As cyberattacks become both more prevalent and complex, it's often no longer a matter of "if", but "when" a breach will occur. However, organizations can take steps to reduce the risk of a breach and to mitigate the impact of a breach should one occur. We outline below five things businesses and business leaders should do to protect against, and prepare for, cyber breaches.
1. IMPLEMENT AN INFORMATION SECURITY PROGRAM
Investing in preparedness is worthwhile. Organizations should ensure they have a written information security program in place, developed by experienced information security professionals. Determining the organization's information handling practices is essential to putting into place appropriate security measures. This should include a thorough risk assessment, business impact assessment and security audit.
Key stakeholders should be involved in both developing and implementing the program. Once implemented, don't "set it and forget it" — check that it is properly operationalized and regularly reviewed in light of evolving information handling practices and information security threats.
2. VENDOR MANAGEMENT
Data processing activities are increasingly being outsourced to third-party service providers. Organizations must assess the security and information handling practices of third-party vendors.
Vet prospective service providers in advance through effective due diligence and take the opportunity to do the same for any long-term vendors whose processes may not have been reviewed recently or at all. Information security and data protection obligations must be included in contracts with service providers that process personal or confidential information or have access to an organization's systems.
Organizations should carefully consider the appropriate security controls to apply to their providers, which may include a requirement for a given provider to comply with certain of the organization's own security policies, the provider's security policies and/or applicable ISO or other industry security standards.
3. EMPLOYEE TRAINING AND AWARENESS
Data breaches cost organizations millions annually. Employees remain a critical defence against data breaches and cyber security incidents.
Businesses should conduct regular employee training so that employees are, and remain aware of their obligations to protect company data and systems, including personal information, are trained to detect suspicious activities (such as phishing emails) and know what types of data security incidents need to be reported and to whom.
4. INCIDENT RESPONSE PLAN
Having an incident response plan is one of the most critical steps that an organization can take to prepare itself in the event of a cyberattack and to ensure it is ready to respond quickly and effectively.
An incident response plan provides the incident response team with a road map to follow in a crisis.
When developing an incident response plan, ensure you:
- Have involved all relevant stakeholders
- Have clear reporting protocols to ensure the right people are made aware of a crisis
- Have considered the notification obligations and risks in every potential jurisdiction to which your business is subject to report
- Have a plan to develop a communication strategy that minimizes reputational and litigation risk
- Effectively manage internal communications from directors and officers to individual employees
- Take steps to ensure privilege is maintained
A quick response is critical in any cyber incident. To be agile, businesses need access to third parties such as a forensic team and external counsel. It's best to pre-select these individuals to ensure they are easily accessed in a crisis.
Again, don't just "set it and forget it", test your incident response plan, including with simulations if possible, and make revisions based on "lessons learned".
Businesses can mitigate losses from cyberattacks through cyber insurance, contractual language around cybersecurity obligations and indemnification clauses.
Cyber insurance is not only important for the organization itself, but also for its third-party vendors. If practical, consider whether third-party providers should also be required to purchase cyber liability insurance.
Many insurance policies limit or exclude cyber risk coverage, so it's prudent not to presume, but speak to a broker and ensure you are covered in case of a data breach.
This article is the first instalment in a series examining how businesses can stay vigilant, resilient and secure, as part of Cybersecurity Awareness Month. The next article in the series will address how to respond to a cyberattack.
For permission to reprint articles, please contact the Blakes Marketing Department.
© 2019 Blake, Cassels & Graydon LLP.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.