News reports of data breaches have become commonplace. Here are a few suggestions you should consider taking now, before your business becomes a victim. The list is not exhaustive and each business may need to address its unique situation differently:

  1. Know What You Have. In a written document available to key management, identify and inventory all physical devices and systems you have, including equipment (leased or owned) that you maintain offsite. Also, list all software platforms and applications used in operations, specifying the versions used and on which pieces of equipment the software is being used.
  2. Identify Sensitive Information You Store Electronically. Sensitive information includes personal identifying information concerning your customers, vendors and employees, and confidential information you store concerning intellectual property, your outside vendors and third parties. Know if and how all information is encrypted and at what point(s) in the business process.
  3. Know What Your Computer System Controls. Depending on your business, your computer system can control not only access to information, but your company's (and possibly, clients') infrastructure systems. This can be a high risk area, particularly if your business involves manufacturing, as someone from the outside could gain control of your machinery and cause production problems.
  4. Restrict Access. Access to confidential information should be restricted. Know which of your employees and non-employees have access, and what they have access to. For such people, consider appropriate written agreements with them to limit your exposure to "internal" breaches.
  5. Assess Your Legal Obligations. Consider, among other legal issues, the following:

    • Do you have the right to collect and retain information concerning your customers, vendors, business partners and employees?
    • Are there legal restrictions on your ability to use information you obtain from your customers, vendors, business partners and employees?
    • What are your legal obligations to protect the information you have obtained from your customers, vendors, business partners and employees? 6. Determine How Your Outsourced Functions Are Dealing With Cybersecurity Risks. You may be liable for any breaches to your outsourcing partners' networks. If you have outsourcing partners handling any data concerning your customers, you should inquire and/or audit their systems to assure that they are using best-business-practice procedures in securing your business data in their systems.
  6. Create a Risk Management Strategy. Management must:

    • Prioritize what is the most important information in your company's computer network;
    • Implement appropriate technical, administrative and other controls; and
    • Prepare a response plan in the event of a breach (note that development of these protocols requires the commitment of upper management; in most cases, it will be insufficient to simply hand the issue off to your IT Director).
  7. Create A Network of Relationships With Experts Now. Time is of the essence following a serious data breach. You can respond more quickly, cheaply and effectively if you already have relationships with experts you can call and who will respond quickly.
  8. Create A Written Cybersecurity Policy. Such a policy should identify who has access, and what those persons are authorized to do with data in your network, and what should be done if a breach is suspected of having occurred. Each employee and outsourcing partner should be given a copy of these policies and procedures.
  9. Determine Your Insurance Needs. Traditional business insurance typically does not cover losses from cybersecurity breaches. Numerous insurance carriers offer cybersecurity policies. These policies vary and you should determine what insurance coverage is best for your company's needs.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.