Cyber resolutions for 2016

Organizations face constant and evolving threats of cyberattacks and data breaches. No sector is immune from potential risks that can arise externally from hackers or internally from employee error. An organization’s planning must set and impose cybersecurity expectations that are commensurate with industry standards and its specific needs. Here are five resolutions for 2016 to promote a data-secure environment within your organization.

- Size up where you stand. The Rhode Island Identity Theft Protection Act of 2015 will take effect on June 26. The law requires an organization to maintain a “risk-based information security program” to ensure the proper collection, processing, retention and destruction of data containing sensitive personal information. As the effective date nears, an organization should conduct a meaningful examination of its existing written policies and established protocols. Policy proliferation must be avoided, where employees are confused or overwhelmed by too many mandates blurring their vital roles in proper data management.

- Meet at the tabletop. The initial 72 hours after a data breach typically comprise the pivotal period for prompt crisis management and the implementation of the response plan. The more prepared your organization is for a breach, the better its response will be when one actually occurs. A crisis service team should convene regularly to engage in “tabletop” exercises to consider breach scenarios and test the incident response plan. These “fire drills” examine cross-functional responsibilities among key personnel.

- Don’t go phishing. Phishing occurs when an email user is tricked into revealing information or infecting a system by clicking on a link. Spear phishing targets individuals or groups based upon researched profiling (such as information from social media posts). Organizational preventive measures against phishing must include strong internal technology focusing on malware prevention. Simulated phishing drills will help employees identify suspicious email content.


- Tighten the links in data chains. An organization may outsource sensitive and confidential data to vendors, including personally identifiable information, protected health information or other sensitive information. Your data security is only as strong as the weakest link in your information supply chain. Your external relationships could be pivot points for hackers to target in a peripheral attack against your organization. If a vendor is unwilling or unable to meet data-security standards, an organization must be prepared to look elsewhere.

Vendor contracts should state exactly what data will be shared and the expected security controls.

- Check your coverage. Organizations must manage the potential costs and impacts of cyber risks. Traditional insurance policies were developed before the recent proliferation of cyberthreats. Cyberinsurance policies are nascent and evolving products, which are not standard in their terms and coverage.

Going forward, cybersecurity insurers will define more clearly an actuarial model of risk. Organizations should evaluate carefully what a cybersecurity policy provides in first-party breach response and third-party liability coverage.

An organization’s security posture will affect what it needs in cyberinsurance, especially in light of its data sources and potential vulnerabilities. Key considerations include the evaluation of any exclusions or sublimits applicable to the retention of forensic specialists, the responses to governmental or regulatory investigations and the impacts of business interruptions.

Steven Richard is a business litigator at Nixon Peabody LLP and co-editor of the firm’s Privacy Blog.
