Steps to Prevent a Cyberattack – No Matter Your Company Size
In September of last year the credit reporting company Equifax revealed it had been hacked earlier in the year, compromising the personal data of some 145 million Americans. According to reports, hackers were able to penetrate Equifax’s systems because the company failed to apply a software patch for a flaw it had known about for weeks before the hack took place. In other words, the data breach did not result from some super-sophisticated hack, but from a simple and preventable lapse in security. More recently, Uber revealed it had been hacked in 2016, affecting the data of 57 million customers and drivers.
As a result, these companies are facing lawsuits, government agency investigations, Congressional investigations, and other consequences that will likely cost them tens, if not hundreds, of millions of dollars. In addition, each company’s clumsy response to the breach has damaged their reputation and cost several executives their jobs.
Large companies such as Equifax, Target, and Home Depot have been hacked in recent years despite dedicating enormous resources to cybersecurity. However, any company, no matter its size, is vulnerable to a breach. There is no way to be 100% secure against a cyberattack, but even small and mid-sized companies can take reasonable measures to lower the risk of an attack and lower their legal exposure if they are hacked.
Many small companies fail to address cybersecurity because they don’t know where to start. Good cybersecurity requires a multi-pronged strategy, not just an IT “fix.” A comprehensive approach includes the following:
- Assessment of the types of data the company holds, their sensitivity and importance, and how and where they are kept
- Identification of the laws and regulations that apply to the business; these vary by industry and will shape the approach to cybersecurity
- Identification of risks and vulnerabilities that exist as a result of IT system issues or inadequate procedures, processes or training
- Development of a comprehensive information security plan, along with strong policies and procedures, followed by training
- Implementation of recommended IT fixes, such as anti-virus and anti-malware software, monitoring of programs, limitation of access, and firewalls
- Development and testing of a written breach response plan, to be implemented in the event of a cyberattack, so that the company can respond in an organized and effective manner (unlike Equifax)
- Review of contracts with vendors who may hold or process company data, or have access to the company’s network, to ensure that those vendors have adequate cybersecurity measures in place
- Consideration of a cybersecurity liability insurance policy, to offset some of the costs that could result from a breach
Taking reasonable steps to make it more difficult for hackers to penetrate your systems will improve your security and lower your costs in the long run. An investment to prevent a breach is much less expensive than the cost of responding to one.
Mark Spitz is the founder of Spitz Legal Counsel LLC in Denver, Colorado. He brings years of experience as a former general counsel to his small and medium-sized business clients and serves as their trusted advisor. Mark’s outside general counsel services cover issues related to transactions, contracts, acquisitions, and entity formation. He also advises clients on cybersecurity and data privacy planning. Mark is also a lecturer and blogger on issues related to business law, employment law, and data security.