Paralysis is one of the biggest obstacles to achieving a cybersecure environment. Companies are often unable to take the steps necessary to bring security to an enterprise. It’s not only common; it’s entirely understandable.
Achieving cybersecurity appears to be an overwhelming task. Every day brings another headline announcing a data breach, or reports on the enormous cost of data breaches – one has to wonder if implementing a cybersecurity regime would even achieve its goal. Companies are challenged by the complexity of their systems and the seemingly impenetrable jargon used to describe them. Funding a cybersecurity program is a challenge – as one CEO put it, “I gave my team an unlimited budget, and they exceeded it.” Spending valuable time and scarce resources on security takes away from operations that ground an enterprise. Companies fear that focusing on cybersecurity can only come at the expense of their core operations.
Ignoring Cybersecurity is not an Option
It is tempting to avoid the issue altogether and focus on existing areas of competency and comfort. That is not a realistic option.
Companies that fail to protect sensitive information will face legal liability. Courts are more willing to consider the possibility of damages in data breach cases, and regulators are moving toward requiring companies to adopt and implement security standards. As that trend gains momentum, the failure to address cybersecurity will expose more and more companies to liability.
Ignoring cybersecurity imposes costs – the average cost of a data breach rose from $138 to $221 for each affected person during the past decade, and cyber insurance is often conditioned on having taken steps to avoid a breach. Companies that do not address cybersecurity will also see an impact on customer loyalty: a new study from retail services provider Interactions, “Security Hacks and the Lasting Impact on Retailers,” reported that 75% of consumers believe that keeping shopper information safe is the retailer’s responsibility. A company that fails to maintain the security of its customers’ data will lose those customers’ patronage.
Moreover, new trends have created new vulnerabilities. Ransomware is an increasingly popular form of hacking that not only steals a company’s data but forces the company to pay a ransom to get it back. The more recent “lockerware” attacks not only block a company from using its data; they can shut down entire networks. Companies risk not only damage claims from impacted customers and individuals; they must pay extortion money or risk destruction of their entire business. A breach can also allow a bad actor to impersonate company officials and authorize the transfer of thousands or even millions of dollars to thieves, something not always covered by insurance. Companies that have not taken effective steps to prepare face immediate out-of-pocket costs just to keep their businesses open.
Approaching the Challenge
Implementing cybersecurity is not beyond a company’s reach – it takes a step-by-step approach, beginning with the understanding that cybersecurity is not a one-size-fits-all exercise; a solution for one company is not a solution for its competitor. Rather, addressing cybersecurity requires a disciplined line of attack:
- Adopt a culture of security at all levels of the enterprise.
- Identify the particular risks facing the company.
- Identify and adopt the key policies and procedures that will address unacceptable risk.
- Understand that while technical steps – implementing the hardware of cybersecurity – are essential, training all personnel and adopting a culture of security will have a great and long-lasting impact on the security of the enterprise.
- Engage the outside expertise that is necessary to supplement the company’s resources.
Achieving complete cybersecurity may not be realistic, but this approach is designed to reduce legal and business exposure and set the stage for achieving real security.
JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.
Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.