Cyberattacks from data breaches to ransomware are becoming common occurrences. Organizations rely on their information security departments or engage outside consultancies to try to protect against attacks and theft of personally identifiable information (PII), intellectual property (IP), and other confidential company and client information. But preventative efforts fail with alarming frequency, even for the largest companies with the most well-funded cybersecurity efforts.
Devastating consequences of a data breach include fines, civil lawsuit settlements, brand damage, loss of market share, and the accompanying revenue loss. Successful ransomware attacks put the victim in a true lose-lose situation — the company must choose between paying the substantial ransom and trying to recover without paying, which sometimes costs 10 to 100 times more than the ransom. Many companies do not survive a successful ransomware attack or a major data breach becoming public; estimates suggest that close to 50% of small and mid-size businesses that suffer one go out of business as a result.
What Companies Can Do to Prepare
A multipronged approach of proactive preventative steps and reactive business continuity plans is recommended, with effort and expenditure in each of the following four areas.
1. Fortify Cybersecurity Resources, Including Your People
Use a combination of hardware, software, professional practitioners on staff, employee awareness training, and policies and procedures to architect and execute solutions that aim to prevent successful cyberattacks. Failing to provide consistent, meaningful training to employees severely weakens any technological defenses in which you have invested.
2. Legal Counsel
Plan for the eventuality of a successful cyberattack. Estimates show that as many as 46% of organizations are attacked every year, and about 1% suffer a successful attack; those percentages tend to rise year over year. Some companies are at much higher or lower risk than others based on the nature of their business, but with an average chance of being the victim of a successful, potentially business-ending cyberattack of 1 in 100, the odds are not good.
Just as you want to have data backups in your IT infrastructure before ransomware locks you out of it, you want to have already established a relationship with a law firm that has counseled companies through a breach, so you can prepare a plan to follow in the event of a cyberattack.
Beyond preparing for an incident, a law firm can also guide your organization through another growing risk: failing to comply with the myriad privacy laws and regulations, which are persistently growing in number and complexity. Combining legal analysis with a comprehensive information security risk assessment puts organizations in the best position to navigate this risky digital world.
3. Cyber Insurance
Successful cyberattacks have become so commonplace that insurance companies offer organizations policies to help protect against the associated negative financial impact and to recover normal business operations more quickly.
Unfortunately, many of these policies contain clauses that invalidate the coverage, for example if the attack was due to “an act of war,” even though a growing percentage of cyberattacks are state-sponsored by countries conducting cyber espionage, stealing IP, or trying to gain a competitive advantage in the global marketplace. Although cyber coverage has been around for some time, the policies are not uniform, and the terms and exclusions can vary significantly. Organizations should seek out insurance professionals with substantial experience in cyber coverage and have their legal team carefully review the coverage terms before purchasing a policy. The disparity in coverages and exclusions has sparked litigation between insurers and insureds, which reinforces the wisdom of getting targeted advice before paying for a policy.
4. IT Asset Disposition
Lastly, it does an organization no good to craft an elaborate cybersecurity scheme for the data on its network and in its data centers if it loses control of that data by unintentionally throwing it out with the trash. Eventually, all data-bearing devices reach their end of life (EOL), and companies retire those assets as they refresh IT infrastructure and replace devices with new ones, or when they experience a merger or acquisition, or otherwise consolidate infrastructure and retire the excess equipment.
Multiple studies have shown that the IT asset disposition (ITAD) phase of a data-bearing device’s life cycle is handled poorly, even by large, multinational organizations, and that around 40% of retired IT devices, from hard drives to cellphones, found on the secondary market still have PII or corporate data on them.