Legal Watch: Take a Look in the Mirror

Sept. 6, 2016
Cybersecurity protection is just as important internally as it is for your clients

To borrow a phrase, there are two types of companies in the United States today: those that have been hacked and those that don't know they've been hacked. If you are looking for excuses not to deal with the ever-increasing risk of cyber-related exposures on the Internet, here are a few suggestions:

  • Your business holds your customers’ personal information — credit card numbers, social security numbers, health information and the like — that must be protected. Even better, somewhere in your system you have your subscribers’ security plans and protocols that can be used to breach the very protections you are paid to provide. No problem! You are 100-percent confident you cannot be breached, even though more than 80 percent of all U.S. companies have been hacked.
  • You have intellectual property and trade secret assets that constitute a good part of your net worth, but you are sure you will not be hacked. Rest easy — there’s a chance that everything will be OK.
  • Enjoying the savings inherent in cloud computing, you are not concerned that you really do not know where your data resides, or that you may not be able to access your data (or your subscribers' data) because the cloud computing vendor holds the encryption key and you have no way of instituting an effective "legal hold" on your data.
  • You permit your employees to use your equipment, during working hours, to access social media and are eager to have them put any information they choose about your company, fellow workers and management, out to the public.

While you would think that no responsible executive would entertain thoughts like these, the way some companies deal with their cyber risk suggests that this kind of thinking is alive and well.

More connectivity means more potential cybersecurity risk. Often, companies do not understand those risks or the potentially catastrophic effect they can have on the business's private information and confidential client data. To limit your risks, identify your company's potential IoT exposures as well as the other exposures that come with an Internet presence. That is not something you can do alone; you need experienced, knowledgeable and capable experts.

Self-Assessment

The first step in this process is to assess non-IT exposures, including social media, cloud computing contracting, regulatory compliance, BYOD, privacy and legal compliance issues. Next, your assessment should identify IT exposures, including computer systems security, policy and procedures, and specifically pinpoint potential exposures. Once a comprehensive report of these possible risks is generated and reviewed, the information gathered can enable a company to obtain the cyber risk insurance it needs at a reasonable cost and that accurately addresses the company’s primary risks.

This is a critical first step toward getting your arms around the problem. Recognize that cyber risks span technical and non-technical areas. A hacked social media account, or even improper use of one, may lead to breach-of-privacy lawsuits, reputational damage to the firm, and loss of proprietary firm information.

For real solutions, businesses need to retain tech-savvy lawyers and IT consultants with a combination of skills to get them to a well-founded comfort level. You should expect legal counsel and their paired IT consultants to provide a combined full-blown IT and legal cyber exposure management process that not only assesses and explains the company’s risk, but also yields clear and practical remediation steps.

Any process you choose should be cost-effective and timely. The risks are not getting any smaller or easier to deal with — making it problematic, at best, to put off getting an effective process in place as soon as possible. Besides permitting senior executives to sleep better at night, implementing an effective exposure management process goes a long way toward fulfilling the mandated due diligence obligations of both public and private companies, large and small. 

Eric Pritchard is a Philadelphia Lawyer who spends his workday making the world safe for electronic security providers. He can be reached at [email protected]. This column does not constitute legal advice; contact an attorney with questions.

About the Author

Eric Pritchard

Eric Pritchard is a partner in FisherBroyles, a law firm with offices throughout the United States and in London. He spends his days trying to make the world safer for the security industry. You can reach Eric at [email protected].