Cybersecurity Lawyer ForumWhy Data Security Is So Hard (and what to do about it)
It’s ironic: when global threats are in the news every day, their ubiquity makes them easy to ignore. Whether they be political threats, climate threats, or data security threats, we can become numb to ever-present risk. Add in the chorus of advice from the growing number of providers, and even those who want to act become paralyzed by choice and complexity. Cybersecurity is no exception – the daily deluge of breach notices and press reports of massive attacks has made us less, not more, sensitive to the threat.
Crisis fatigue can be compounded with defeatist thinking, believing that no matter what you do, you will still be hacked and have your data compromised. So it is no surprise that while companies know data security should be a top priority, in reality, it’s easy to focus on more urgent – but less essential – items.
Cybersecurity faces additional hurdles that make it even challenging to address. By identifying those hurdles, however, firms may be able to overcome these barriers and move forward on the path to minimizing one of the greatest risks your company faces.
Data Security Is Expensive – But Not as Expensive as the Alternative
Implementing a cybersecure environment requires a commitment in technology, training, and adapting to the constant rate of change and upgrading processes. The extra steps needed for the simplest of tasks, such as logging in, add to the daily cost of doing business.
Gartner estimates that worldwide spending on data security this year will hit $90 billion. It’s understandable that a CEO would see that as money lost from corporate value. But these expenditures should be seen as an investment to preserve corporate value. Breaches are much more expensive and disruptive than the budgeted, planned improvements to systems, which can be controlled and implemented over time.
Intelligent and consistent technology upgrades, combined with regular training for all employees, are, in the end, better for a company’s bottom line than crisis management and costly technology remediation after the fact. Creative corporate leaders reframe the expense question and find budget for what’s vital.
Data Security Seems Really Complicated
For most of us, data security is complicated. We aren’t IT professionals, and venturing into the cybersecurity world is a challenge. Those who suffer any amount of technophobia may assume that they don’t know it and, more dangerously, that they can’t learn it. The technology community can reinforce this fear by speaking a foreign language and using unfamiliar terminology, all of which creates another barrier for non-technical executives and managers who need to understand the issues sufficiently enough to make intelligent decisions. Non-technical company management often feel that they are at the mercy of the IT experts. Even those who master important concepts in data and cybersecurity may doubt that knowledge, as there can be a tendency on the tech side to stress just how complicated things really are, reinforcing the need for their expertise.
Changing a Company Culture is Harder than Swapping Software
Successful cybersecurity programs require that every person in the company internalize the value of the company’s data. This requires a top-down belief in the importance of cybersecurity. For training to be effective, employees in every department need to see their vital individual role in an effective security system. This requires changing corporate culture, which is recognized as one of the great challenges in any organization. Individuals are resistant to change, and changing corporate culture requires even more effort and persistence. Effective cybersecurity programs rely in part on what infectious disease specialists call “herd immunity,” that is, eliminating the risk of as many potential disease victims as possible can protect even those who aren’t inoculated. This only works when the vast majority of those you are trying to protect opt in to the program and see it as important.
In order to change longstanding habits, we need to change our thinking. This takes work over time.
Breaking the Cycle
Changing behavior is difficult to accomplish, but it can be done in increments. Consider breaking down the program into small manageable steps that can be easily implemented. For example,
- Institute a program for stronger passwords that need to be updated more frequently.
- Make sure your existing systems are updated as required.
- Run diagnostic checks frequently.
- Review your virus defense system and begin to learn what it can and can’t do for you.
These are fairly small steps, but put data security in the forefront and have proven effectiveness. But more importantly, learn what not to do. There are behavior changes, both in IT and through the wider company, that can be instituted at no cost, but provide incredible value. Think of it this way; teach everyone in your organization to avoid a hot stove, and you have no-cost burn care. This kind of training is one of the least expensive ways to begin immediately to better protect your data and systems.
The foundation of any successful cybersecurity program is leadership from the top. Begin communicating how important data security is—even before you’ve hired a vendor or conducted an audit. Set an example. These messages will require continual reinforcement, but are one of the most important and cost-effective elements in protecting your company.
Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs.
JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.