data;
• Back up your data;
• Update operating systems and software and remove software or programs that are inactive or obsolete;
• Develop human resource policies and computer usage policies, and train your employees; and
• Explore obtaining cyber insurance.
Developing an incident response plan – an internal document outlining the relevant contacts and tasks that need to be completed when a cyber incident takes place – is something that many companies do to prepare for the inevitable cyber event. The plan should include: contact information for legal experts, information technology experts and other relevant participants; a clear outline of the procedures for assessing the severity of the incident; drafts of notifications to relevant audiences, including public relations and law enforcement if applicable; and steps to resolve the incident.
There are several reasons why attorneys should be involved, but the biggest reason is the shielding protection clients are afforded under the attorney-client privilege and attorney-work product doctrine. Other important reasons to include legal counsel in the planning and execution of the incident response plan are: to obtain clear legal guidance regarding the federal and state laws that are implicated in any particular situation; to interface and communicate on behalf of the business with third-party vendors, insurance companies, customers, law enforcement, and media; and to defend against or prosecute potential lawsuits. Planning for the inevitable event also will force your business to fix any existing problems before the crisis takes place.
Diliget Te (Love thyself)
Now that your business is in decent shape, you must love thyself. Commit to good cyber-hygiene practices going forward. Those new policies you implemented – follow them! Encrypt valuable and sensitive data. Back up your data, ideally through the cloud. Use strong passwords and change them quarterly. Apply operating system and software patches when they become available. Make sure your network firewall is working. Make sure your antivirus software is current and active. Perform daily full system scans to check for malware and viruses. Employ common-sense and secure approaches to the use of the internet, email and personal devices. Frequently test and review policies with employees and third-party vendors to reinforce their understanding of their roles and responsibilities. Check in with your incident response team quarterly to make sure the team is in place and up to speed.
If the business is having trouble honoring the policies and procedures, explore the reasons why. Are the policies too onerous? Have they become outdated? Or is the problem a lack of training and commitment? And when a cyber incident or data breach occurs, you will have your team in place to help you quickly navigate the problem.
Seconds count and decisions matter when a cyber incident takes place. You don’t want to be searching for help when you need to be dealing with the critical problems.
Matthew A.S. Esworthy is a partner at Bowie & Jensen LLC. He can be reached at firstname.lastname@example.org.