How can anyone not be aware of cybersecurity? Reports of large-scale data breaches, hacking and cyberattacks appear in the media almost daily. Phishing and ransomware attacks are also on the rise. Phishing attacks are used to steal user data, such as bank account or social security numbers, or login credentials. In a ransomware attack, the attacker encrypts a company’s data and makes it unavailable to the company until a “ransom” of some amount is paid.
One common misconception is that these cyberattacks only happen to large companies. A recent study by the security firm Symantec reports that 31 percent of all breaches occur at organizations with 100 or fewer employees, and that 61 percent of all breaches occur at organizations with 250 or fewer employees. Microsoft Corp. has also stated that 20 percent of small to medium businesses already have been targets of cyberattacks. In 2015, 43 percent of all phishing attacks targeted small businesses.
Other common misconceptions are that “our type of business is not at risk,” and “we don’t possess sensitive information.” However, the facts show that every business in every industry is at risk. In addition, every business possesses some sensitive information that criminals can use, even if it is the personal and health information of its employees, or customer and vendor payment and contact information.
A fourth misconception is that the business can absorb the cost of a data breach. This could be a very costly mistake. A June 2017 report from the Ponemon Institute finds that the average cost for each lost or stolen record containing sensitive information is $225, that the average total cost of a data breach is $7.35 million and that the average number of records involved in a data breach is 28,512.
Here are some steps all businesses should take to minimize the risk of losses:
• Undertake a security risk assessment. Businesses need to determine what sensitive and personal information of others they possess, as well as what information is most valuable to the business. The business also needs to understand its assets, operations and potential vulnerabilities.
• Develop and implement a security program to address the risks. Typically, this involves a written plan, which would address physical security measures (fences, locks, alarms and guards), administrative security measures (policies regarding operating procedures, administrative controls and employee training) and technological security measures (firewalls, controlling access to sensitive information, passwords, encryption).
• Evaluate the risk from third parties. Increasingly, the vendor chain is becoming a security risk, as trusted vendors often have access or connections to a business’s information systems. Businesses need to assess and monitor the security practices of their vendors, as an attack on an insecure vendor could also disrupt the business.
• Develop and practice a written incident response plan. The plan should include who is to be notified in the event of a security incident (including legal counsel), the actions and escalation steps to be taken to identify and resolve the issue, and how the business will comply with applicable federal and state laws if it turns out that there has been a security breach.
• Investigate cyber liability insurance. Ideally, a policy should include first-party coverage (for losses to the business due to loss of data or business interruption), as well as third-party coverage (for costs and expenses, and liability due to a data breach). Crime coverage is also important to address phishing scams and attacks that take over a corporate account.
Unfortunately, defending against cyberattacks has become a cost of doing business for all businesses, not just large companies. All companies need to take steps to mitigate their risks or face potentially crippling exposure if a cyberattack does occur.
John E. Ottaviani is chair of the Intellectual Property & Technology Group of Partridge Snow & Hahn LLP in Providence.